hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: ECS Container credentials are not working #30497

Open womblep opened 1 year ago

womblep commented 1 year ago

Terraform Core Version

1.4.4

AWS Provider Version

4.61.0

Affected Resource(s)

Any resource. The credentials available as a Task role on ECS FARGATE are not being detected by terraform. I have tried with environment variables as well as a shared config file. AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is not being detected.

Expected Behavior

terraform should run using the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI to determine the task role

Actual Behavior

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: configuring Terraform AWS Provider: loading configuration: EcsContainer was specified as the credential_source, but 'AWS_CONTAINER_CREDENTIALS_RELATIVE_URI' was not set
│
│   with provider["registry.terraform.io/hashicorp/aws"],
│   on test.tf line 10, in provider "aws":
│   10: provider "aws" {
│
╵

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

Anything in <> is removed for security

test.tf

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}

provider "aws" {
  region = "ap-southeast-2"
}

data "aws_caller_identity" "current" {}

resource "aws_ssm_parameter" "image" {
  name  = "test-is-a-test"
  type  = "String"
  value = "this is a value"
  overwrite = true
}

~/.aws/config

[default]
region = ap-southeast-2
credential_source = EcsContainer
role_arn = arn:aws:iam::<account>:role/<rolename>

environment

AWS_CONTAINER_CREDENTIALS_RELATIVE_URI='/v2/credentials/<uuid>'
AWS_DEFAULT_REGION='ap-southeast-2'
AWS_EXECUTION_ENV='AWS_ECS_FARGATE'
AWS_REGION='ap-southeast-2'

Steps to Reproduce

terraform plan

output is:

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: configuring Terraform AWS Provider: loading configuration: EcsContainer was specified as the credential_source, but 'AWS_CONTAINER_CREDENTIALS_RELATIVE_URI' was not set
│
│   with provider["registry.terraform.io/hashicorp/aws"],
│   on test.tf line 10, in provider "aws":
│   10: provider "aws" {
│
╵

But AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set

Debug Output

https://gist.github.com/womblep/37e1d8a576157079cbd98752653c219d

Panic Output

No response

Important Factoids

It also doesn't pick up AWS_CONTAINER_CREDENTIALS_RELATIVE_URI natively without the ~/.aws/config file, which the documentation suggests it should. Instead it fails by not finding the EC2 profile, suggesting that it skipped AWS_CONTAINER_CREDENTIALS_RELATIVE_URI completely.

References

No response

Would you like to implement a fix?

None

joeythomaschaske commented 11 months ago

Any workaround on this?

Parkalla commented 1 month ago

Would also be interested in a workaround or fix. This happened for me on CodeCatalyst when using the workers Role to execute Terraform with named profiles in the shared profile config file. While I can run aws cli commands with the named profiles without problems, with Terraform this fails.

rkubik-hostersi commented 2 days ago

I'm facing the same issue when working on EKS Pod Identity with terraform running from within.
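
Added example, not part of the issue thread or the provider's code: a shell check, meant to be sourced in the same session that launches `terraform plan`, that reports whether each container-credential variable is exported to child processes or only set in the current shell, without printing the credential path. The function names are chosen here; `AWS_CONTAINER_CREDENTIALS_FULL_URI` and `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` do not appear in the thread and are included on the assumption that the EKS Pod Identity case uses the SDK's full-URI form.

```shell
#!/bin/sh
# Added diagnostic; not from the issue thread or terraform-provider-aws.
# A variable assigned in a shell but never exported shows up in `set` and
# `echo`, yet is absent from the environment of child processes.

# Print "exported", "shell-only" or "unset" for the variable named in $1.
# $1 is only ever a hard-coded name below, never untrusted input.
var_status() {
    if sh -c "[ -n \"\${$1+x}\" ]"; then
        echo exported            # a freshly spawned child can see it
    elif eval "[ -n \"\${$1+x}\" ]"; then
        echo shell-only          # set here, but not passed to children
    else
        echo unset
    fi
}

# Print which container-credential variable a child process would find.
# The relative URI is checked first, as the AWS SDKs do. Returns 1 if
# neither variable reaches child processes.
child_source() {
    if [ "$(var_status AWS_CONTAINER_CREDENTIALS_RELATIVE_URI)" = exported ]; then
        echo relative-uri
    elif [ "$(var_status AWS_CONTAINER_CREDENTIALS_FULL_URI)" = exported ]; then
        echo full-uri
    else
        return 1
    fi
}

# Report status only, never values: the relative URI identifies the task's
# credential path and should stay out of logs.
report() {
    for v in AWS_CONTAINER_CREDENTIALS_RELATIVE_URI \
             AWS_CONTAINER_CREDENTIALS_FULL_URI \
             AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE \
             AWS_PROFILE AWS_CONFIG_FILE AWS_REGION; do
        printf '%-42s %s\n' "$v" "$(var_status "$v")"
    done
    src=$(child_source) || src="none visible to child processes"
    echo "container credential source: $src"
}

report
```
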