Expected Behavior
Provider is able to use the environment variable AWS_WEB_IDENTITY_TOKEN_FILE to obtain the path to a file containing a JWT token.
Actual Behavior
The provider does not use the environment variable and errors out due to a validation failure.
Relevant Error/Panic Output Snippet
│ Error: Invalid combination of arguments
│
│ with provider["registry.terraform.io/hashicorp/aws"],
│ on provider.tf line 38, in provider "aws":
│ 38: assume_role_with_web_identity {
│
│ "assume_role_with_web_identity.0.web_identity_token_file": one of
│ `assume_role_with_web_identity.0.web_identity_token,assume_role_with_web_identity.0.web_identity_token_file`
│ must be specified
╵
Steps to Reproduce
1. Create a role in AWS with a trust policy allowing a web identity to assume the role.
2. Obtain an identity token for the web identity permitted by the trust policy and store it in a file.
3. Set the environment variable AWS_WEB_IDENTITY_TOKEN_FILE to the path of that file.
4. Configure the aws provider with the assume_role_with_web_identity block and provide the ARN of the role created earlier as role_arn inside that block.
5. Attempt a terraform operation (such as a plan) that would authenticate to AWS.
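The following provider configuration is an added illustration of the steps above; it is not the reporter's own configuration (the issue's "Example affected configuration" section is empty on this page). The role ARN, region and token path are placeholders. The first provider block is the shape described in the report (only role_arn given, token location left to AWS_WEB_IDENTITY_TOKEN_FILE); the second, aliased only so both can sit in one file, names web_identity_token_file explicitly, which is the condition the quoted validation error asks for.

```hcl
# Added example, not the reporter's configuration.
# Placeholders: role ARN, region, and the token file path.
# The token file is the one written in step 2; it holds a bearer
# credential, so keep it readable only by the user running terraform.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.48.0" # provider version the report was filed against
    }
  }
}

# Configuration as described in the report: role_arn only, with the
# token path expected to come from AWS_WEB_IDENTITY_TOKEN_FILE.
# On 5.48.0 this is rejected at validation ("one of
# web_identity_token, web_identity_token_file must be specified")
# before any STS call is attempted.
provider "aws" {
  region = "us-east-1" # placeholder

  assume_role_with_web_identity {
    role_arn = "arn:aws:iam::123456789012:role/PLACEHOLDER-web-identity-role"
  }
}

# Same role, but the token file path is stated in the block itself.
# This satisfies the "one of" check quoted in the error, at the cost of
# duplicating the value the environment variable already carries.
provider "aws" {
  alias  = "explicit_token_file"
  region = "us-east-1" # placeholder

  assume_role_with_web_identity {
    role_arn                = "arn:aws:iam::123456789012:role/PLACEHOLDER-web-identity-role"
    web_identity_token_file = "/path/to/web-identity-token" # placeholder; same path as AWS_WEB_IDENTITY_TOKEN_FILE
  }
}
```

With AWS_WEB_IDENTITY_TOKEN_FILE exported and only the first block present, terraform plan produces the "Invalid combination of arguments" error shown above; the second block passes that particular validation because one of the two listed attributes is set.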
Terraform Core Version
1.8.3
AWS Provider Version
5.48.0
Affected Resource(s)
Provider configuration
Terraform Configuration Files
Example affected configuration:
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
Per https://registry.terraform.io/providers/hashicorp/aws/latest/docs#assume-role-with-web-identity-configuration-reference, the environment variable AWS_WEB_IDENTITY_TOKEN_FILE can be set to provide the path to a file containing the identity token.
The validation code at https://github.com/hashicorp/terraform-provider-aws/blob/fbad5d3b00f58789b2b70fc6188ea240f1191e49/internal/provider/provider.go#L718 requires that EITHER web_identity_token OR web_identity_token_file be set as part of the provider configuration.
Would you like to implement a fix?
None