hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: AWS Profile not recognized: Error: configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found #36055

Open EugenKon opened 8 months ago

EugenKon commented 8 months ago

Terraform Core Version

v1.7.4

AWS Provider Version

v4.67.0

Affected Resource(s)

NA

Expected Behavior

The SSO session credentials should be used

Actual Behavior

AWS profile is not found

Relevant Error/Panic Output Snippet

terraform plan

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
│
│ Please see https://registry.terraform.io/providers/hashicorp/aws
│ for more information about providing credentials.
│
│ AWS Error: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, request canceled, context deadline exceeded
│
│
│   with provider["registry.terraform.io/hashicorp/aws"],
│   on main.tf line 10, in provider "aws":
│   10: provider "aws" {
│
╵
╷
│ Error: configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
│
│ Please see https://registry.terraform.io/providers/hashicorp/aws
│ for more information about providing credentials.
│
│ AWS Error: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, request canceled, context deadline exceeded
│
│
│   with provider["registry.terraform.io/hashicorp/aws"].west,
│   on s3.tf line 352, in provider "aws":
│  352: provider "aws" {

Terraform Configuration Files

provider "aws" {
  profile = "root-acc"
}

No AWS_* variables defined.

Steps to Reproduce

aws configure sso --profile root-acc
terraform plan                         # you will get the error above
AWS_PROFILE=root-acc terraform plan    # This command runs successfully and the "root-acc" profile is recognized as expected.

Please fix Terraform to recognize the profile option in the providers.tf configuration file:

provider "aws" {
  profile = "root-acc"
}

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

https://github.com/hashicorp/terraform-provider-aws/issues/18065 Probably related, but in that issue the author describes provider usage inside a module, whereas in my case the issue happened in main.tf.

Would you like to implement a fix?

None


danquack commented 8 months ago

Hey @EugenKon. Are you able to validate that your credential is logged in? I've seen this before when I wasn't logged in:

➜ aws sso logout
➜ aws sts get-caller-identity --profile provider

Error loading SSO Token: Token for https://xxxxxxx.awsapps.com/start#/ does not exist
➜ terraform plan

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: No valid credential sources found
│ 
│   with provider["registry.terraform.io/hashicorp/aws"],
│   on main.tf line 1, in provider "aws":
│    1: provider "aws" {
│ 
│ Please see https://registry.terraform.io/providers/hashicorp/aws
│ for more information about providing credentials.
│ 
│ Error: failed to refresh cached credentials, the SSO session has expired or is invalid: failed to read cached SSO token file, open
│ /$HOME/.aws/sso/cache/b1293aac03ea62722023c3d3c8cec64a24e0caa5.json: no such file or directory
│ 
╵
➜ cat main.tf 
provider "aws" {
  profile = "provider"
}

resource "aws_s3_bucket" "bucket" {
  bucket = "my-tf-test-bucket"
}

➜ aws sso login --profile provider
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

.....
➜ terraform plan

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_s3_bucket.bucket will be created
  + resource "aws_s3_bucket" "bucket" {
      + acceleration_status         = (known after apply)
      + acl                         = (known after apply)
      + arn                         = (known after apply)
      + bucket                      = "my-tf-test-bucket"
      + bucket_domain_name          = (known after apply)
      + bucket_prefix               = (known after apply)
      + bucket_regional_domain_name = (known after apply)
      + force_destroy               = false
      + hosted_zone_id              = (known after apply)
      + id                          = (known after apply)
      + object_lock_enabled         = (known after apply)
      + policy                      = (known after apply)
      + region                      = (known after apply)
      + request_payer               = (known after apply)
      + tags_all                    = (known after apply)
      + website_domain              = (known after apply)
      + website_endpoint            = (known after apply)
    }
EugenKon commented 8 months ago

@danquack yes, I am logged in.

$ aws sts get-caller-identity --profile root-acc
{
    "UserId": "***",
    "Account": "***",
    "Arn": "arn:aws:sts::***bb7/e>
}

Please note that I get the error only when relying on the `provider "aws" { profile = "root-acc" }` configuration. If I set the AWS profile via the AWS_PROFILE environment variable, then the command works fine.

justinretzolk commented 8 months ago

Hey @EugenKon 👋 There were some changes related to authentication with v5 of the provider, which I seem to remember addressing some things like this (admittedly, I can't seem to find any of those issues at the moment). Are you able to test with a version in the 5.x series to see if those changes corrected this as well?

EugenKon commented 8 months ago

@justinretzolk It works better, but the problem still exists. In my case the plan is now executed:

$ terraform plan
...
Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may
have affected this plan:

  # aws_iam_group.walk-inside-RW has been deleted
...
Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using
ignore_changes, the following plan may include actions to undo or respond to these changes.

───────────────────────────────────────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated
with the following symbols:
  + create
  ~ update in-place
  - destroy

Terraform planned the following actions, but then encountered a problem:
...
Plan: 6 to add, 6 to change, 5 to destroy.
╷
│ Warning: Failed to decode resource from state
│
│ Error decoding "aws_iam_role.replication-role-for-sw-plntr" from prior state: unsupported attribute
│ "role_last_used"
╵
╷
│ Warning: Failed to decode resource from state
│
│ Error decoding "aws_iam_role.iguides-plntr-ca-west-iguides" from prior state: unsupported attribute
│ "role_last_used"
╵
╷
│ Error: No valid credential sources found
│
│   with provider["registry.terraform.io/hashicorp/aws"].west,
│   on s3.tf line 352, in provider "aws":
│  352: provider "aws" {
│
│ Please see https://registry.terraform.io/providers/hashicorp/aws
│ for more information about providing credentials.
│
│ Error: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata,
│ exceeded maximum number of attempts, 3, request send failed, Get
│ "http://169.254.169.254/latest/meta-data/iam/security-credentials/": dial tcp 169.254.169.254:80: connect:
│ host is down
│
$ terraform version
Terraform v1.7.4
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v5.40.0

Still, if I run the command as `AWS_PROFILE=root-acc terraform plan`, it completes successfully without any problems.
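An added pre-flight check (example code, not from the thread or the provider project): every `provider "aws"` block, aliases such as the `.west` one named in the error included, is configured on its own, so the script lists which blocks name a profile and verifies each named profile still resolves to an STS identity with the IMDS fallback disabled, so a missing or expired session fails in seconds instead of waiting on 169.254.169.254. It assumes the AWS CLI v2 is on PATH; the two .tf files it writes are constructed sample input, not the reporter's files.

```shell
#!/bin/sh
# Added example (not part of the issue thread). Pre-flight credential check for
# a Terraform root module that configures the AWS provider via `profile`.

# List the distinct profile = "..." values found in *.tf files under a directory.
# Heuristic: a `profile` line inside a backend block would be counted as well.
tf_profiles() {
  grep -h -E '^[[:space:]]*profile[[:space:]]*=' "$1"/*.tf 2>/dev/null \
    | sed -E 's/.*=[[:space:]]*"([^"]*)".*/\1/' | sort -u
}

# Count provider "aws" blocks (default and aliased) under a directory.
tf_aws_provider_blocks() {
  cat "$1"/*.tf 2>/dev/null | grep -c -E '^[[:space:]]*provider[[:space:]]+"aws"'
}

# Return 0 when the profile yields an STS identity. AWS_EC2_METADATA_DISABLED is
# a standard AWS SDK/CLI setting; with it the CLI never falls back to IMDS, so an
# expired SSO token fails immediately rather than after the IMDS timeout.
profile_ok() {
  AWS_EC2_METADATA_DISABLED=true aws sts get-caller-identity --profile "$1" >/dev/null 2>&1
}

# preflight <dir>: warn about provider blocks with no profile, then verify each
# named profile. Exits non-zero on the first profile without valid credentials.
preflight() {
  dir="$1"
  blocks=$(tf_aws_provider_blocks "$dir")
  profiles=$(tf_profiles "$dir")
  n=$(printf '%s\n' "$profiles" | grep -c .)
  [ "$blocks" -eq "$n" ] || \
    echo "warning: $blocks provider \"aws\" block(s) but only $n set profile" >&2
  for p in $profiles; do
    profile_ok "$p" || {
      echo "profile '$p' has no valid credentials (try: aws sso login --profile $p)" >&2
      return 1
    }
  done
}

# Constructed sample: a default provider that names a profile and an aliased
# provider that does not, so preflight would warn about the mismatch.
sample=$(mktemp -d)
cat > "$sample/main.tf" <<'EOF'
provider "aws" {
  profile = "root-acc"
}
EOF
cat > "$sample/s3.tf" <<'EOF'
provider "aws" {
  alias  = "west"
  region = "us-west-2"
}
EOF
```

Run it in the root module with `preflight . && terraform plan`; the warning names how many provider blocks fall back to the default credential chain.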

justinretzolk commented 7 months ago

That latest error looks a bit like #35693, so making the link between those. I don't have any further questions at this point, so I'll defer to whoever picks this one up for those.