hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: STS within a session to me-central-1 causing STS error. #38607

Closed tomelliot16 closed 1 month ago

tomelliot16 commented 1 month ago

Terraform Core Version

1.9.3

AWS Provider Version

5.60.0

Affected Resource(s)

Seems like https://github.com/hashicorp/terraform-provider-aws/issues/28909 didn't fix the issue 100%, unless I'm misreading. This region has been enabled in the AWS account, so I don't see why this is breaking. This might also be an AWS issue with the STS regional endpoint, but I was able, with the same assumed role, to get into the console within AWS. This works with any other region.

Expected Behavior

The region is able to be accessed with terraform.

Actual Behavior

It failed with an assume-role error.

Relevant Error/Panic Output Snippet

➤  terraform init
Initializing the backend...
Initializing provider plugins...
- Finding latest version of hashicorp/aws...
- Installing hashicorp/aws v5.60.0...
- Installed hashicorp/aws v5.60.0 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
➤  terraform apply
╷
│ Error: Retrieving AWS account details: validating provider credentials: retrieving caller identity from STS: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: bc9f32ae-c5f2-4aad-ad19-b0c2a6bd8972, api error InvalidClientTokenId: The security token included in the request is invalid
│
│   with provider["registry.terraform.io/hashicorp/aws"],
│   on main.tf line 1, in provider "aws":
│    1: provider "aws" {
│
╵

Terraform Configuration Files

provider "aws" {
  region  = "me-central-1"
}

data "aws_caller_identity" "test" {
}

Steps to Reproduce

Debug Output

2024-07-30T19:21:35.734-0400 [INFO]  Terraform version: 1.9.3
2024-07-30T19:21:35.735-0400 [DEBUG] using github.com/hashicorp/go-tfe v1.51.0
2024-07-30T19:21:35.735-0400 [DEBUG] using github.com/hashicorp/hcl/v2 v2.20.0
2024-07-30T19:21:35.735-0400 [DEBUG] using github.com/hashicorp/terraform-svchost v0.1.1
2024-07-30T19:21:35.735-0400 [DEBUG] using github.com/zclconf/go-cty v1.14.4
2024-07-30T19:21:35.735-0400 [INFO]  Go runtime version: go1.22.5
2024-07-30T19:21:35.735-0400 [INFO]  CLI args: []string{"/usr/local/Cellar/tfenv/2.2.2/versions/1.9.3/terraform", "apply"}
2024-07-30T19:21:35.735-0400 [DEBUG] Attempting to open CLI config file: /Users/tom.elliot/.terraformrc
2024-07-30T19:21:35.735-0400 [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2024-07-30T19:21:35.735-0400 [DEBUG] ignoring non-existing provider search directory terraform.d/plugins
2024-07-30T19:21:35.735-0400 [DEBUG] ignoring non-existing provider search directory /Users/tom.elliot/.terraform.d/plugins
2024-07-30T19:21:35.735-0400 [DEBUG] ignoring non-existing provider search directory /Users/tom.elliot/Library/Application Support/io.terraform/plugins
2024-07-30T19:21:35.735-0400 [DEBUG] ignoring non-existing provider search directory /Library/Application Support/io.terraform/plugins
2024-07-30T19:21:35.735-0400 [INFO]  CLI command args: []string{"apply"}
2024-07-30T19:21:36.990-0400 [DEBUG] checking for provisioner in "."
2024-07-30T19:21:36.990-0400 [DEBUG] checking for provisioner in "/usr/local/Cellar/tfenv/2.2.2/versions/1.9.3"
2024-07-30T19:21:36.990-0400 [INFO]  backend/local: starting Apply operation
2024-07-30T19:21:36.995-0400 [DEBUG] created provider logger: level=debug
2024-07-30T19:21:36.995-0400 [INFO]  provider: configuring client automatic mTLS
2024-07-30T19:21:37.006-0400 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.60.0/darwin_amd64/terraform-provider-aws_v5.60.0_x5 args=[".terraform/providers/registry.terraform.io/hashicorp/aws/5.60.0/darwin_amd64/terraform-provider-aws_v5.60.0_x5"]
2024-07-30T19:21:37.056-0400 [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.60.0/darwin_amd64/terraform-provider-aws_v5.60.0_x5 pid=90333
2024-07-30T19:21:37.057-0400 [DEBUG] provider: waiting for RPC address: plugin=.terraform/providers/registry.terraform.io/hashicorp/aws/5.60.0/darwin_amd64/terraform-provider-aws_v5.60.0_x5
2024-07-30T19:21:37.331-0400 [INFO]  provider.terraform-provider-aws_v5.60.0_x5: configuring server automatic mTLS: timestamp=2024-07-30T19:21:37.331-0400
2024-07-30T19:21:37.343-0400 [DEBUG] provider.terraform-provider-aws_v5.60.0_x5: plugin address: address=/var/folders/gg/w223zx_x3y76x65fk8mytgy40000gp/T/plugin2023798273 network=unix timestamp=2024-07-30T19:21:37.342-0400
2024-07-30T19:21:37.343-0400 [DEBUG] provider: using plugin: version=5
2024-07-30T19:21:37.973-0400 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2024-07-30T19:21:37.985-0400 [INFO]  provider: plugin process exited: plugin=.terraform/providers/registry.terraform.io/hashicorp/aws/5.60.0/darwin_amd64/terraform-provider-aws_v5.60.0_x5 id=90333
2024-07-30T19:21:37.985-0400 [DEBUG] provider: plugin exited
2024-07-30T19:21:37.985-0400 [DEBUG] Building and walking validate graph
2024-07-30T19:21:37.985-0400 [DEBUG] ProviderTransformer: "data.aws_caller_identity.test" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/hashicorp/aws"]
2024-07-30T19:21:37.986-0400 [DEBUG] ReferenceTransformer: "data.aws_caller_identity.test" references: []
2024-07-30T19:21:37.986-0400 [DEBUG] ReferenceTransformer: "provider[\"registry.terraform.io/hashicorp/aws\"]" references: []
2024-07-30T19:21:37.986-0400 [DEBUG] Starting graph walk: walkValidate
2024-07-30T19:21:37.986-0400 [DEBUG] created provider logger: level=debug
2024-07-30T19:21:37.986-0400 [INFO]  provider: configuring client automatic mTLS
2024-07-30T19:21:37.990-0400 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.60.0/darwin_amd64/terraform-provider-aws_v5.60.0_x5 args=[".terraform/providers/registry.terraform.io/hashicorp/aws/5.60.0/darwin_amd64/terraform-provider-aws_v5.60.0_x5"]
2024-07-30T19:21:38.037-0400 [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.60.0/darwin_amd64/terraform-provider-aws_v5.60.0_x5 pid=90349
2024-07-30T19:21:38.038-0400 [DEBUG] provider: waiting for RPC address: plugin=.terraform/providers/registry.terraform.io/hashicorp/aws/5.60.0/darwin_amd64/terraform-provider-aws_v5.60.0_x5
2024-07-30T19:21:38.290-0400 [INFO]  provider.terraform-provider-aws_v5.60.0_x5: configuring server automatic mTLS: timestamp=2024-07-30T19:21:38.290-0400
2024-07-30T19:21:38.299-0400 [DEBUG] provider: using plugin: version=5
2024-07-30T19:21:38.299-0400 [DEBUG] provider.terraform-provider-aws_v5.60.0_x5: plugin address: address=/var/folders/gg/w223zx_x3y76x65fk8mytgy40000gp/T/plugin3709721484 network=unix timestamp=2024-07-30T19:21:38.299-0400
2024-07-30T19:21:38.404-0400 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2024-07-30T19:21:38.414-0400 [INFO]  provider: plugin process exited: plugin=.terraform/providers/registry.terraform.io/hashicorp/aws/5.60.0/darwin_amd64/terraform-provider-aws_v5.60.0_x5 id=90349
2024-07-30T19:21:38.414-0400 [DEBUG] provider: plugin exited
2024-07-30T19:21:38.414-0400 [INFO]  backend/local: apply calling Plan
2024-07-30T19:21:38.414-0400 [DEBUG] Building and walking plan graph for NormalMode
2024-07-30T19:21:38.415-0400 [DEBUG] ProviderTransformer: "data.aws_caller_identity.test (expand)" (*terraform.nodeExpandPlannableResource) needs provider["registry.terraform.io/hashicorp/aws"]
2024-07-30T19:21:38.415-0400 [DEBUG] ReferenceTransformer: "data.aws_caller_identity.test (expand)" references: []
2024-07-30T19:21:38.415-0400 [DEBUG] ReferenceTransformer: "provider[\"registry.terraform.io/hashicorp/aws\"]" references: []
2024-07-30T19:21:38.415-0400 [DEBUG] Starting graph walk: walkPlan
2024-07-30T19:21:38.415-0400 [DEBUG] created provider logger: level=debug
2024-07-30T19:21:38.415-0400 [INFO]  provider: configuring client automatic mTLS
2024-07-30T19:21:38.420-0400 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.60.0/darwin_amd64/terraform-provider-aws_v5.60.0_x5 args=[".terraform/providers/registry.terraform.io/hashicorp/aws/5.60.0/darwin_amd64/terraform-provider-aws_v5.60.0_x5"]
2024-07-30T19:21:38.469-0400 [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.60.0/darwin_amd64/terraform-provider-aws_v5.60.0_x5 pid=90354
2024-07-30T19:21:38.469-0400 [DEBUG] provider: waiting for RPC address: plugin=.terraform/providers/registry.terraform.io/hashicorp/aws/5.60.0/darwin_amd64/terraform-provider-aws_v5.60.0_x5
2024-07-30T19:21:38.727-0400 [INFO]  provider.terraform-provider-aws_v5.60.0_x5: configuring server automatic mTLS: timestamp=2024-07-30T19:21:38.727-0400
2024-07-30T19:21:38.738-0400 [DEBUG] provider: using plugin: version=5
2024-07-30T19:21:38.738-0400 [DEBUG] provider.terraform-provider-aws_v5.60.0_x5: plugin address: address=/var/folders/gg/w223zx_x3y76x65fk8mytgy40000gp/T/plugin1779588742 network=unix timestamp=2024-07-30T19:21:38.738-0400
2024-07-30T19:21:38.836-0400 [DEBUG] provider.terraform-provider-aws_v5.60.0_x5: Configuring Terraform AWS Provider: @caller=github.com/hashicorp/terraform-provider-aws/internal/conns/config.go:147 @module=aws tf_mux_provider="*schema.GRPCProviderServer" tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=af78a387-f469-39e3-2647-a3ef2a3b1655 tf_rpc=ConfigureProvider timestamp=2024-07-30T19:21:38.836-0400
2024-07-30T19:21:38.836-0400 [DEBUG] provider.terraform-provider-aws_v5.60.0_x5: Resolving credentials provider: tf_mux_provider="*schema.GRPCProviderServer" tf_rpc=ConfigureProvider @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.54/logging/tf_logger.go:47 @module=aws.aws-base tf_req_id=af78a387-f469-39e3-2647-a3ef2a3b1655 tf_provider_addr=registry.terraform.io/hashicorp/aws timestamp=2024-07-30T19:21:38.836-0400
2024-07-30T19:21:38.836-0400 [DEBUG] provider.terraform-provider-aws_v5.60.0_x5: Loading configuration: tf_mux_provider="*schema.GRPCProviderServer" tf_req_id=af78a387-f469-39e3-2647-a3ef2a3b1655 tf_rpc=ConfigureProvider tf_provider_addr=registry.terraform.io/hashicorp/aws @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.54/logging/tf_logger.go:47 @module=aws.aws-base timestamp=2024-07-30T19:21:38.836-0400
2024-07-30T19:21:38.839-0400 [DEBUG] provider.terraform-provider-aws_v5.60.0_x5: Retrieving credentials: @module=aws.aws-base tf_mux_provider="*schema.GRPCProviderServer" tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=af78a387-f469-39e3-2647-a3ef2a3b1655 tf_rpc=ConfigureProvider @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.54/logging/tf_logger.go:47 timestamp=2024-07-30T19:21:38.839-0400
2024-07-30T19:21:38.839-0400 [INFO]  provider.terraform-provider-aws_v5.60.0_x5: Retrieved credentials: tf_mux_provider="*schema.GRPCProviderServer" @module=aws.aws-base tf_aws.credentials_source=EnvConfigCredentials tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=af78a387-f469-39e3-2647-a3ef2a3b1655 tf_rpc=ConfigureProvider @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.54/logging/tf_logger.go:39 timestamp=2024-07-30T19:21:38.839-0400
2024-07-30T19:21:38.839-0400 [DEBUG] provider.terraform-provider-aws_v5.60.0_x5: Loading configuration: tf_rpc=ConfigureProvider @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.54/logging/tf_logger.go:47 @module=aws.aws-base tf_mux_provider="*schema.GRPCProviderServer" tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=af78a387-f469-39e3-2647-a3ef2a3b1655 timestamp=2024-07-30T19:21:38.839-0400
2024-07-30T19:21:38.839-0400 [DEBUG] provider.terraform-provider-aws_v5.60.0_x5: Creating AWS SDK v1 session: tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ConfigureProvider @caller=github.com/hashicorp/terraform-provider-aws/internal/conns/config.go:171 @module=aws tf_mux_provider="*schema.GRPCProviderServer" tf_req_id=af78a387-f469-39e3-2647-a3ef2a3b1655 timestamp=2024-07-30T19:21:38.839-0400
2024-07-30T19:21:38.840-0400 [DEBUG] provider.terraform-provider-aws_v5.60.0_x5: Retrieving AWS account details: @caller=github.com/hashicorp/terraform-provider-aws/internal/conns/config.go:186 @module=aws tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ConfigureProvider tf_mux_provider="*schema.GRPCProviderServer" tf_req_id=af78a387-f469-39e3-2647-a3ef2a3b1655 timestamp=2024-07-30T19:21:38.840-0400
2024-07-30T19:21:38.840-0400 [DEBUG] provider.terraform-provider-aws_v5.60.0_x5: Retrieving caller identity from STS: @module=aws.aws-base tf_mux_provider="*schema.GRPCProviderServer" tf_req_id=af78a387-f469-39e3-2647-a3ef2a3b1655 @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.54/logging/tf_logger.go:47 tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ConfigureProvider timestamp=2024-07-30T19:21:38.840-0400
2024-07-30T19:21:38.841-0400 [DEBUG] provider.terraform-provider-aws_v5.60.0_x5: HTTP Request Sent: rpc.system=aws-api tf_provider_addr=registry.terraform.io/hashicorp/aws rpc.method=GetCallerIdentity tf_aws.sdk=aws-sdk-go-v2 tf_req_id=af78a387-f469-39e3-2647-a3ef2a3b1655 aws.region=me-central-1 http.method=POST http.request.header.authorization="AWS4-HMAC-SHA256 Credential=ASIA************O7YR/20240730/me-central-1/sts/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date;x-amz-security-token, Signature=*****" http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.9.3 (+https://www.terraform.io) terraform-provider-aws/5.60.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go-v2/1.30.3 os/macos lang/go#1.22.5 md/GOOS#darwin md/GOARCH#amd64 api/sts#1.30.3" tf_rpc=ConfigureProvider
  http.request.body=
  | Action=GetCallerIdentity&Version=2011-06-15
   http.request.header.x_amz_date=20240730T232138Z http.request.header.x_amz_security_token="*****" http.url=https://sts.me-central-1.amazonaws.com/ http.request.header.content_type=application/x-www-form-urlencoded http.request_content_length=43 net.peer.name=sts.me-central-1.amazonaws.com tf_mux_provider="*schema.GRPCProviderServer" http.request.header.amz_sdk_request="attempt=1; max=25" @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.54/logging/tf_logger.go:47 @module=aws.aws-base http.request.header.amz_sdk_invocation_id=ac0e927e-7e53-4dc1-a5fb-7cc0f7bfcfdc rpc.service=STS tf_aws.signing_region="" timestamp=2024-07-30T19:21:38.841-0400
2024-07-30T19:21:39.727-0400 [DEBUG] provider.terraform-provider-aws_v5.60.0_x5: HTTP Response Received: @module=aws.aws-base aws.region=me-central-1
  http.response.body=
  | <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  |   <Error>
  |     <Type>Sender</Type>
  |     <Code>InvalidClientTokenId</Code>
  |     <Message>The security token included in the request is invalid</Message>
  |   </Error>
  |   <RequestId>5ec86bdf-08d2-4b9b-b7bf-5d4089165aea</RequestId>
  | </ErrorResponse>
   http.response.header.date="Tue, 30 Jul 2024 23:21:39 GMT" rpc.system=aws-api tf_aws.sdk=aws-sdk-go-v2 tf_aws.signing_region="" http.duration=885 http.response.header.content_type=text/xml http.response_content_length=305 tf_req_id=af78a387-f469-39e3-2647-a3ef2a3b1655 http.response.header.x_amzn_requestid=5ec86bdf-08d2-4b9b-b7bf-5d4089165aea rpc.method=GetCallerIdentity tf_mux_provider="*schema.GRPCProviderServer" @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.54/logging/tf_logger.go:47 http.status_code=403 rpc.service=STS tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ConfigureProvider timestamp=2024-07-30T19:21:39.727-0400
2024-07-30T19:21:39.727-0400 [DEBUG] provider.terraform-provider-aws_v5.60.0_x5: request failed with unretryable error https response error StatusCode: 403, RequestID: 5ec86bdf-08d2-4b9b-b7bf-5d4089165aea, api error InvalidClientTokenId: The security token included in the request is invalid: @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.54/logging/tf_logger.go:47 rpc.method=GetCallerIdentity rpc.system=aws-api tf_provider_addr=registry.terraform.io/hashicorp/aws aws.region=me-central-1 @module=aws.aws-base rpc.service=STS tf_mux_provider="*schema.GRPCProviderServer" tf_req_id=af78a387-f469-39e3-2647-a3ef2a3b1655 tf_aws.sdk=aws-sdk-go-v2 tf_rpc=ConfigureProvider timestamp=2024-07-30T19:21:39.727-0400
2024-07-30T19:21:39.727-0400 [DEBUG] provider.terraform-provider-aws_v5.60.0_x5: Unable to retrieve caller identity from STS: @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.54/logging/tf_logger.go:47 @module=aws.aws-base error="operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: 5ec86bdf-08d2-4b9b-b7bf-5d4089165aea, api error InvalidClientTokenId: The security token included in the request is invalid" tf_provider_addr=registry.terraform.io/hashicorp/aws tf_mux_provider="*schema.GRPCProviderServer" tf_req_id=af78a387-f469-39e3-2647-a3ef2a3b1655 tf_rpc=ConfigureProvider timestamp=2024-07-30T19:21:39.727-0400
2024-07-30T19:21:39.727-0400 [ERROR] provider.terraform-provider-aws_v5.60.0_x5: Response contains error diagnostic: @caller=github.com/hashicorp/terraform-plugin-go@v0.23.0/tfprotov5/internal/diag/diagnostics.go:58 diagnostic_severity=ERROR tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=af78a387-f469-39e3-2647-a3ef2a3b1655 @module=sdk.proto diagnostic_detail="" diagnostic_summary="Retrieving AWS account details: validating provider credentials: retrieving caller identity from STS: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: 5ec86bdf-08d2-4b9b-b7bf-5d4089165aea, api error InvalidClientTokenId: The security token included in the request is invalid" tf_proto_version=5.6 tf_rpc=Configure timestamp=2024-07-30T19:21:39.727-0400
2024-07-30T19:21:39.728-0400 [ERROR] vertex "provider[\"registry.terraform.io/hashicorp/aws\"]" error: Retrieving AWS account details: validating provider credentials: retrieving caller identity from STS: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: 5ec86bdf-08d2-4b9b-b7bf-5d4089165aea, api error InvalidClientTokenId: The security token included in the request is invalid
2024-07-30T19:21:39.728-0400 [WARN]  Planning encountered errors, so plan is not applyable
╷
│ Error: Retrieving AWS account details: validating provider credentials: retrieving caller identity from STS: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: 5ec86bdf-08d2-4b9b-b7bf-5d4089165aea, api error InvalidClientTokenId: The security token included in the request is invalid
│
│   with provider["registry.terraform.io/hashicorp/aws"],
│   on main.tf line 1, in provider "aws":
│    1: provider "aws" {
│
╵
2024-07-30T19:21:39.730-0400 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2024-07-30T19:21:39.742-0400 [INFO]  provider: plugin process exited: plugin=.terraform/providers/registry.terraform.io/hashicorp/aws/5.60.0/darwin_amd64/terraform-provider-aws_v5.60.0_x5 id=90354
2024-07-30T19:21:39.742-0400 [DEBUG] provider: plugin exited

Panic Output

No response

Important Factoids

I am using a central AWS account that I MFA with. I run a command locally called assume-role (assume-role $PROFILE zsh); this puts the Terraform account I'm assuming into my session environment, like:

 ➤  env | grep AWS
AWS_ACCESS_KEY_ID=HIDDEN
AWS_SECRET_ACCESS_KEY=HIDDEN
AWS_SESSION_TOKEN=HIDDEN
AWS_SECURITY_TOKEN=HIDDEN

The role I'm assuming into is an admin role so there are no limitations there.

References

No response

Would you like to implement a fix?

None

tomelliot16 commented 1 month ago

I reached out to AWS support and it might be account setup where the source account needs that region enabled. I'm going to try that and will close if that is the issue.

justinretzolk commented 1 month ago

Hey @tomelliot16 👋 Thank you for taking the time to raise this, and for the follow up! We'll wait to hear back, but with it being a 403 error, I think you're on the right track looking more at the credentials/AWS side of things.

As a troubleshooting step, I often like to try issuing a similar command from the AWS CLI (in this case get-caller-identity) to see if I can reproduce outside of Terraform. That may be worth testing as well.

tomelliot16 commented 1 month ago

@justinretzolk So it looks like this is an issue with the STS token being version 1 and not version 2, which is supported in all regions including new ones. Thanks for the quick response. If anyone hits this for new regions, tell them to just set the STS token version to 2 within the account.
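
The debug output above shows why this looks like a bad credential rather than a region problem: the request is signed with scope 20240730/me-central-1/sts and sent to sts.me-central-1.amazonaws.com, and a session token minted by the global STS endpoint with the account still on version 1 is only valid in default-enabled regions, so the regional endpoint in an opt-in region answers InvalidClientTokenId. The script below is an added example, not code from this issue or from the provider; it covers both the troubleshooting step suggested earlier (reproducing GetCallerIdentity with the AWS CLI outside Terraform) and the resolution (moving the account to v2 tokens). The AWS CLI commands are real; the JSON replies are constructed samples, the helper function names are hypothetical, and running the fix in the central account that mints the session follows the reporter's follow-up rather than anything the thread states precisely.

```shell
#!/bin/sh
# Hypothetical helper (added example, not from the issue or the provider).
# Decides whether an account still issues v1 global-endpoint STS tokens, which
# regional STS endpoints in opt-in regions such as me-central-1 reject, and
# shows the AWS CLI calls to inspect and change the setting.

# Extract GlobalEndpointTokenVersion from the JSON of `aws iam get-account-summary`.
# 1 = v1 tokens (fail in opt-in regions), 2 = v2 tokens (valid everywhere).
# Plain tr/sed so the parsing runs offline on constructed input.
sts_token_version() {
  printf '%s\n' "$1" | tr -d ' \n' \
    | sed -n 's/.*"GlobalEndpointTokenVersion":\([0-9]\).*/\1/p'
}

# Succeeds (exit 0) when the account must be switched to v2 tokens.
needs_v2_upgrade() {
  _v=$(sts_token_version "$1")
  [ "$_v" = "1" ]
}

# Constructed samples of the relevant part of a get-account-summary reply.
SAMPLE_V1='{ "SummaryMap": { "GlobalEndpointTokenVersion": 1, "AccountMFAEnabled": 1 } }'
SAMPLE_V2='{ "SummaryMap": { "GlobalEndpointTokenVersion": 2, "AccountMFAEnabled": 1 } }'

# Live check and fix; needs real credentials, so it only runs with the "live" argument.
live_check_and_fix() {
  region=${1:-me-central-1}
  # 1. Same session, default-enabled region: should succeed.
  aws sts get-caller-identity --region us-east-1
  # 2. Same session, opt-in region: the InvalidClientTokenId from the issue shows up here.
  aws sts get-caller-identity --region "$region" \
    || echo "regional STS in $region rejected the session token"
  # 3. Read the account-wide token version setting.
  summary=$(aws iam get-account-summary --output json)
  if needs_v2_upgrade "$summary"; then
    # 4. Switch the account to v2 tokens, then re-run the assume-role step so a
    #    fresh session token is minted (existing v1 tokens are not upgraded).
    aws iam set-security-token-service-preferences \
      --global-endpoint-token-version v2Token
    echo "account switched to v2Token; re-assume the role and retry terraform"
  else
    echo "account already issues v2 tokens; look elsewhere (role trust, region opt-in)"
  fi
}

if [ "${1:-}" = "live" ]; then
  live_check_and_fix "${2:-}"
else
  # Offline demonstration on the constructed samples.
  for s in "$SAMPLE_V1" "$SAMPLE_V2"; do
    if needs_v2_upgrade "$s"; then
      echo "version $(sts_token_version "$s"): needs v2Token"
    else
      echo "version $(sts_token_version "$s"): ok"
    fi
  done
fi
```

An account-wide change is not the only way out: if the initial assume-role call is made against a regional STS endpoint instead of the global one (for the CLI and SDKs, AWS_STS_REGIONAL_ENDPOINTS=regional or sts_regional_endpoints = regional in the profile), the resulting session token is already valid in every region, including opt-in ones, without touching the IAM setting.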

github-actions[bot] commented 1 month ago

[!WARNING] This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

github-actions[bot] commented 1 week ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.