Add support in TF file configuration for assuming roles via profiles defined in ~/.aws/config

aws/config.go

@@ -232,44 +232,63 @@ func (c *Config) Client() (interface{}, error) {
 	if err != nil {
 		return nil, err
 	}
+
+	// define the AWS Session options
+	// Credentials or Profile will be set in the Options below
+	// MaxRetries may be set once we validate credentials
+	var opt = session.Options{
+		Config: aws.Config{
+			Region:           aws.String(c.Region),
+			MaxRetries:       aws.Int(0),
+			HTTPClient:       cleanhttp.DefaultClient(),
+			S3ForcePathStyle: aws.Bool(c.S3ForcePathStyle),
+		},
+	}
+
 	// Call Get to check for credential provider. If nothing found, we'll get an
 	// error, and we can present it nicely to the user
 	cp, err := creds.Get()
 	if err != nil {
 		if awsErr, ok := err.(awserr.Error); ok && awsErr.Code() == "NoCredentialProviders" {
-			return nil, errors.New(`No valid credential sources found for AWS Provider.
+			// If a profile wasn't specified then error out
+			if c.Profile == "" {
+				return nil, errors.New(`No valid credential sources found for AWS Provider.
   Please see https://terraform.io/docs/providers/aws/index.html for more information on
   providing credentials for the AWS Provider`)
+			}
+			// add the profile and enable share config file usage
+			log.Printf("[INFO] AWS Auth using Profile: %q", c.Profile)
+			opt.Profile = c.Profile
+			opt.SharedConfigState = session.SharedConfigEnable
+		} else {
+			return nil, fmt.Errorf("Error loading credentials for AWS Provider: %s", err)
 		}
-
-		return nil, fmt.Errorf("Error loading credentials for AWS Provider: %s", err)
-	}
-
-	log.Printf("[INFO] AWS Auth provider used: %q", cp.ProviderName)
-
-	awsConfig := &aws.Config{
-		Credentials:      creds,
-		Region:           aws.String(c.Region),
-		MaxRetries:       aws.Int(c.MaxRetries),
-		HTTPClient:       cleanhttp.DefaultClient(),
-		S3ForcePathStyle: aws.Bool(c.S3ForcePathStyle),
+	} else {
+		// add the validated credentials to the session options
+		log.Printf("[INFO] AWS Auth provider used: %q", cp.ProviderName)
+		opt.Config.Credentials = creds
 	}
 
 	if logging.IsDebugOrHigher() {
-		awsConfig.LogLevel = aws.LogLevel(aws.LogDebugWithHTTPBody | aws.LogDebugWithRequestRetries | aws.LogDebugWithRequestErrors)
-		awsConfig.Logger = awsLogger{}
+		opt.Config.LogLevel = aws.LogLevel(aws.LogDebugWithHTTPBody | aws.LogDebugWithRequestRetries | aws.LogDebugWithRequestErrors)
+		opt.Config.Logger = awsLogger{}
 	}
 
 	if c.Insecure {
-		transport := awsConfig.HTTPClient.Transport.(*http.Transport)
+		transport := opt.Config.HTTPClient.Transport.(*http.Transport)
 		transport.TLSClientConfig = &tls.Config{
 			InsecureSkipVerify: true,
 		}
 	}
 
-	// Set up base session
-	sess, err := session.NewSession(awsConfig)
+	// create base session with no retries. MaxRetries will be set later
+	sess, err := session.NewSessionWithOptions(opt)
 	if err != nil {
+		if awsErr, ok := err.(awserr.Error); ok && awsErr.Code() == "NoCredentialProviders" {
+			return nil, errors.New(`No valid credential sources found for AWS Provider.
+  Please see https://terraform.io/docs/providers/aws/index.html for more information on
+  providing credentials for the AWS Provider`)
+		}
 		return nil, errwrap.Wrapf("Error creating AWS session: {{err}}", err)
 	}
 
@@ -279,6 +298,11 @@ func (c *Config) Client() (interface{}, error) {
 		sess.Handlers.UnmarshalError.PushFrontNamed(debugAuthFailure)
 	}
 
+	// if the desired number of retries is non-zero, update the session
+	if c.MaxRetries > 0 {
+		sess = sess.Copy(&aws.Config{MaxRetries: aws.Int(c.MaxRetries)})
+	}
+
 	// This restriction should only be used for Route53 sessions.
 	// Other resources that have restrictions should allow the API to fail, rather
 	// than Terraform abstracting the region for the user. This can lead to breaking