Terraform: Credentials Helper trying to resolve credentials for registry.terraform.io in v0.13.0

Created on 20 Aug 2020 · 5 Comments · Source: hashicorp/terraform

Terraform Version

0.13.0

Terraform Configuration Files

The Terraform setup itself uses this plugin (https://github.com/terraform-aws-modules/terraform-aws-rds-aurora) to build an AWS Aurora cluster. This Aurora cluster uses the hashicorp/random plugin.

terraform {
  backend "remote" {
    hostname     = "app.terraform.io"
    organization = "my-organisation"

    workspaces {
      prefix = "my-project-"
    }
  }
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.2"
    }
  }
}
...

Debug Output

terraform init ./terraform
Initializing modules...

Initializing the backend...

Initializing provider plugins...
- Finding hashicorp/random versions matching "~> 2.2"...
- Finding hashicorp/aws versions matching "~> 3.2, >= 2.45.*, < 4.0.*"...

Error: Failed to query available provider packages

Could not retrieve the list of available versions for provider
hashicorp/random: failed to retrieve credentials for registry.terraform.io:
error in /root/.terraform.d/plugins/terraform-credentials-env_v1.0.0_x4: No
credentials for registry.terraform.io are defined via environment variables.

Crash Output

Expected Behavior

In terraform < 0.13.0 the credentials helper was never asked for credentials for registry.terraform.io.

Actual Behavior

Terraform attempted to use a credentials provider to get credentials for registry.terraform.io

Steps to Reproduce

Additional Context

We're using this credentials helper: https://github.com/apparentlymart/terraform-credentials-env

References

bug explained

All 5 comments

I'm able to reproduce this issue, although I'm not sure what should be done about it.

There is a simple workaround: specifying an empty credentials block in your global configuration for the official registry will prevent Terraform asking your credentials helper for credentials. The relevant section of my configuration looks like this:

credentials "registry.terraform.io" {}
credentials_helper "env" {}

This still allows me to store and retrieve credentials for Terraform Cloud using the helper.

However, this doesn't seem like an ideal situation. We might want to consider putting the default registry host on a stoplist for credential lookups when installing providers, or maybe just update the credentials helper documentation with this workaround.

Hi @jralph!

For the purposes of this comment I'm wearing my "maintainer of terraform-credentials-env" hat rather than my "maintainer of Terraform CLI" hat, because what you've encountered here feels like a flaw in my credentials helper rather than in Terraform itself.

What changed in Terraform 0.13 here is that Terraform is now interacting with registries in a manner that is consistent with the pre-existing _module_ registry protocol, which includes support for authentication. As you noted, the interaction with the public registry for provider installation was previously more of an implementation detail and so it skipped over these mechanisms largely as a result of being retrofitted into a pre-existing provider installation codepath as an interim step in v0.12.

If you had previously been trying to install Terraform _modules_ from registry.terraform.io then you would've encountered this problem all the way back in Terraform 0.11, when the credentials helper mechanism was introduced, because Terraform would already have been consulting the credentials helper for module installation credentials.

With all of that said, I think the root problem here is that terraform-credentials-env ought to treat an absent environment variable as "no credentials needed" rather than as an outright error, thus allowing you to use it to provide a token for app.terraform.io while leaving registry.terraform.io unauthenticated. I'd like to address this issue by releasing a new version of terraform-credentials-env that behaves in that way. Would you be okay with upgrading to a new version of the credentials helper?

Thanks for reporting this!

Hi @apparentlymart,

Thanks for the response! I'd be happy to update our version of terraform-credentials-env if you have a new release, that would be no problem at all and a good solution in my opinion!

Hey guys, I'm coming here via https://github.com/bendrucker/terraform-credentials-keychain having noticed the same behavior in 0.13. When running Terraform commands that read credentials (e.g. init reading state from a backend), the credential helper can fail on get and Terraform will suppress the error and print:

Error: Required token could not be found

Run the following command to generate a token for app.terraform.io:
    terraform login app.terraform.io

However, I found that printing valid JSON without a token ({}) and exiting 0 triggers the same helpful messaging when a token is required but also satisfies the credential request for registry.terraform.io.

So my approach will be to try to detect "not found" errors from the keyring and then return an empty object, while still printing other errors and exiting 1.

But that does seem to clash with the docs (https://www.terraform.io/docs/internals/credentials-helpers.html):

If it is unable to provide the requested credentials for any reason, it must print an end-user-oriented plain text error message to its stderr stream and then exit with a non-zero status code.

If the behavior I noted above with an empty object is intended it's probably worth including there.

@bendrucker Thanks for the suggestion! I opened a couple of tiny related PRs.

(I have my own, less well-rounded Keychain credentials helper: alisdair/terraform-credentials-keychain. Glad to see yours!)
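
The helper behaviour discussed in this thread (a missing credential answered with `{}` and exit status 0, any other failure reported on stderr with a non-zero exit), as an added example that is not code from terraform-credentials-env, terraform-credentials-keychain or Terraform itself. The `TF_TOKEN_<hostname>` variable naming, the `errNotFound` sentinel and the function names are assumptions made for this sketch.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
)

// errNotFound marks "no credential stored", as opposed to a backend failure.
var errNotFound = errors.New("credentials not found")

// envLookup reads a token from TF_TOKEN_<hostname with dots as underscores>.
// This naming scheme is an assumption of the example.
func envLookup(hostname string) (string, error) {
	name := "TF_TOKEN_" + strings.ReplaceAll(hostname, ".", "_")
	if tok, ok := os.LookupEnv(name); ok && tok != "" {
		return tok, nil
	}
	return "", errNotFound
}

// get returns the JSON a helper prints on stdout for "get <hostname>".
// "Not found" becomes "{}" so hosts such as registry.terraform.io stay anonymous.
func get(hostname string, lookup func(string) (string, error)) (string, error) {
	tok, err := lookup(hostname)
	if errors.Is(err, errNotFound) {
		return "{}", nil
	}
	if err != nil { // real failure: caller prints it to stderr and exits non-zero
		return "", fmt.Errorf("retrieving credentials for %s: %w", hostname, err)
	}
	out, err := json.Marshal(map[string]string{"token": tok})
	return string(out), err
}

func main() {
	if len(os.Args) != 3 || os.Args[1] != "get" {
		fmt.Fprintln(os.Stderr, "usage: terraform-credentials-example get <hostname>")
		os.Exit(1)
	}
	out, err := get(os.Args[2], envLookup)
	if err != nil {
		fmt.Fprintln(os.Stderr, err) // the token itself is never written to stderr
		os.Exit(1)
	}
	fmt.Println(out)
}
```

Keeping "not found" distinct from other errors matters: collapsing every failure into `{}` would hide a locked keyring or a broken backend behind an unauthenticated request.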
