fix: ensure temporary IAM role is removed on EC2 dry-run or attach failure#648

Open
gnought wants to merge 1 commit into hashicorp:main from gnought:fix/remove_temp_role

Conversation

@gnought (Contributor) commented Feb 16, 2026

Description

A temporary IAM role is created but not cleaned up when an error occurs while attaching the role to the instance profile.

```go
// Attach the temporary role to the temporary instance profile.
_, err = iamsvc.AddRoleToInstanceProfile(&iam.AddRoleToInstanceProfileInput{
	RoleName:            roleResp.Role.RoleName,
	InstanceProfileName: profileResp.InstanceProfile.InstanceProfileName,
})
if err != nil {
	// Halts here without recording that the role may already be in the profile.
	ui.Error(err.Error())
	state.Put("error", err)
	return multistep.ActionHalt
}
```

The same issue also occurs when an error is returned during the EC2 dry-run test.

```go
// Error path of the EC2 dry-run wait, reached after the attach call succeeded.
if err != nil {
	err := fmt.Errorf("timed out waiting for IAM changes to propagate to EC2: %s", err)
	log.Printf("[DEBUG] %s", err.Error())
	state.Put("error", err)
	return multistep.ActionHalt
}
```

The root cause is that the code skips setting s.roleIsAttached = true. This PR ensures that the temporary role is properly removed in both failure scenarios.

An excerpt of the Packer log:

```text
2026/02/16 13:24:11 ui: 2026-02-16T13:24:11+08:00: ==> ubuntu.amazon-ebssurrogate.jammy: Deleting temporary role...
2026/02/16 13:24:11 ui error: 2026-02-16T13:24:11+08:00: ==> ubuntu.amazon-ebssurrogate.jammy: Error operation error IAM: DeleteRole, https response error StatusCode: 409, RequestID: d1062ddd-a4a5-4032-a2ec-6a84c7514b9d, DeleteConflict: Cannot delete entity, must remove roles from instance profile first.. Please delete the role manually: packer-6992a9f0-07ce-f274-22b5-311327335af4
2026/02/16 13:24:11 ui: 2026-02-16T13:24:11+08:00: ==> ubuntu.amazon-ebssurrogate.jammy: Deleting temporary instance profile...
2026/02/16 13:24:12 ui error: 2026-02-16T13:24:12+08:00: ==> ubuntu.amazon-ebssurrogate.jammy: Error operation error IAM: DeleteInstanceProfile, https response error StatusCode: 409, RequestID: d349dd8a-9c8f-48e6-9242-fecbb5e986ae, DeleteConflict: Cannot delete entity, must remove roles from instance profile first.. Please delete the instance profile manually: packer-6992a9f0-07ce-f274-22b5-311327335af4
```

Resolved Issues

If your PR resolves any open issue(s), please indicate them like this so they will be closed when your PR is merged:

Rollback Plan

If a change needs to be reverted, we will roll out an update to the code within 7 days.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

No

@gnought gnought requested a review from a team as a code owner February 16, 2026 05:01
@gnought gnought changed the title from "Ensure temporary IAM role is removed on EC2 dry-run or attach failure" to "fix: ensure temporary IAM role is removed on EC2 dry-run or attach failure" Feb 16, 2026
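The failure mode described in the PR, worked through as an added example (this is not code from the PR or from the Packer Amazon plugin). It uses a constructed single-role, single-profile in-memory stand-in for IAM that refuses deletes with DeleteConflict while the role is still in the profile, a hypothetical reduction of the step in which the dry-run error path returns before roleAttached is set, and two cleanup policies: one gated on that flag, which reproduces the two 409s in the log above, and one that decides from what was created and tolerates NoSuchEntity, which removes everything in both the dry-run and the attach failure scenarios. The fake, the struct and field names and the `simulate` helper are all assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

var errDeleteConflict = errors.New("DeleteConflict: Cannot delete entity, must remove roles from instance profile first")
var errNoSuchEntity = errors.New("NoSuchEntity")

// fakeIAM is a constructed single-role, single-profile stand-in for the IAM calls the
// step makes (not the AWS SDK). It enforces the rule behind the two 409s in the PR's
// log: a role still in an instance profile, or a profile still holding one, cannot be deleted.
type fakeIAM struct{ roleExists, profileExists, attached bool }

func (f *fakeIAM) CreateRole()               { f.roleExists = true }
func (f *fakeIAM) CreateInstanceProfile()    { f.profileExists = true }
func (f *fakeIAM) AddRoleToInstanceProfile() { f.attached = true }
func (f *fakeIAM) RemoveRoleFromInstanceProfile() error {
	if !f.attached {
		return errNoSuchEntity
	}
	f.attached = false
	return nil
}
func (f *fakeIAM) DeleteRole() error {
	if f.attached {
		return errDeleteConflict
	}
	f.roleExists = false
	return nil
}
func (f *fakeIAM) DeleteInstanceProfile() error {
	if f.attached {
		return errDeleteConflict
	}
	f.profileExists = false
	return nil
}

// tempRoleStep is a hypothetical reduction of the plugin step: it records what it created.
type tempRoleStep struct{ roleCreated, profileCreated, roleAttached bool }

// run models the two failure paths from the PR; in both, the step returns before the
// line that sets roleAttached.
func (s *tempRoleStep) run(iam *fakeIAM, attachFails, dryRunFails bool) error {
	iam.CreateRole()
	s.roleCreated = true
	iam.CreateInstanceProfile()
	s.profileCreated = true
	if attachFails { // the attach call itself errors: nothing was attached
		return errors.New("AddRoleToInstanceProfile failed")
	}
	iam.AddRoleToInstanceProfile()
	if dryRunFails { // attach succeeded, then the EC2 dry-run wait timed out
		return errors.New("timed out waiting for IAM changes to propagate to EC2")
	}
	s.roleAttached = true
	return nil
}

// cleanup detaches when told to, then deletes in dependency order. NoSuchEntity means
// the entity is already gone or was never attached, so it is not reported.
func (s *tempRoleStep) cleanup(iam *fakeIAM, detach bool) (errs []error) {
	collect := func(err error) {
		if err != nil && !errors.Is(err, errNoSuchEntity) {
			errs = append(errs, err)
		}
	}
	if detach {
		collect(iam.RemoveRoleFromInstanceProfile())
	}
	if s.roleCreated {
		collect(iam.DeleteRole())
	}
	if s.profileCreated {
		collect(iam.DeleteInstanceProfile())
	}
	return errs
}

// simulate drives the step into the chosen failure, then cleans up under one of two
// policies: fragile keys the detach on roleAttached, which only the success path sets;
// robust keys it on what was created, which no error path can skip.
func simulate(robust, attachFails, dryRunFails bool) (roleLeft, profileLeft bool, errs []error) {
	iam := &fakeIAM{}
	s := &tempRoleStep{}
	_ = s.run(iam, attachFails, dryRunFails) // the step's own error is not under test
	detach := s.roleAttached
	if robust {
		detach = s.roleCreated && s.profileCreated
	}
	errs = s.cleanup(iam, detach)
	return iam.roleExists, iam.profileExists, errs
}

func main() {
	r, p, errs := simulate(false, false, true) // the fragile policy reproduces the PR's two 409s
	fmt.Printf("fragile cleanup after dry-run failure: role left=%v profile left=%v errs=%v\n", r, p, errs)
}
```

The design point is that cleanup should be driven by what was created, not by a flag that only the success path reaches; the detach is then attempted whenever both the role and the profile exist, and a NoSuchEntity on that detach is the expected answer when the attach never happened.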