Provider assume role block with profile no longer works with 3.26.0 #17353
Comments
Hi folks 👋 This particular error is from the AWS Go SDK we depend on:
Which was adjusted to include checking for SSO configuration in an AWS shared configuration profile with the support for SSO cached credentials in version 1.37.0 (released as part of Terraform AWS Provider version 3.26.0). If you have both This particular validation is being controlled by the AWS Go SDK, so it may be best to track or contribute to these conversations upstream for updates on whether this particular validation might be relaxed: |
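The validation described in the comment above can be approximated offline before running Terraform. This is an added example, not code from the provider or the AWS Go SDK: it flags profiles that set more than one of the credential types named in the error message. The key grouping, the merging of a profile's settings across `~/.aws/config` and `~/.aws/credentials`, and the sample file contents are assumptions made for illustration.

```python
import configparser

# Assumption: standard AWS shared-config key names, grouped to match the five
# credential types named in the error message; any sso_* key counts as "sso".
CREDENTIAL_TYPES = {
    "source profile": {"source_profile"},
    "credential source": {"credential_source"},
    "credential process": {"credential_process"},
    "web identity token": {"web_identity_token_file"},
    "sso": {"sso_account_id", "sso_region", "sso_role_name", "sso_start_url"},
}

# Constructed sample files (not taken from the issue).
SAMPLE_CONFIG = """
[default]
region = eu-west-1
[profile deploy]
credential_process = /opt/bin/get-creds --account deploy
sso_start_url = https://example.awsapps.com/start
sso_region = eu-west-1
[profile ci]
source_profile = default
role_arn = arn:aws:iam::111111111111:role/example
"""
SAMPLE_CREDENTIALS = """
[ci]
credential_process = /opt/bin/get-creds --account ci
"""

def merged_profiles(*file_texts):
    """Merge settings per profile across config- and credentials-style files."""
    profiles = {}
    for text in file_texts:
        parser = configparser.ConfigParser(interpolation=None, strict=False)
        parser.read_string(text)
        for section in parser.sections():
            # ~/.aws/config uses "[profile name]"; ~/.aws/credentials uses "[name]".
            name = section[8:].strip() if section.startswith("profile ") else section
            profiles.setdefault(name, {}).update(parser[section])
    return profiles

def find_collisions(*file_texts):
    """Return {profile: [credential types]} for profiles that set more than one."""
    collisions = {}
    for name, settings in merged_profiles(*file_texts).items():
        present = [ctype for ctype, keys in CREDENTIAL_TYPES.items()
                   if any(settings.get(k, "").strip() for k in keys)]
        if len(present) > 1:
            collisions[name] = present
    return collisions
```

Pass the text of both shared files to `find_collisions`; a profile can look clean in one file and still collide once settings from the other file are merged in.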
Hi @bflad , Thanks for the update, however that's not the case for me. My profile contains only the secret key and key id, no sso. I do have other profiles in the same file that are sso, but not this one. Please see below ...
terraform config:
|
Here is a complete set of configs I have used to replicate the issue:
    provider "aws" {
      region = "eu-west-1"
      assume_role {
        role_arn = "arn:aws:iam::XXXXX:role/XXXXXX"
      }
    }
    data "aws_caller_identity" "current" {}
    output "acc_id" {
      value = data.aws_caller_identity.current.account_id
    }
~/.aws/config
~/.aws/credentials
software versions:
Cheers, |
I could finally resolve this by updating to the latest Go version: https://golang.org/doc/install , "go version go1.15.7 linux/amd64" And everything is fine! No longer "Error: error configuring Terraform AWS Provider: error creating assume role session: SharedConfigErr: only one credential type may be specified per profile: source profile, credential source, credential process, web identity token, or sso" |
@martindcernadas You mean you updated go and built the aws provider plugin from source? |
Sorry @martindcernadas, please can you elaborate? I've just upgraded from 1.15.2 to 1.15.7_1 and it made no difference. I still receive the error. Cheers, |
Just to confirm - I can get this working by removing all "credential_process" lines from my profiles. However, I had an older version of awscli (v2.0.55). This was generating credentials with an invalid timestamp (see here). I upgraded to 2.1.24, logged in again and the timestamp issue disappeared. Therefore I guess this technically isn't an issue any more. HOWEVER, it should have come with a large warning that it needs the latest AWS CLI version to generate credentials with valid timestamps. |
This just bit me also. It definitely does not work to use a profile in the provider config that is based on Edit to add: This is still an issue in v3.68.0 Edit Edit: Haha, never mind, something changed, but it was an interaction between a new aws provider version and an old module version. I updated the aws provider, and it stopped working with the old module version. Updated the module version, and now it works again. Good times! |
Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label. If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you! |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
Community Note
Terraform CLI and Terraform AWS Provider Version
Affected Resource(s)
Terraform Configuration Files
Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.
Debug Output
Panic Output
Expected Behavior
Terraform should have used the profile to obtain a session and assumed the role specified in the assume_role block
Actual Behavior
Terraform plan and apply both fail with
Error: error configuring Terraform AWS Provider: error creating assume role session: SharedConfigErr: only one credential type may be specified per profile: source profile, credential source, credential process, web identity token, or sso
Steps to Reproduce
terraform init will succeed
terraform apply will fail
Important Factoids
This works on Provider version 3.25.0. It's broken in 3.26.0.
References