This repository was archived by the owner on Aug 7, 2023. It is now read-only.
bless bless_ca fails to call KMS when using roles #29
Open
Description
Running a bare minimum config:
```hcl
provider "bless" {
  region = "eu-west-1"
}

resource "bless_ca" "fooca" {
  kms_key_id = "65ba1ca8-222a-2226-2222-020fc86a71d7"
}
```
This tries to find the key using the current AWS role, but we use role assuming, so our base role doesn't actually have access to the account and its resources. The general aws provider does role assuming based on how it's configured, but bless doesn't currently support that, so it cannot switch to the correct role to access KMS. Profile doesn't work either because our base STS credentials are env-only, so role assuming based on ~/.aws/config fails with a message about the base profile not having credentials (which is correct; the base profile is loaded via aws-vault using STS creds):

```hcl
provider "aws" {
  version = ">= 2.0.0"
  region  = "eu-west-1"

  assume_role {
    role_arn = "${lookup(var.role_arns, var.account)}"
  }
}
```
A few edits later: I suppose this is more like a feature request than a bug.
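One way to work around a provider that has no `assume_role` block, as an added example that is not part of the issue and not code from the bless provider: assume the target role once with the AWS CLI and run terraform with the resulting session credentials in the environment, so that any provider that only reads environment credentials acts as the assumed role. The role ARN, the session name and the use of the AWS CLI are assumptions; the only thing the base credentials need is `sts:AssumeRole` on that role.

```shell
#!/bin/sh
# Added workaround, not a feature of the bless provider: assume the target role
# once with the AWS CLI, then run terraform with the short-lived session
# credentials in the environment. Providers that only read environment
# credentials (as bless does in the issue) then reach KMS as the assumed role,
# and the aws provider's own assume_role block keeps working as before.
set -eu
set -f   # no pathname expansion while we word-split STS output below

# Validate one line of `aws sts assume-role ... --output text` output
# (tab-separated AccessKeyId, SecretAccessKey, SessionToken) and echo it
# space-separated. Kept separate from the network call so it can be tested
# on a constructed line.
parse_sts_line() {
  # Intentionally unquoted: split the tab-separated fields into $1 $2 $3.
  set -- $1
  [ "$#" -eq 3 ] || return 1
  # Temporary credentials issued by STS always carry an ASIA... access key id;
  # anything else means we did not get a role session back.
  case "$1" in ASIA*) ;; *) return 1 ;; esac
  printf '%s %s %s\n' "$1" "$2" "$3"
}

# assume_and_run ROLE_ARN COMMAND [ARGS...]
# Assumes ROLE_ARN and runs COMMAND with the session credentials exported only
# for that child process, so the base (env-only) credentials stay untouched.
assume_and_run() {
  role_arn=$1; shift
  creds=$(aws sts assume-role \
            --role-arn "$role_arn" \
            --role-session-name "terraform-bless" \
            --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
            --output text)
  creds=$(parse_sts_line "$creds") || {
    echo "unexpected assume-role output for $role_arn" >&2
    return 1
  }
  set -- $creds "$@"
  key=$1; secret=$2; token=$3; shift 3
  # AWS_SESSION_TOKEN is mandatory for a role session; exporting only the key
  # pair leaves the SDK with unusable credentials.
  AWS_ACCESS_KEY_ID=$key AWS_SECRET_ACCESS_KEY=$secret AWS_SESSION_TOKEN=$token "$@"
}

# Example invocation (the account id and role name are assumptions):
#   assume_and_run arn:aws:iam::123456789012:role/terraform terraform plan
```

Because the credentials are passed as a prefix assignment to the child command rather than exported into the calling shell, nothing is left behind in the environment after terraform exits, and the same wrapper can be used for `plan` and `apply` alike.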