hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[version 1.44] No valid credential sources found for AWS Provider #6462

Closed cullenmcdermott closed 5 years ago

cullenmcdermott commented 5 years ago

Community Note

Terraform Version

Terraform v0.10.8

Affected Resource(s)

Terraform Configuration Files

provider "aws" {
  region = "${var.region}"
}

Output

       Error: Error refreshing state: 1 error(s) occurred:

       * provider.aws: No valid credential sources found for AWS Provider.
        Please see https://terraform.io/docs/providers/aws/index.html for more information on
        providing credentials for the AWS Provider

Expected Behavior

I expected terraform to respect my AWS_PROFILE=saml environment variable. 1.43.2 works but when I change my provider to 1.44.0 it no longer respects the variable. aws CLI and Packer both work fine so I know my credentials are good.

Actual Behavior

The error above is produced

Steps to Reproduce

  1. terraform apply

References

makennedy-clgx commented 5 years ago

Reverting to release -1 works as expected.

geekbass commented 5 years ago

Also seeing this issue. Reverting works as expected.

bflad commented 5 years ago

Hi folks 👋 Similar to #6320 this may be related to upstream AWS Go SDK changes as I'm not aware of any changes in the provider authentication. My recommendation is to turn on Terraform debug logging in your environment (e.g. TF_LOG=debug terraform plan) to see if the underlying error(s) cannot be found instead of our less helpful error here.

The only change upstream in this regard I'm aware of is https://github.com/aws/aws-sdk-go/pull/2265

cullenmcdermott commented 5 years ago

Here's a gist with debug error output: https://gist.github.com/cullenmcdermott/9e2e7641fc3cc88117645e4e848901ff

When I run the same plan with 1.43.2 I see this in the debug output:

2018-11-14T14:00:07.554-0700 [DEBUG] plugin.terraform-provider-aws_v1.43.2_x4: 2018/11/14 14:00:07 [INFO] No assume_role block read from configuration
2018-11-14T14:00:07.554-0700 [DEBUG] plugin.terraform-provider-aws_v1.43.2_x4: 2018/11/14 14:00:07 [INFO] Building AWS region structure
2018-11-14T14:00:07.554-0700 [DEBUG] plugin.terraform-provider-aws_v1.43.2_x4: 2018/11/14 14:00:07 [INFO] Building AWS auth structure
2018-11-14T14:00:07.554-0700 [DEBUG] plugin.terraform-provider-aws_v1.43.2_x4: 2018/11/14 14:00:07 [INFO] Setting AWS metadata API timeout to 100ms
2018-11-14T14:00:07.788-0700 [DEBUG] plugin.terraform-provider-aws_v1.43.2_x4: 2018/11/14 14:00:07 [INFO] Ignoring AWS metadata API endpoint at default location as it doesn't return any instance-id
2018-11-14T14:00:07.788-0700 [DEBUG] plugin.terraform-provider-aws_v1.43.2_x4: 2018/11/14 14:00:07 [INFO] AWS Auth provider used: "SharedCredentialsProvider"
2018-11-14T14:00:07.789-0700 [DEBUG] plugin.terraform-provider-aws_v1.43.2_x4: 2018/11/14 14:00:07 [INFO] Initializing DeviceFarm SDK connection

It looks like for whatever reason 1.44 isn't looking at my shared credentials file?

bflad commented 5 years ago

Interesting, when I run it locally (I personally use AWS_PROFILE environment variable and ~/.aws/credentials shared credentials file), I'm able to see it being used:

2018-11-14T21:08:37.035-0500 [DEBUG] plugin.terraform-provider-aws_v1.45.0_x4: 2018/11/14 21:08:37 [INFO] Ignoring AWS metadata API endpoint at default location as it doesn't return any instance-id
2018-11-14T21:08:37.041-0500 [DEBUG] plugin.terraform-provider-aws_v1.45.0_x4: 2018/11/14 21:08:37 [INFO] AWS Auth provider used: "SharedCredentialsProvider"
2018-11-14T21:08:37.041-0500 [DEBUG] plugin.terraform-provider-aws_v1.45.0_x4: 2018/11/14 21:08:37 [INFO] Initializing DeviceFarm SDK connection

My shared credentials is nothing special with a few profiles defined like below (actual content omitted of course!)

[profile-1]
aws_access_key_id = AKIA...
aws_secret_access_key = ...
region = us-east-1

[profile-2]
aws_access_key_id = AKIA...
aws_secret_access_key = ...
region = us-east-1
...

Maybe try eliminating parts of your shared credentials file to see if the change in the SDK parsing behavior is maybe incorrectly parsing/invalidating the whole file due to "bad" section(s)?

enekofb commented 5 years ago

Same issue here ...


* provider.aws.us-west-2: error validating provider credentials: error calling sts:GetCallerIdentity: NoCredentialProviders: no valid providers in chain. Deprecated.
    For verbose messaging see aws.Config.CredentialsChainVerboseErrors

when using the latest version

provider "aws" {
  profile = "${var.profile}"
  region  = "us-east-1"
  alias   = "us-east-1"
  skip_metadata_api_check = "true"

}

Version 1.43.2 works fine

provider "aws" {
  version = "1.43.2"
  profile = "${var.profile}"
  region  = "us-east-1"
  alias   = "us-east-1"
  skip_metadata_api_check = "true"

}

geekbass commented 5 years ago

Same issue. It's ignoring the credentials in this release.

2018/11/14 16:16:18 [ERROR] root.dcos: eval: *terraform.EvalConfigProvider, err: No valid credential sources found for AWS Provider.
    Please see https://terraform.io/docs/providers/aws/index.html for more information on
    providing credentials for the AWS Provider
2018/11/14 16:16:18 [ERROR] root.dcos: eval: *terraform.EvalSequence, err: No valid credential sources found for AWS Provider.
    Please see https://terraform.io/docs/providers/aws/index.html for more information on
    providing credentials for the AWS Provider
2018/11/14 16:16:18 [ERROR] root.dcos: eval: *terraform.EvalOpFilter, err: No valid credential sources found for AWS Provider.
    Please see https://terraform.io/docs/providers/aws/index.html for more information on
    providing credentials for the AWS Provider
2018/11/14 16:16:18 [ERROR] root.dcos: eval: *terraform.EvalSequence, err: No valid credential sources found for AWS Provider.
    Please see https://terraform.io/docs/providers/aws/index.html for more information on
    providing credentials for the AWS Provider
2018/11/14 16:16:18 [DEBUG] plugin: waiting for all plugin processes to complete...

Error: Error refreshing state: 1 error(s) occurred:

* module.dcos.provider.aws: No valid credential sources found for AWS Provider.
    Please see https://terraform.io/docs/providers/aws/index.html for more information on
    providing credentials for the AWS Provider

Reverting to previous version is fine.

cullenmcdermott commented 5 years ago

@bflad Not sure if this matters but in your output it looks like you are using v1.45.0

atkinsj commented 5 years ago

I'm experiencing this on * provider.aws: version = "~> 1.45" as well.

bshelton229 commented 5 years ago

In our case we narrowed this down to the fact we were using "pretty" formatting in our ini file. We generate a credentials file using short-lived tokens via tooling. Updating the tooling to not use pretty spacing fixed the issue with the newer aws sdk.

Example ini format that stopped working with the upgrade

[federated]
aws_access_key_id     = 123
aws_secret_access_key = 456
aws_session_token     = 789

[myprofile]
region         = us-east-1
role_arn       = arn:aws:iam::123456789:role/MyRole
source_profile = federated

Having the tooling stop doing pretty alignment allowed the new provider to work

[federated]
aws_access_key_id = 123
aws_secret_access_key = 456
aws_session_token = 789

[myprofile]
region = us-east-1
role_arn = arn:aws:iam::123456789:role/MyRole
source_profile = federated

Our tool was basically putting whitespace around the equals for alignment, which wasn't working with the new SDK.

atkinsj commented 5 years ago

Thanks @bshelton229, confirmed that resolves it for me as well.

livingstaccato commented 5 years ago

My team is using saml2aws and has run into this problem as well with both 1.44.0 and 1.45.0 of the aws provider.

Can confirm that, on MacOS, sed -i '' -E 's/ +/ /g' ~/.aws/credentials fixed the issue.
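
Added example (not part of the thread, and not code from saml2aws, the provider or the SDK): a narrower alternative to the `sed` one-liner above that only removes the alignment padding around the first `=` on key/value lines, leaves values untouched, and rewrites the file through an owner-only temporary file. The function names `normalize_ini`, `has_aligned_keys` and `fix_credentials` are hypothetical, and the sample data is constructed.

```shell
#!/bin/sh
# normalize_ini: read INI text on stdin, write it to stdout with every
# "key   =   value" line rewritten as "key = value". Values are not altered.
normalize_ini() {
    awk '
        # Section headers, comments and blank lines pass through unchanged.
        /^[ \t]*(\[|#|;|$)/ { print; next }
        {
            eq = index($0, "=")              # split on the first "=" only
            if (eq == 0) { print; next }     # not a key/value line
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print key " = " val
        }'
}

# has_aligned_keys: exit 0 if stdin has a key followed by two or more
# blanks before "=", the layout reported above as failing on 1.44/1.45.
has_aligned_keys() {
    grep -Eq '^[^=#;[]*[^[:space:]=][[:space:]]{2,}='
}

# fix_credentials FILE: normalize FILE in place if it needs it. The temp
# file is created next to FILE under umask 077 so secrets stay owner-only,
# and mv replaces the original only after a successful rewrite.
fix_credentials() {
    file=$1
    has_aligned_keys < "$file" || return 0   # already in the plain layout
    ( umask 077
      tmp=$(mktemp "${file}.XXXXXX") || exit 1
      normalize_ini < "$file" > "$tmp" && mv "$tmp" "$file" )
}

# Constructed sample (not real credentials): sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '[federated]\naws_access_key_id     = 123\n' | normalize_ini
fi
```

`has_aligned_keys < ~/.aws/credentials` can also be used alone as a pre-flight check before `terraform plan` when the file is generated by other tooling.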

sstarcher commented 5 years ago

Same as @livingstaccato we use saml2aws and this causes terraform to be non-functional.

pradeepbhadani commented 5 years ago

Faced a similar issue and @livingstaccato's solution fixed the issue for me on Mac.

cullenmcdermott commented 5 years ago

Looks like the aws sdk maintainers already PR'd a fix for this (https://github.com/aws/aws-sdk-go/pull/2282) so it should be available soon.

bflad commented 5 years ago

Once the AWS Go SDK is released with the fix (likely later today), we'll pull it in here to cut a release later today or tomorrow.

makennedy-clgx commented 5 years ago

Looks like their release is done. https://github.com/aws/aws-sdk-go/releases/tag/v1.15.79

bflad commented 5 years ago

Submitted the dependency update PR: #6524

bflad commented 5 years ago

The fix for this (AWS Go SDK update) is merged and will release with version 1.46.0 of the AWS provider, in a few minutes. 🚀

bflad commented 5 years ago

This has been released in version 1.46.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

ghost commented 4 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!