hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Error: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, exceeded maximum number of attempts, 3, request send failed #39003

Open mq3274 opened 2 months ago

mq3274 commented 2 months ago

Terraform Core Version

1.9.3

AWS Provider Version

5.64.0

Affected Resource(s)

No response

Expected Behavior

Error: No valid credential sources found

Actual Behavior

Error: No valid credential sources found

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.64.0"
    }
  }

  backend "s3" {
    bucket = "my_terra_bucket_001"
    key    = "key/terraform.tfstate"
    region = "ap-south-1"
  }
}

provider "aws" {
  region     = "ap-south-1"
  access_key = "*****************"
  secret_key = "***************************"
}

Steps to Reproduce

Suggest an idea to resolve this issue.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

justinretzolk commented 2 months ago

Hey @mq3274 👋 Thank you for taking the time to raise this! In my experience, this type of error message almost always comes from issues with the credentials supplied to the provider. Are you able to test the credentials with the aws CLI tool to verify they're working properly?

If the credentials are able to be validated, can you supply debug logs (redacted as needed) so that whoever picks this up has the necessary information in order to look into this?

GabeCharpentier commented 1 month ago

Hello, I am seeing this error too. In my case, I'm trying to use a saved credential profile with the AWS_PROFILE environment variable. AWS SDK and AWS CLI seem to be able to pick up the credentials just fine. Here are my terraform and provider blocks for reference:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "=5.65"
    }
  }

  backend "s3" {
    bucket         = "somebucket"
    region         = "us-east-1"
    dynamodb_table = "tf-lock"
    key            = "somefile.tfstate"
  }
}

provider "aws" {
  region = local.Region
  default_tags {
    tags = module.tags.tags
  }
}

Here is my redacted profile:

[profile my-profile]
sso_account_id=myAccountId
sso_region=us-east-1
sso_registration_scopes=sso:account:access
sso_role_name=myRoleName
sso_start_url=https://someid.awsapps.com/start/#

The error seems to suggest an attempt at refreshing the credentials. This is a bit perplexing given they are not expired when I run the command. I can view them in ~/.aws/sso/cache/<someId>.json.

Here is the full redacted error:

Error: No valid credential sources found
   │
   │ Please see https://www.terraform.io/docs/language/settings/backends/s3.html
   │ for more information about providing credentials.
   │
   │ Error: failed to refresh cached credentials, operation error SSO:
   │ GetRoleCredentials, exceeded maximum number of attempts, 3, https response
   │ error StatusCode: 0, RequestID: , request send failed, Get
   │ "https://portal.sso.us-east-1.amazonaws.com/federation/credentials?account_id=myAccountId&role_name=myRoleName":
   │ dial tcp: lookup portal.sso.us-east-1.amazonaws.com: getaddrinfow: A
   │ non-recoverable error occurred during a database lookup.

My platform is Windows 10.

Before attempting this I had been using environment variables to pass the key id, secret, and session token.
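
An added triage example, not part of the original thread or the provider's code: it parses the two error strings quoted on this page and reports which credential source failed and whether the failure happened at DNS, at the transport layer, or in a service response. The `triage` function and its `layer` labels are hypothetical names chosen for this example.

```python
import re

# Error text quoted from the last comment above, box-drawing characters stripped.
SSO_ERROR = """\
Error: failed to refresh cached credentials, operation error SSO:
GetRoleCredentials, exceeded maximum number of attempts, 3, https response
error StatusCode: 0, RequestID: , request send failed, Get
"https://portal.sso.us-east-1.amazonaws.com/federation/credentials?account_id=myAccountId&role_name=myRoleName":
dial tcp: lookup portal.sso.us-east-1.amazonaws.com: getaddrinfow: A
non-recoverable error occurred during a database lookup.
"""
# Error text from the issue title.
IMDS_ERROR = (
    "Error: failed to refresh cached credentials, no EC2 IMDS role found, "
    "operation error ec2imds: GetMetadata, exceeded maximum number of "
    "attempts, 3, request send failed"
)


def triage(error_text):
    """Return which credential source failed and at which layer (hypothetical labels)."""
    # Undo Terraform's line wrapping and drop any box-drawing prefix characters.
    text = " ".join(error_text.replace("│", " ").split())
    finding = {"service": None, "operation": None, "layer": "unknown", "host": None}

    op = re.search(r"operation error (\w+): ?(\w+)", text)
    if op:
        finding["service"], finding["operation"] = op.group(1), op.group(2)

    status = re.search(r"StatusCode: (\d+)", text)
    dns = re.search(r"dial tcp: lookup (\S+?):", text)
    if dns:
        # Name resolution failed, so no request was sent to the endpoint.
        finding["layer"], finding["host"] = "dns", dns.group(1)
    elif "request send failed" in text and (status is None or status.group(1) == "0"):
        finding["layer"] = "transport"
    elif status:
        # A real HTTP status means the service answered and rejected the call.
        finding["layer"] = "service-response"

    # IMDS is the last source in the default credential chain: reaching it means
    # no earlier source (static keys, environment, shared config) yielded credentials.
    finding["fell_through_to_imds"] = finding["service"] == "ec2imds"
    return finding


if __name__ == "__main__":
    for sample in (SSO_ERROR, IMDS_ERROR):
        print(triage(sample))
```

A `dns` or `transport` result together with `StatusCode: 0` means the request never reached AWS, so the stored credentials were not evaluated by the service.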