Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Post-processor failed: AuthFailure: AWS was not able to validate the provided access credentials #347

Open
choonming opened this issue Jan 4, 2023 · 2 comments
Open

Post-processor failed: AuthFailure: AWS was not able to validate the provided access credentials #347

choonming opened this issue Jan 4, 2023 · 2 comments

Comments

@choonming
Copy link

I've been trying to get the plugin to work on with my packer template. I'm using the Amazon EBS provider for my build and it works successfully with the assume role. However, when it comes to the post-provisioner stage, I get the following error saying invalid credentials when it is working on the builder.

source "amazon-ebs" "amazon-linux" {
  ami_name            = "${var.ami_prefix}-${var.type}-{{ timestamp }}"
  ami_regions         = var.ami_regions
  instance_type       = var.instance_type
  region              = var.primary_region
  source_ami          = data.amazon-ami.amazon-linux.id
  ebs_optimized       = true
  ena_support         = true
  enable_t2_unlimited = false

  ssh_interface        = "session_manager"
  ssh_username         = "ec2-user"
  pause_before_ssm     = "30s"
  iam_instance_profile = "packer-imagebuilder-ssm"

  vpc_filter {
    filters = {
      "tag:Name" : "packer-imagebuilder",
      "isDefault" : "false",
    }
  }

  subnet_filter {
    filters = {
      "tag:Name" = "packer-imagebuilder-private-${var.primary_region}a"
    }
    most_free = true
    random    = true
  }

  assume_role {
    role_arn     = var.deployment_role_arn
    session_name = "packer-imagebuilder"
  }
}

build {
  sources = [
    "source.amazon-ebs.amazon-linux"
  ]
  
  post-processor "amazon-ami-management" {
    regions       = concat([var.primary_region], var.ami_regions)
    identifier    = "${var.ami_prefix}-${var.type}-"
    keep_releases = 3

    assume_role {
      role_arn     = var.deployment_role_arn
      session_name = "packer-imagebuilder"
    }
  }

2023/01/04 12:39:50 [INFO] (telemetry) ending amazon-ebs.amazon-linux
2023/01/04 12:39:50 [INFO] (telemetry) Starting post-processor amazon-ami-management
==> amazon-ebs.amazon-linux: Running post-processor:  (type amazon-ami-management)
    amazon-ebs.amazon-linux (amazon-ami-management): Processing in af-south-1
2023/01/04 12:39:51 packer-plugin-amazon-ami-management_v1.2.0_x5.0_darwin_arm64 plugin: 2023/01/04 12:39:51 Running the post-processor
2023/01/04 12:39:51 packer-plugin-amazon-ami-management_v1.2.0_x5.0_darwin_arm64 plugin: 2023/01/04 12:39:51 [INFO] AWS Auth provider used: "EnvProvider"
2023/01/04 12:39:51 packer-plugin-amazon-ami-management_v1.2.0_x5.0_darwin_arm64 plugin: 2023/01/04 12:39:51 [INFO] Attempting to AssumeRole arn:aws:iam::xxxxxx:role/packer (SessionName: "packer-imagebuilder", ExternalId: "")
2023/01/04 12:39:51 packer-plugin-amazon-ami-management_v1.2.0_x5.0_darwin_arm64 plugin: 2023/01/04 12:39:51 Found region eu-west-1
2023/01/04 12:39:51 packer-plugin-amazon-ami-management_v1.2.0_x5.0_darwin_arm64 plugin: 2023/01/04 12:39:51 [INFO] AWS Auth provider used: "AssumeRoleProvider"
2023/01/04 12:39:53 [INFO] (telemetry) ending amazon-ami-management
2023/01/04 12:39:53 Deleting original artifact for build 'amazon-ebs.amazon-linux'
2023/01/04 12:39:53 packer-plugin-amazon-ami-management_v1.2.0_x5.0_darwin_arm64 plugin: 2023/01/04 12:39:53 error: AuthFailure: AWS was not able to validate the provided access credentials
2023/01/04 12:39:53 packer-plugin-amazon-ami-management_v1.2.0_x5.0_darwin_arm64 plugin: 	status code: 401, request id: d36201a0-eded-457c-815c-af2f417870e4
2023/01/04 12:39:53 packer-plugin-amazon_v1.1.6_x5.0_darwin_arm64 plugin: 2023/01/04 12:39:53 Deregistering image ID (ami-04bc46ae4f51f43db) from region (af-south-1)
2023/01/04 12:39:58 packer-plugin-amazon_v1.1.6_x5.0_darwin_arm64 plugin: 2023/01/04 12:39:58 Deregistered AMI id: ami-04bc46ae4f51f43db
2023/01/04 12:39:59 packer-plugin-amazon_v1.1.6_x5.0_darwin_arm64 plugin: 2023/01/04 12:39:59 Deleted snapshot: snap-00c57b2db9bc56025
2023/01/04 12:39:59 packer-plugin-amazon_v1.1.6_x5.0_darwin_arm64 plugin: 2023/01/04 12:39:59 Deregistering image ID (ami-008353bfaf323c514) from region (ap-southeast-1)
2023/01/04 12:40:04 packer-plugin-amazon_v1.1.6_x5.0_darwin_arm64 plugin: 2023/01/04 12:40:04 Deregistered AMI id: ami-008353bfaf323c514
2023/01/04 12:40:06 packer-plugin-amazon_v1.1.6_x5.0_darwin_arm64 plugin: 2023/01/04 12:40:06 Deleted snapshot: snap-0bec51acca6efcde6
2023/01/04 12:40:06 packer-plugin-amazon_v1.1.6_x5.0_darwin_arm64 plugin: 2023/01/04 12:40:06 Deregistering image ID (ami-0bdf2163907803ea4) from region (eu-west-1)
2023/01/04 12:40:09 packer-plugin-amazon_v1.1.6_x5.0_darwin_arm64 plugin: 2023/01/04 12:40:09 Deregistered AMI id: ami-0bdf2163907803ea4
Build 'amazon-ebs.amazon-linux' errored after 11 minutes 38 seconds: 1 error(s) occurred:

