Post

GitHub Actions - Packer error NoCredentialProviders

Posted
By Julius Gamanyi
2 min read

Problem: Packer shows aws.Config.CredentialsChainVerboseErrors

When running Packer within GitHub Actions, I saw this error:

1
2
3
4
5
6

==> amazon-ebs.ami_name: Stopping the source instance...
    amazon-ebs.ami_name: Stopping instance
==> amazon-ebs.ami_name: 	For verbose messaging see aws.Config.CredentialsChainVerboseErrors
==> amazon-ebs.ami_name: Error stopping instance: NoCredentialProviders: no valid providers in chain. Deprecated.
==> amazon-ebs.ami_name: 	For verbose messaging see aws.Config.CredentialsChainVerboseErrors
==> amazon-ebs.ami_name: Provisioning step had errors: Running the cleanup provisioner, if present...

Similar messages for Terminating the source AWS instance are displayed.

My Packer with GH-Action is setup in this way:

  • packer folder
  • github actions workflow yml
    • assume role
    • invoke packer

The workflow yaml looks like:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

# .github/workflows/ci.yml
. . .
jobs:
  packer-build:
    name: packer-build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        
      - name: packer init
        env:
          packer-template-folder: ./packer
        run: packer init $        
        
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v3
        env:
          accountid: 123456789
          region: us-east-1
          role: cicd
        with:
          aws-region: $
          role-to-assume: arn:aws:iam::$:role/$
          role-duration-seconds: 900
          role-skip-session-tagging: true
        
      - name: My Packer build
        env:
          packer-template-folder: ./packer
          PKR_VAR_gh_repo_name: my-repo
        run: | 
          packer validate -syntax-only $packer-template-folder
          packer validate $packer-template-folder
          packer build $packer-template-folder

Troubleshooting

This stackoverflow answer (https://stackoverflow.com/a/44094893) gave me a hint, that is, look at the credentails.

  • I compared another pipeline that works with this one. I specifically looked at the assumed roles and their permissions. Though the names are different, yet both have the same IAM permissions.
  • Removing the AWS_* env variables didn’t make much sense, because when we assume a role, these AWS_* envv ars are set.
  • Swapping the steps in the build script also provided a hint - when I move the last step to be the first, that step works. But when I return it to its last place, it doesn’t work.
  • Looking at how long that build step takes provided the final hint - it took longer than I expected. Adjusting the duration of the assumed role in GHA workflow solved the problem.

I concluded that the role was assumed for x minutes. When packer came to run the last step, the assumed role had expired. And so Packer didn’t have any way to authenticate with AWS.

Solution

On Line 24, increase the duration from 900 to 1500. That is, change role-duration-seconds: 900 to role-duration-seconds: 1500

github-actions packer configure-aws-credentials aws
This post is licensed under CC BY 4.0 by the author.