Terraform: remote config for S3 can not use assume role

Created on 4 Jun 2016  ·  6 Comments  ·  Source: hashicorp/terraform

I have two AWS accounts, development and production.
There is an IAM user in development, and there is an IAM role in production (production has no IAM users).
And the IAM user in development can behave as the IAM role in production.

I can use aws s3 ls --profile=development and aws s3 ls --profile=production correctly.
And I can use terraform remote config -backend=s3 -backend-config="profile=development" ... correctly too.
But I can't use terraform remote config -backend=s3 -backend-config="profile=production" ....

Error message is * No valid credential sources found for AWS S3 remote..
Maybe, remote config for S3 checks only profiles in ~/.aws/credentials.

~/.aws/credentials

[default]
aws_access_key_id=xxx
aws_secret_access_key=xxx

[development]
aws_access_key_id=yyy
aws_secret_access_key=yyy

~/.aws/config

[default]
region=ap-northeast-1

[profile development]
region=ap-northeast-1

[profile production]
source_profile=development
role_arn=arn:aws:iam::xxx:role/role-xxx
region=ap-northeast-1

All 6 comments

Hello,

Same request: I have about 10 AWS profiles in my ~/.aws/config (might push them to ~/.aws/credentials, not a big deal).

Would be marvelous if terraform remote config … could take either -profile or, as it's specific to S3, -backend-config="profile=foo"

The second solution might be the best regarding future support, as proposed by @t-yamo

+1

I have the exact config as @t-yamo in terms of aws config and I am still seeing this error in Terraform 0.11.x

Just to clarify, my aws config - ~/.aws/credentials

[account_1]
aws_access_key_id=yyy
aws_secret_access_key=yyy

~/.aws/config

[profile dev]
source_profile=account_1
role_arn=arn:aws:iam::xxx:role/role-xxx

My terraform code for remote state

terraform {
  required_version = "= 0.11.7"

  backend "s3" {
    bucket         = "my-terraform-state"
    key            = "terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "terraform-lock"
  }
}

After that I did the following commands

export AWS_PROFILE=dev
terraform init

I get this error instead

Initializing the backend...

Error configuring the backend "s3": No valid credential sources found for AWS Provider.
  Please see https://terraform.io/docs/providers/aws/index.html for more information on
  providing credentials for the AWS Provider

Please update the configuration in your Terraform files to fix this error.
If you'd like to update the configuration interactively without storing
the values in your configuration, run "terraform init".

My questions are

  • What is the expected work-around to this? Is it to simply set an assume_role parameter in the backend config?
  • Is the backend config expected to behave this way with assume-roles in the AWS profile?

Hi all! Sorry for the long silence on this issue. We've just merged a PR updating the aws sdk which adds support for role_arn in aws configuration files. This will be in the next release of terraform.

Since the fix is merged into master, I am going to close this issue. Thanks! 🎉

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
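
Added example, not part of the thread and not Terraform's code: a small Python check that reads the two AWS files and reports, for each profile, whether it carries static keys or resolves only through role_arn and source_profile, which is the case the thread reports failing. The function names are hypothetical, and the sample files are the ones from the first post with its placeholder values.

```python
import configparser

# Sample files as posted in the first message of the thread (placeholder values).
CREDENTIALS = """[default]
aws_access_key_id=xxx
aws_secret_access_key=xxx
[development]
aws_access_key_id=yyy
aws_secret_access_key=yyy
"""
CONFIG = """[default]
region=ap-northeast-1
[profile development]
region=ap-northeast-1
[profile production]
source_profile=development
role_arn=arn:aws:iam::xxx:role/role-xxx
region=ap-northeast-1
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def _resolve(name, static, conf, sections, seen=()):
    """Follow role_arn/source_profile links until static keys are reached."""
    if name in seen:
        return ("broken", "source_profile loop")
    sec = sections.get(name)
    role = conf.get(sec, "role_arn", fallback=None) if sec else None
    if role is None:
        if name in static:
            return ("static", "keys in credentials file")
        return ("broken", "no keys and no role_arn")
    src = conf.get(sec, "source_profile", fallback=None)
    if src is None:  # other sources such as credential_source are not handled here
        return ("broken", "role_arn without source_profile")
    kind, detail = _resolve(src, static, conf, sections, seen + (name,))
    if kind == "broken":
        return ("broken", f"source_profile {src}: {detail}")
    return ("assume-role", f"{role} via {src}")

def classify_profiles(credentials_text, config_text):
    creds, conf = _parse(credentials_text), _parse(config_text)
    static = {s for s in creds.sections() if creds.has_option(s, "aws_access_key_id")}
    # Map every profile in either file to (kind, detail). In ~/.aws/config
    # every section except [default] is named "profile <name>".
    sections = {s.removeprefix("profile "): s for s in conf.sections()}
    return {n: _resolve(n, static, conf, sections) for n in sorted(static | set(sections))}
```

Profiles reported as assume-role are the ones that need a client which reads role_arn from ~/.aws/config; a client that only looks for keys in ~/.aws/credentials will not find them.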