* Post-processor failed: AuthFailure: AWS was not able to validate the provided access credentials
	status code: 401, request id: xxxxx

==> Wait completed after 11 minutes 38 seconds

==> Some builds didn't complete successfully and had errors:

--> amazon-ebs.amazon-linux: 1 error(s) occurred:
* Post-processor failed: AuthFailure: AWS was not able to validate the provided access credentials

	status code: 401, request id: xxxxxxx
==> Wait completed after 11 minutes 38 seconds
2023/01/04 12:40:10 machine readable: error-count []string{"1"}
==> Some builds didn't complete successfully and had errors:
2023/01/04 12:40:10 machine readable: amazon-ebs.amazon-linux,error []string{"1 error(s) occurred:\n\n* Post-processor failed: AuthFailure: AWS was not able to validate the provided access credentials\n\tstatus code: 401, request id: * Post-processor failed: AuthFailure: AWS was not able to validate the provided access credentials
	status code: 401, request id: xxxxxxx

==> Builds finished but no artifacts were created.
xxxxxxx"}

* Post-processor failed: AuthFailure: AWS was not able to validate the provided access credentials
	status code: 401, request id: xxxxxx
==> Builds finished but no artifacts were created.
2023/01/04 12:40:10 packer-plugin-amazon_v1.1.6_x5.0_darwin_arm64 plugin: 2023/01/04 12:40:10 Deleted snapshot: snap-013963d646f90692f
2023/01/04 12:40:10 [INFO] (telemetry) Finalizing.
2023/01/04 12:40:11 waiting for all plugin processes to complete...
2023/01/04 12:40:11 /Users/choon_ming_goh/.config/packer/plugins/github.com/wata727/amazon-ami-management/packer-plugin-amazon-ami-management_v1.2.0_x5.0_darwin_arm64: plugin process exited
2023/01/04 12:40:11 /Users/choon_ming_goh/.config/packer/plugins/github.com/hashicorp/amazon/packer-plugin-amazon_v1.1.6_x5.0_darwin_arm64: plugin process exited
2023/01/04 12:40:11 /Users/choon_ming_goh/.config/packer/plugins/github.com/hashicorp/amazon/packer-plugin-amazon_v1.1.6_x5.0_darwin_arm64: plugin process exited
@wata727
Copy link
Owner

wata727 commented Jan 5, 2023

This error seems to occur when using an old STS token.
https://aws.amazon.com/premiumsupport/knowledge-center/iam-validate-access-credentials

The last release was over a year ago, so it's possible that only tokens issued by the post processor are still version 1.

@wata727
Copy link
Owner

wata727 commented Jan 5, 2023

v1.3.1 has been released. Please try this version.
https://github.com/wata727/packer-plugin-amazon-ami-management/releases/tag/v1.3.1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@choonming @wata727