hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Cannot use AWS SSO to configure management account. #28037

Open macnibblet opened 1 year ago

macnibblet commented 1 year ago

Terraform Core Version

1.3.5

AWS Provider Version

4.41.0

Affected Resource(s)

No response

Expected Behavior

I wanted to start managing the "management" account using terraform, and I needed to add another account, so I thought that I would start by adding it through terraform.

```hcl
provider "aws" {
  profile = "management"
}

// This was actually a call to create an account but for simplicity even calling this fails
data "aws_caller_identity" "this" {
}
```

And calling this locally using the aws cli (`aws sts get-caller-identity`) works just fine as well.

Actual Behavior

```text
Error: error configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: e0a9eb7a-fba9-49cb-a122-0f21f85f19a5, api error InvalidClientTokenId: The security token included in the request is invalid.
```

Relevant Error/Panic Output Snippet

Did some debugging and it seems that when calling via terraform using an AWS SSO profile the `sts get-caller-identity` always fails, changing my profile to target another account works just fine.

Terraform Configuration Files

```hcl
provider "aws" {}

data "aws_caller_identity" "this" {
}
```

Steps to Reproduce

1. Set up AWS SSO with a user that has AdminAccess on the management account
2. Try to run the following terraform against that profile

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No
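When the CLI resolves an SSO profile but a tool reading the same config does not, the first thing to rule out is an incomplete profile stanza. The script below is an added triage helper, not code from this issue or from the provider: it parses an `~/.aws/config`-style file and reports which SSO keys a named profile lacks. The config it reads is constructed for the example; the profile names and values are placeholders.

```shell
# Added triage helper, not code from the issue or the provider: checks that a
# named profile in an ~/.aws/config-style file has every key an SSO profile
# needs, so a credential failure can be separated from a config gap. The
# config file below is constructed for the example.

# Print the value of KEY in section "[profile NAME]" of FILE (empty if unset).
profile_key() {
    awk -v sect="[profile $2]" -v key="$3" '
        /^\[/ { in_sect = ($0 == sect); next }
        in_sect && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Return 0 if profile NAME in FILE has sso_account_id and sso_role_name plus
# either an sso_session reference or both sso_start_url and sso_region;
# otherwise list the missing keys on stderr and return 1.
check_sso_profile() {
    need="sso_account_id sso_role_name"
    [ -n "$(profile_key "$1" "$2" sso_session)" ] || need="$need sso_start_url sso_region"
    missing=""
    for k in $need; do
        [ -n "$(profile_key "$1" "$2" "$k")" ] || missing="$missing $k"
    done
    [ -z "$missing" ] && return 0
    echo "profile $2: missing$missing" >&2
    return 1
}

# Constructed sample: one complete SSO profile, one that lacks its role name.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
[profile management]
sso_start_url = https://example.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 111111111111
sso_role_name = AdministratorAccess

[profile broken]
sso_start_url = https://example.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 222222222222
EOF

for p in management broken; do
    if check_sso_profile "$SAMPLE_CONFIG" "$p"; then echo "$p: ok"; fi
done
```

Point it at the real file with `check_sso_profile "$HOME/.aws/config" management`; a clean result means the stanza is complete and the failure lies in token resolution rather than in the profile definition.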

github-actions[bot] commented 1 year ago
