hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

Version 1.6.3 not working with local s3 backend #34177

Closed vdesoutter closed 1 year ago

vdesoutter commented 1 year ago

Terraform Version

Terraform v1.6.3
on linux_amd64
+ provider registry.terraform.io/hashicorp/null v3.2.1
+ provider registry.terraform.io/hashicorp/vault v3.5.0
+ provider registry.terraform.io/okta/okta v4.3.0

Terraform Configuration Files

  backend "s3" {
    bucket   = "dev"
    key      = "terraform.tfstate"
    region   = "ap-northeast-1" # useless but Terraform won't work without this and `skip_region_validation` doesn't work
    # Else Terraform would connect to sts.amazonaws.com to validate the credentials even though we're not using AWS
    skip_credentials_validation = true
    use_path_style = true
    endpoints {
      s3 = ["<local s3 instance>"]
    }
  }

Debug Output

2023-11-02T13:31:13.912+0100 [TRACE] Meta.Backend: merging -backend-config=... CLI overrides into backend configuration
2023-11-02T13:31:13.912+0100 [TRACE] Meta.Backend: built configuration for "s3" backend with hash value 572390459
2023-11-02T13:31:13.912+0100 [TRACE] Meta.Backend: backend has not previously been initialized in this working directory
2023-11-02T13:31:13.912+0100 [DEBUG] New state was assigned lineage "XXXX"
2023-11-02T13:31:13.912+0100 [TRACE] Meta.Backend: moving from default local state only to "s3" backend
2023-11-02T13:31:13.912+0100 [TRACE] providercache.fillMetaCache: scanning directory .terraform/providers
2023-11-02T13:31:13.912+0100 [TRACE] getproviders.SearchLocalDirectory: failed to resolve symlinks for .terraform/providers: lstat .terraform/providers: no such file or directory
2023-11-02T13:31:13.912+0100 [TRACE] providercache.fillMetaCache: error while scanning directory .terraform/providers: cannot search .terraform/providers: lstat .terraform/providers: no such file or directory
2023-11-02T13:31:13.912+0100 [TRACE] providercache.fillMetaCache: scanning directory .terraform/providers
2023-11-02T13:31:13.912+0100 [TRACE] getproviders.SearchLocalDirectory: failed to resolve symlinks for .terraform/providers: lstat .terraform/providers: no such file or directory
2023-11-02T13:31:13.912+0100 [TRACE] providercache.fillMetaCache: error while scanning directory .terraform/providers: cannot search .terraform/providers: lstat .terraform/providers: no such file or directory
2023-11-02T13:31:13.912+0100 [TRACE] providercache.fillMetaCache: scanning directory .terraform/providers
2023-11-02T13:31:13.912+0100 [TRACE] getproviders.SearchLocalDirectory: failed to resolve symlinks for .terraform/providers: lstat .terraform/providers: no such file or directory
2023-11-02T13:31:13.912+0100 [TRACE] providercache.fillMetaCache: error while scanning directory .terraform/providers: cannot search .terraform/providers: lstat .terraform/providers: no such file or directory
2023-11-02T13:31:13.912+0100 [DEBUG] checking for provisioner in "."
2023-11-02T13:31:13.917+0100 [DEBUG] checking for provisioner in "/usr/bin"
2023-11-02T13:31:13.917+0100 [TRACE] backend/local: state manager for workspace "default" will:

2023-11-02T13:31:14.652+0100 [DEBUG] backend-s3.aws-base: HTTP Response Received: aws.operation=GetCallerIdentity aws.region=eu-west-1 aws.sdk=aws-sdk-go-v2 aws.service=STS tf_backend.operation=Configure tf_backend.req_id=XXXX tf_backend.s3.bucket=dev tf_backend.s3.path=terraform.tfstate http.response.header.date="Thu, 02 Nov 2023 12:31:14 GMT" http.response.header.x_amzn_requestid=XXXX http.response.header.content_type=text/xml http.response.body= | | | Sender | InvalidClientTokenId | The security token included in the request is invalid. | | b1988ee3-16f9-4338-bd2c-63ea7b2f20ba | http.duration=226 http.status_code=403 http.response_content_length=306
2023-11-02T13:31:14.652+0100 [DEBUG] backend-s3.aws-base: request failed with unretryable error https response error StatusCode: 403, RequestID: b1988ee3-16f9-4338-bd2c-63ea7b2f20ba, api error InvalidClientTokenId: The security token included in the request is invalid.: tf_backend.operation=Configure tf_backend.req_id=XXXX tf_backend.s3.bucket=dev tf_backend.s3.path=terraform.tfstate
2023-11-02T13:31:14.653+0100 [DEBUG] backend-s3.aws-base: Unable to retrieve caller identity from STS: tf_backend.operation=Configure tf_backend.req_id=XXXX tf_backend.s3.bucket=dev tf_backend.s3.path=terraform.tfstate error="operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: b1988ee3-16f9-4338-bd2c-63ea7b2f20ba, api error InvalidClientTokenId: The security token included in the request is invalid."
2023-11-02T13:31:14.653+0100 [DEBUG] backend-s3.aws-base: Retrieving account information via iam:ListRoles: tf_backend.operation=Configure tf_backend.req_id=XXXX tf_backend.s3.bucket=dev tf_backend.s3.path=terraform.tfstate
2023-11-02T13:31:14.653+0100 [DEBUG] backend-s3.aws-base: HTTP Request Sent: aws.operation=ListRoles aws.region=eu-west-1 aws.sdk=aws-sdk-go-v2 aws.service=IAM aws.signing_region=us-east-1 tf_backend.operation=Configure tf_backend.req_id=XXXX tf_backend.s3.bucket=dev tf_backend.s3.path=terraform.tfstate http.request_content_length=46 http.request.header.x_amz_date=20231102T123114Z http.request.header.content_type=application/x-www-form-urlencoded http.request.header.amz_sdk_request="attempt=1; max=5" http.method=POST http.url=https://iam.amazonaws.com/ net.peer.name=iam.amazonaws.com http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.6.3 (+https://www.terraform.io) aws-sdk-go-v2/1.21.0 os/linux lang/go#1.21.3 md/GOOS#linux md/GOARCH#amd64 api/iam#1.22.5" http.request.header.authorization="AWS4-HMAC-SHA256 Credential=XXXX/us-east-1/iam/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date, Signature=*****" http.request.header.amz_sdk_invocation_id=XXXX http.request.body= | Action=ListRoles&MaxItems=1&Version=2010-05-08

2023-11-02T13:31:14.776+0100 [DEBUG] backend-s3.aws-base: HTTP Response Received: aws.operation=ListRoles aws.region=eu-west-1 aws.sdk=aws-sdk-go-v2 aws.service=IAM aws.signing_region=us-east-1 tf_backend.operation=Configure tf_backend.req_id=XXXX tf_backend.s3.bucket=dev tf_backend.s3.path=terraform.tfstate http.response.header.content_type=text/xml http.response.header.date="Thu, 02 Nov 2023 12:31:14 GMT" http.response.body= | | | Sender | InvalidClientTokenId | The security token included in the request is invalid. | | e97fb72a-fc7f-4a2b-a74e-8ab4895039b1 | http.duration=122 http.status_code=403 http.response_content_length=306 http.response.header.x_amzn_requestid=e97fb72a-fc7f-4a2b-a74e-8ab4895039b1
2023-11-02T13:31:14.777+0100 [DEBUG] backend-s3.aws-base: request failed with unretryable error https response error StatusCode: 403, RequestID: XXXX, api error InvalidClientTokenId: The security token included in the request is invalid.: tf_backend.operation=Configure tf_backend.req_id=XXXX tf_backend.s3.bucket=dev tf_backend.s3.path=terraform.tfstate
2023-11-02T13:31:14.777+0100 [DEBUG] backend-s3.aws-base: Unable to retrieve account information via iam:ListRoles: tf_backend.operation=Configure tf_backend.req_id=XXXX tf_backend.s3.bucket=dev tf_backend.s3.path=terraform.tfstate error="operation error IAM: ListRoles, https response error StatusCode: 403, RequestID: XXXX, api error InvalidClientTokenId: The security token included in the request is invalid."
Initializing modules...
2023-11-02T13:31:14.777+0100 [TRACE] ModuleInstaller: installing child modules for . into .terraform/modules
2023-11-02T13:31:14.779+0100 [DEBUG] Module installer: begin bootstrap
2023-11-02T13:31:14.782+0100 [TRACE] ModuleInstaller: Module installer: bootstrap already installed in ../bootstrap
2023-11-02T13:31:14.782+0100 [TRACE] modsdir: writing modules manifest to .terraform/modules/modules.json

Error: Retrieving AWS account details: AWS account ID not previously found and failed retrieving via all available methods. See https://www.terraform.io/docs/providers/aws/index.html#skip_requesting_account_id for workaround and implications. Errors: 2 errors occurred:

Expected Behavior

The s3 config should be taken into account, as it is in version 1.5.7. With version 1.5.7, the s3 config works fine with local s3 storage.

Actual Behavior

Error: Retrieving AWS account details: AWS account ID not previously found and failed retrieving via all available methods. See https://www.terraform.io/docs/providers/aws/index.html#skip_requesting_account_id for workaround and implications. Errors: 2 errors occurred:

Steps to Reproduce

terraform init

Additional Context

We are trying to migrate the Terraform version from 1.5.7 to 1.6.X, but it fails with that error.

References

No response
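
A check that can be run over saved `TF_LOG` output to spot what the debug output above shows: a backend configured for a local S3 instance still sending signed requests to AWS-hosted endpoints. This is an added example, not part of the original issue or of Terraform; the sample log lines, the host `s3.internal.example` and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, abbreviated to the fields used below (not the issue's full log).
SAMPLE_LOG = """\
2023-11-02T13:31:14.653+0100 [DEBUG] backend-s3.aws-base: HTTP Request Sent: aws.operation=ListRoles aws.service=IAM http.method=POST http.url=https://iam.amazonaws.com/ net.peer.name=iam.amazonaws.com http.request.header.authorization="AWS4-HMAC-SHA256 Credential=XXXX/us-east-1/iam/aws4_request, SignedHeaders=host;x-amz-date, Signature=*****"
2023-11-02T13:31:14.700+0100 [DEBUG] backend-s3.aws-base: HTTP Request Sent: aws.operation=GetCallerIdentity aws.service=STS http.method=POST http.url=https://sts.eu-west-1.amazonaws.com/ net.peer.name=sts.eu-west-1.amazonaws.com
2023-11-02T13:31:14.900+0100 [DEBUG] backend-s3.aws-base: HTTP Request Sent: aws.operation=ListObjectsV2 aws.service=S3 http.method=GET http.url=https://s3.internal.example:9000/dev net.peer.name=s3.internal.example
2023-11-02T13:31:14.901+0100 [DEBUG] backend-s3.aws-base: HTTP Response Received: aws.operation=ListObjectsV2 aws.service=S3 http.status_code=200
"""

# key=value pairs; quoted values may contain spaces and '=' (e.g. the Authorization header)
FIELD = re.compile(r'([\w.]+)=("[^"]*"|\S*)')


def parse_fields(line):
    """Return the structured key=value fields of one log entry as a dict."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def unexpected_requests(log_text, allowed_hosts):
    """List (service, operation, host, signed) for requests sent outside allowed_hosts."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for line in log_text.splitlines():
        if "HTTP Request Sent" not in line:
            continue  # responses and other entries carry no destination to check
        fields = parse_fields(line)
        # Prefer the peer name; fall back to the host part of the request URL.
        host = fields.get("net.peer.name") or urlsplit(fields.get("http.url", "")).hostname
        if host and host.lower() not in allowed:
            signed = "http.request.header.authorization" in fields
            findings.append((fields.get("aws.service"), fields.get("aws.operation"), host, signed))
    return findings


if __name__ == "__main__":
    for service, operation, host, signed in unexpected_requests(SAMPLE_LOG, {"s3.internal.example"}):
        print(f"{service} {operation} -> {host} (SigV4-signed: {signed})")
```
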

jbardin commented 1 year ago

Duplicate of #34053

github-actions[bot] commented 11 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.