Terraform: Environment variables not being read

Created on 1 Sep 2016 · 8 Comments · Source: hashicorp/terraform

Terraform Version

[~/terraform]$ terraform -v
Terraform v0.7.2

Affected Resource(s)

  • Connecting to AWS

Tests

Test 1 - Token as an environment variable

[~/terraform]$ cat main.tf 
provider "aws" {
  access_key = "MY_AWS_ACCESS_KEY"
  secret_key = "MY_AWS_SECRET_KEY"
}
[~/terraform]$ env | grep AWS
AWS_SECURITY_TOKEN=MY_AWS_SECURITY_TOKEN
[~/terraform]$ terraform plan
provider.aws.region
  The region where AWS operations will take place. Examples
  are us-east-1, us-west-2, etc.

  Default: us-east-1
  Enter a value: 

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but
will not be persisted to local or remote state storage.

Error refreshing state: 1 error(s) occurred:

* 1 error(s) occurred:

* InvalidClientTokenId: The security token included in the request is invalid.
        status code: 403, request id: 1fd82d47-7034-11e6-9c8b-f799745f39a7

Test 2 - Environment variables only

[~/terraform]$ cat main.tf 
provider "aws" {}
[~/terraform]$ env | grep AWS
AWS_SECURITY_TOKEN=MY_AWS_SECURITY_TOKEN
AWS_ACCESS_KEY_ID=MY_AWS_ACCESS_KEY
AWS_SECRET_ACCESS_KEY=MY_AWS_SECRET_KEY
[~/terraform]$ terraform plan
provider.aws.region
  The region where AWS operations will take place. Examples
  are us-east-1, us-west-2, etc.

  Default: us-east-1
  Enter a value: 

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but
will not be persisted to local or remote state storage.

Error refreshing state: 1 error(s) occurred:

* 1 error(s) occurred:

* InvalidClientTokenId: The security token included in the request is invalid.
        status code: 403, request id: eee7aeda-7034-11e6-ba7c-b9e8257b7e16

Test 3 - Access key as an environment variable

[~/terraform]$ cat main.tf 
provider "aws" {
  secret_key = "MY_AWS_SECRET_KEY"
  token = "MY_AWS_SECURITY_TOKEN"
}
[~/terraform]$ env | grep AWS
AWS_ACCESS_KEY_ID=MY_AWS_ACCESS_KEY
[~/terraform]$ terraform plan
provider.aws.region
  The region where AWS operations will take place. Examples
  are us-east-1, us-west-2, etc.

  Default: us-east-1
  Enter a value: 

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but
will not be persisted to local or remote state storage.

Error refreshing state: 1 error(s) occurred:

* 1 error(s) occurred:

* No valid credential sources found for AWS Provider.
  Please see https://terraform.io/docs/providers/aws/index.html for more information on
  providing credentials for the AWS Provider

Test 4 - All in the provider declaration

[~/terraform]$ cat main.tf 
provider "aws" {
  access_key = "MY_AWS_ACCESS_KEY"
  secret_key = "MY_AWS_SECRET_KEY"
  token = "MY_AWS_SECURITY_TOKEN"
}
[~/terraform]$ env | grep AWS
[~/terraform]$ terraform plan
provider.aws.region
  The region where AWS operations will take place. Examples
  are us-east-1, us-west-2, etc.

  Default: us-east-1
  Enter a value: 

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but
will not be persisted to local or remote state storage.


The Terraform execution plan has been generated and is shown below.
Resources are shown in alphabetical order for quick scanning. Green resources
. . . . .

I think this may somehow be environment related:

[~/terraform]$ env
LANG=en_US.UTF-8
LC_CTYPE=en_US.UTF-8
LESS=-R
PWD=/Users/<username>/terraform
SHELL=/bin/zsh
SHLVL=2
TERM=screen-256color
TERM_PROGRAM=Apple_Terminal
TERM_PROGRAM_VERSION=343.7
TMUX=/private/var/folders/XXXXXXXXXXXXXXXXXXXXXXXXXX/T/tmux-XXXXXXXXXX/default,3048,0
TMUX_PANE=%0
VIRTUAL_ENV_DISABLE_PROMPT=1
XPC_FLAGS=0x0
XPC_SERVICE_NAME=0
ZSH=/Users/<username>/.oh-my-zsh
ZSH_TMUX_TERM=screen-256color
_=/usr/bin/env
. . . . .

Expected Behavior

Would expect environment variables to be picked up

Actual Behavior

They weren't.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform plan

Important Factoids

See environment settings above - some have been cleaned for security reasons.

All 8 comments

When reading the documentation for the aws provider I see that access_key and secret_key are optional, and it looks like they will be read from the environment variable if left out.

@martin-flaregames that's very true. But they aren't being recognized (see test 2).

The documentation is contradictory on that point; it states that the region is required, so you must declare it.

My preferred way of doing this is by creating a terraform.tfvars file, which I just ignore in .gitignore/.hgignore, and it looks like this:

aws_access_key = "asjgfjsgf123123sfgjs"
aws_secret_key = "2631jh2g4jh23g45kh2g45k2jh3g45kj2h3g45g4"
aws_region = "us-east-1"

then I just put this all together in the .tf file like this:

variable "aws_access_key" {}
variable "aws_secret_key" {}
variable "aws_region" {}

provider "aws" {
    access_key = "${var.aws_access_key}"
    secret_key = "${var.aws_secret_key}"
    region = "${var.aws_region}"
}

Somehow I would prefer this declarative way over environment variables. But this is not what you are asking for right now.

I am experiencing a similar issue using variables defined like variable "blah" {} in my .tf file and trying to set an environment variable called TF_VAR_blah. If I change the environment to TF_VAR_blahh and run terraform plan, it tells me to enter a value for var.blah so I know it is at least trying to read the environment variable. But it doesn't seem to use it.

I am on 0.7.1

With v0.7.6 (CentOS 7.2) the AWS access/secret key environment variables are recognized successfully.
Please check and confirm.

I thought I ran into this same issue when trying to use environment variables set by a shell script...turns out I forgot to export them. Not sure if there's a separate problem going on here, but just in case anyone else stumbling on this thread made the same mistake.
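
The assigned-but-not-exported mistake described in the comment above can be checked without echoing any secret values. This is an added example, not part of the original thread or of Terraform; the function names `var_state` and `check_tf_env` and the sample values are constructed for illustration.

```sh
#!/bin/sh
# Added example: report whether credential variables are exported, set only in
# this shell, or unset. Values are never printed, only the state.

# var_state NAME -> prints: exported | shell-only | unset | invalid
var_state() {
    name=$1
    # Accept only plain identifiers, since the name is passed through eval.
    case $name in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "invalid"; return 2 ;;
    esac
    # ${VAR+x} expands to "x" when VAR is set, even to an empty string.
    eval "is_set=\${$name+x}"
    if [ -z "$is_set" ]; then
        echo "unset"
        return 0
    fi
    # A child process inherits only exported variables, and terraform is a
    # child process, so ask a child shell whether it can see the name.
    if sh -c "[ -n \"\${$name+x}\" ]"; then
        echo "exported"
    else
        echo "shell-only"
    fi
}

# check_tf_env NAME... -> one status line per name; returns 1 unless all exported
check_tf_env() {
    rc=0
    for n in "$@"; do
        s=$(var_state "$n") || true
        printf '%-24s %s\n' "$n" "$s"
        [ "$s" = "exported" ] || rc=1
    done
    return "$rc"
}

# Constructed demonstration values, not real credentials.
unset AWS_ACCESS_KEY_ID AWS_SECURITY_TOKEN TF_VAR_blah
AWS_ACCESS_KEY_ID=constructed-access-key         # assigned but never exported
export AWS_SECRET_ACCESS_KEY=constructed-secret  # exported
TF_VAR_blah=constructed-value                    # assigned but never exported
check_tf_env AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SECURITY_TOKEN TF_VAR_blah || true
```

A variable reported as `shell-only` shows up in `set` but not in `env`, and `terraform plan` will behave as if it were missing.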

Significant issue in the documentation where it actually never explains where TF_VAR_ needs to exist to be read. After working on this a bit it is clear this functionality simply doesn't function (at least on Windows). Is there an update to a fix for this?

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
