
Vault Provider - auth_login_aws does not use environment variables for AWS_SECRET_ACCESS_KEY, AWS_ACCESS_KEY_ID, AWS_SESSION_TOKEN #1754

Open
whathelll opened this issue Feb 9, 2023 · 8 comments

Comments

@whathelll
Copy link

whathelll commented Feb 9, 2023

I've got these environment variables defined:

  • AWS_SECRET_ACCESS_KEY
  • AWS_ACCESS_KEY_ID
  • AWS_SESSION_TOKEN

Terraform Version

v1.3.7

Affected Resource(s)

Vault Provider 3.12

Terraform Configuration Files

terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

provider "vault" {
  address = var.VAULT_ADDR

  auth_login_aws {
    namespace = "admin"
    role      = "myrole"
  }
}

Debug Output

https://gist.github.com/whathelll/9b97fefda12ec2e428617bf52bdc6458

Expected Behavior

It should use the environment variables to authenticate with Vault.

Actual Behavior

│ Error: Missing required argument
│ 
│   with provider["registry.terraform.io/hashicorp/vault"],
│   on main.tf line 13, in provider "vault":
│   13:   auth_login_aws {
│ 
│ "auth_login_aws.0.aws_secret_access_key": all of `auth_login_aws.0.aws_access_key_id,auth_login_aws.0.aws_secret_access_key` must be specified

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform plan

Important Factoids

References

If I use auth_login instead of auth_login_aws, it will pick up the environment variables.

@thoreinstein
Copy link


We too are seeing this same exact issue.

@ohcnkk
Copy link

ohcnkk commented Feb 24, 2023


Having same in GitHub Actions self-hosted runner running on ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20230112.

@alexanderchadwick
Copy link

I've got the same issue. Currently working around by using the auth_login block:

provider "vault" {

  address = "https://${var.address}"

  # auth_login_aws {
  #   mount        = "aws"
  #   role         = var.aws_auth_vault_role
  #   header_value = var.address
  # }

  auth_login {
    path   = "/auth/aws/login"
    method = "aws"
    parameters = {
      role         = var.aws_auth_vault_role
      header_value = var.address
    }
  }
}

@gautamg795
Copy link

@alexanderchadwick I suppose there's no way to specify which IAM role to assume when using that approach, right?
(I'd use the auth_login_aws[0].aws_role_arn parameter if it weren't for this bug, but I'm not sure the workaround supports this)

@Conacious
Copy link

Having the same issue: I can't assume a role with auth_login_aws; it is just broken. Any updates on this?

@dmikalova
Copy link

The auth_login {} trick doesn't work if you want to use the STS role switching feature (i.e. auth_login_aws { aws_role_arn = $ROLE }).
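As an added example (not from the thread and not the provider's own code), one way to keep role switching while using the auth_login workaround above: assume the IAM role with the AWS CLI before Terraform runs, export the three variables the issue lists, and let auth_login pick them up. The TF_ASSUME_ROLE_ARN variable and the session name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the issue thread. Pre-assumes the IAM role that
# auth_login_aws.aws_role_arn would have used, then runs terraform with the
# auth_login block, which does read the AWS_* environment variables.
set -eu

# Turn one tab-separated "AccessKeyId SecretAccessKey SessionToken" line (the
# shape `aws sts assume-role --output text --query ...` prints) into export
# statements for the caller to eval. Fails if any of the three is missing.
creds_to_exports() {
  line=$1
  IFS="$(printf '\t')" read -r key_id secret token <<EOF
$line
EOF
  [ -n "$key_id" ] && [ -n "$secret" ] && [ -n "$token" ] || return 1
  printf 'export AWS_ACCESS_KEY_ID=%s\n' "$key_id"
  printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$secret"
  printf 'export AWS_SESSION_TOKEN=%s\n' "$token"
}

# Assume the role for the shortest allowed session (15 minutes) and run plan.
# $1 is the role ARN, e.g. arn:aws:iam::123456789012:role/vault-auth (placeholder).
assume_and_plan() {
  role_arn=$1
  creds=$(aws sts assume-role \
    --role-arn "$role_arn" \
    --role-session-name terraform-vault-login \
    --duration-seconds 900 \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text)
  eval "$(creds_to_exports "$creds")"
  terraform plan
}

# TF_ASSUME_ROLE_ARN is an assumed variable name; nothing runs when it is unset.
if [ -n "${TF_ASSUME_ROLE_ARN:-}" ]; then
  assume_and_plan "$TF_ASSUME_ROLE_ARN"
fi
```

The temporary credentials live only in this shell's environment and expire with the STS session, so nothing long-lived ends up in the Terraform configuration.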

@marthinuskr
Copy link

Is there any update on this? This is quite an annoying issue to get around.

@mspolitaev
Copy link

mspolitaev commented Aug 30, 2024

Same problem. Do you have a plan to make auth_login_aws more useful? Really waiting for support for SSO creds and the ability to assume a role via aws_role_arn.
