Terraform: Credential error when importing aws resources - error calling sts:GetCallerIdentity: ExpiredToken


Problem description

I have some aws resources that I want to import into my terraform state.

I have set the aws credentials in ~/.aws/credentials file:

[my-profile]
aws_access_key_id=<ACCESS_KEY_ID>
aws_secret_access_key=<SECRET_ACCESS_KEY>
aws_session_token=<SESSION_TOKEN>

terraform init ran successfully, but when I try to import the resources with:

terraform import -var-file=config/us-west-2/default.tfvars -var-file=variables.tfvars -var-file=../globals.tfvars -var profile=my-profile -var region=us-west-2 -var tfstate_bucket=<MY_TF_BUCKET> -no-color <RESOURCE_NAME> <RESOURCE_ID>

I am getting following error even when my credentials have not expired:

Error: error using credentials to get account ID: error calling sts:GetCallerIdentity: ExpiredToken: The security token included in the request is expired
    status code: 403, request id: 1684ef71-ecea-4fed-bcf5-a32eca688ab4

Please note that I have run similar imports in another non-production aws account, but I get this error when I try to run it against the production account. I do have power-user access to the Production account though.

Terraform version:

Terraform v0.12.29
+ provider.aws v3.14.1
+ provider.null v2.1.2
+ provider.random v2.3.1
+ provider.template v2.1.2


Printing environment variables on my mac

$ env
TERM_PROGRAM=Apple_Terminal
TERM=xterm-256color
SHELL=/bin/bash
TMPDIR=/var/folders/jz/w997kd9x4sb983kdyj8wjlkc0000gp/T/
GRADLE_HOME=/Users/john/.sdkman/candidates/gradle/current
Apple_PubSub_Socket_Render=/private/tmp/com.apple.launchd.k5lBL3QJ9R/Render
TERM_PROGRAM_VERSION=421.2
TERM_SESSION_ID=D2EB66E5-2DD7-456A-8E16-A0E00CE15112
SDKMAN_PLATFORM=Darwin
USER=john
SDKMAN_CANDIDATES_API=https://api.sdkman.io/2
SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.GG8D8SvuqA/Listeners
PATH=/Users/john/.sdkman/candidates/gradle/current/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin
PWD=/Users/john/MyProjects/tf/foobar
LANG=en_US.UTF-8
SDKMAN_VERSION=5.7.4+362
XPC_FLAGS=0x0
XPC_SERVICE_NAME=0
HOME=/Users/john
SHLVL=1
LOGNAME=john
SDKMAN_DIR=/Users/john/.sdkman
SDKMAN_CANDIDATES_DIR=/Users/john/.sdkman/candidates
_=/usr/bin/env


EDIT 2: When I cleaned up all the old profiles and credentials so that ~/.aws/credentials and ~/.aws/config only have an entry for my-profile and nothing else.

Also all related environment variables:

for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SECURITY_TOKEN ; do eval unset $var ; done

So now I get:

Error: No valid credential sources found for AWS Provider.
    Please see https://terraform.io/docs/providers/aws/index.html for more information on
    providing credentials for the AWS Provider

Recommended answer

As discussed in the comments, the most likely answer is that you have some old credentials "stored" somewhere:

  • either still in your current terminal session's environment variables
  • or in one of the .tfvars files your command mentions

I suggest cleaning them up. Get new credentials. And try again.
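
The check the answer describes, as an added example that is not part of the original post: a POSIX shell script that lists where AWS credentials are currently stored (environment variables, the shared credentials file, and the .tfvars files passed as arguments) without printing any secret value. The script name audit.sh and the variable-name pattern used for .tfvars files are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post).
# Prints only names and locations, never the secret values themselves.

# Credential-related environment variables set in this shell
# (the four names from the question, plus AWS_PROFILE).
aws_env_creds() {
  for name in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN \
              AWS_SECURITY_TOKEN AWS_PROFILE; do
    eval "is_set=\${$name+x}"          # "x" only when the variable is set
    if [ -n "$is_set" ]; then echo "env:$name"; fi
  done
}

# Profiles in a shared credentials file that carry aws_session_token,
# i.e. temporary credentials that can expire.
session_profiles() {
  [ -f "$1" ] || return 0
  awk '/^\[/ { p = $0; sub(/^\[/, "", p); sub(/\].*$/, "", p) }
       /^[ \t]*aws_session_token[ \t]*=/ { print "profile:" p }' "$1"
}

# Lines in the given .tfvars files that assign a credential-looking variable.
# The name pattern is a heuristic (assumption), so review each hit by hand.
tfvars_creds() {
  for f in "$@"; do
    [ -f "$f" ] || continue
    awk -v f="$f" 'tolower($0) ~ /^[ \t]*[a-z0-9_]*(access_key|secret_key|token)[a-z0-9_]*[ \t]*=/ {
      print "tfvars:" f ":" NR }' "$f"
  done
}

# Usage: sh audit.sh config/us-west-2/default.tfvars variables.tfvars ../globals.tfvars
aws_env_creds
session_profiles "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
tfvars_creds "$@"
```

Every `env:` or `tfvars:` line is a place to clear before fetching new credentials; a `profile:` line marks a profile whose session token has to be refreshed when it expires.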
