hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_caller_identity data source fails when using STS credentials #386

Open hashibot opened 7 years ago

hashibot commented 7 years ago

This issue was originally opened by @devinsba as hashicorp/terraform#10226. It was migrated here as part of the provider split. The original body of the issue is below.


Terraform Version

Terraform v0.7.10

Affected Resource(s)

Terraform Configuration Files

data "aws_caller_identity" "current" { }

output "account_id" {
  value = "${data.aws_caller_identity.current.account_id}"
}

Debug Output

2016/11/18 14:26:31 [DEBUG] plugin: terraform: -----------------------------------------------------
2016/11/18 14:26:31 [DEBUG] plugin: terraform: aws-provider (internal) 2016/11/18 14:26:31 [DEBUG] [aws-sdk-go] DEBUG: Response iam/GetUser Details:
2016/11/18 14:26:31 [DEBUG] plugin: terraform: ---[ RESPONSE ]--------------------------------------
2016/11/18 14:26:31 [DEBUG] plugin: terraform: HTTP/1.1 403 Forbidden
2016/11/18 14:26:31 [DEBUG] plugin: terraform: Connection: close
2016/11/18 14:26:31 [DEBUG] plugin: terraform: Content-Length: 305
2016/11/18 14:26:31 [DEBUG] plugin: terraform: Content-Type: text/xml
2016/11/18 14:26:31 [DEBUG] plugin: terraform: Date: Fri, 18 Nov 2016 19:26:31 GMT
2016/11/18 14:26:31 [DEBUG] plugin: terraform: X-Amzn-Requestid: e9110237-adc4-11e6-92e0-8b00d85af153
2016/11/18 14:26:31 [DEBUG] plugin: terraform:
2016/11/18 14:26:31 [DEBUG] plugin: terraform: <ErrorResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
2016/11/18 14:26:31 [DEBUG] plugin: terraform:   <Error>
2016/11/18 14:26:31 [DEBUG] plugin: terraform:     <Type>Sender</Type>
2016/11/18 14:26:31 [DEBUG] plugin: terraform:     <Code>InvalidClientTokenId</Code>
2016/11/18 14:26:31 [DEBUG] plugin: terraform:     <Message>The security token included in the request is invalid</Message>
2016/11/18 14:26:31 [DEBUG] plugin: terraform:   </Error>
2016/11/18 14:26:31 [DEBUG] plugin: terraform:   <RequestId>e9110237-adc4-11e6-92e0-8b00d85af153</RequestId>
2016/11/18 14:26:31 [DEBUG] plugin: terraform: </ErrorResponse>
2016/11/18 14:26:31 [DEBUG] plugin: terraform:
2016/11/18 14:26:31 [DEBUG] plugin: terraform: -----------------------------------------------------

Important Factoids

We have some tight ACLs, wondering if there's a way to get this without access to the IAM endpoints.

bflad commented 6 years ago

The current provider initialization process almost always reaches out to STS/IAM to try to determine the current account ID since there is no way to determine it from the credentials themselves (unless it's something like an assume role ARN in the provider configuration). We provide a provider configuration to skip this fetch, however there are a lot of resources that require this account ID to already be configured in the provider for manually building ARN attributes that the AWS API does not return.

There are definitely varying use cases when dealing with multiple AWS accounts for which aws_caller_identity might be extraneous with its extra STS API call. Could you explain your use cases here so we have a better sense of how to help?

That said, I have some ideas here from when I was working with multiple AWS accounts myself that could be implemented in the provider to help for these situations:

In the end, it's likely the second option above that would provide the best user experience since it offers the value easily for downstream resources/modules. Feedback would be appreciated. 😄

simonvanderveldt commented 6 years ago

@bflad I was looking for the proper way to get the AWS account ID as well, in this case we're using assume_role and I want the account id matching with the assumed role. To me a data source sounds like the most obvious way to get this info.

Also, I'm not sure if it wouldn't already be possible to get this from https://www.terraform.io/docs/providers/aws/d/caller_identity.html, haven't tried which account ID it returns.

github-actions[bot] commented 4 years ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

simonvanderveldt commented 4 years ago

Don't think this has been fixed/addressed yet?

vkoukoutsas commented 4 years ago

Facing the same issue. Is there a workaround for this or a way to hard code the account id?

github-actions[bot] commented 2 years ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

oniGino commented 2 years ago

We are having this same issue here, please fix aws_caller_identity.

dimisjim commented 2 years ago

Looks related to https://github.com/hashicorp/terraform-provider-aws/issues/26043

EDIT: found a workaround by doing:

# The external program must print a flat JSON object of strings on stdout;
# `aws sts get-caller-identity` does exactly that (UserId, Account, Arn).
data "external" "get-caller-identity" {
  program = ["aws", "sts", "get-caller-identity"]
}

locals {
  # Each key of the JSON output is exposed under `result`.
  callerArn = data.external.get-caller-identity.result.Arn
}
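Two points in this thread share one example below: bflad's note that the account ID is recoverable from an assume-role ARN without any IAM call, and the `aws sts get-caller-identity` workaround above, whose JSON output can be validated before Terraform consumes it. This is an added illustration, not provider code; the ARN pattern, function names and the sample response are constructed here.

```python
"""Derive and cross-check the AWS account ID from an IAM/STS principal ARN or a
GetCallerIdentity response, without calling IAM. Added example; sample data is
constructed and does not refer to a real account."""
import json
import re

# Principal ARN shapes: IAM user/role/root and STS assumed-role sessions.
# The partition group also admits aws-cn and aws-us-gov.
ARN_RE = re.compile(
    r"^arn:(?P<partition>aws[\w-]*):(?P<service>iam|sts)::(?P<account>\d{12}):"
    r"(?P<resource>.+)$"
)


def account_id_from_arn(arn: str) -> str:
    """Return the 12-digit account ID embedded in an IAM/STS principal ARN.

    Works for 'arn:aws:iam::123456789012:role/Deploy' (an assume_role target)
    and 'arn:aws:sts::123456789012:assumed-role/Deploy/session' (caller identity).
    """
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM/STS principal ARN: {arn!r}")
    return m.group("account")


def caller_identity_result(raw_json: str) -> dict:
    """Parse `aws sts get-caller-identity` output into the flat string map that
    Terraform's `external` data source expects, and cross-check the Account
    field against the ARN so a garbled or mismatched response fails loudly."""
    doc = json.loads(raw_json)
    account, arn = doc["Account"], doc["Arn"]
    if account != account_id_from_arn(arn):
        raise ValueError(f"Account {account} does not match ARN {arn}")
    return {"account_id": account, "arn": arn, "user_id": doc["UserId"]}


# Constructed sample response in the shape the AWS CLI prints.
SAMPLE = json.dumps({
    "UserId": "AROAEXAMPLEID:terraform",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/Deploy/terraform",
})

if __name__ == "__main__":
    # As an `external` program you would feed the real CLI output here instead.
    print(json.dumps(caller_identity_result(SAMPLE)))
```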