hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io

[Bug]: Unable to assume_role_with_web_identity for s3 backend #35996

Open b4ird opened 1 week ago

b4ird commented 1 week ago

Terraform Version

1.7.5

Terraform Configuration Files

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.75.1"
    }
  }
  backend "s3" {
    assume_role_with_web_identity {
      role_arn                = "arn:aws:iam::12345:role/my-role"
      web_identity_token_file = ".web-identity-token"
    }
  }
}

provider "aws" {
  region = var.aws_region

  assume_role_with_web_identity {
    role_arn                = "arn:aws:iam::54321:role/my-role"
    web_identity_token_file = ".web-identity-token"
  }
}

provider "aws" {
  alias  = "legacy"
  region = var.aws_region

  assume_role_with_web_identity {
    role_arn                = "arn:aws:iam::12345:role/my-role"
    web_identity_token_file = ".web-identity-token"
  }
}

Debug Output

https://gist.github.com/b4ird/4ca84515d3a501af8ddacd6397bd5621#file-gistfile1-txt

Expected Behavior

S3 backend should be initialized successfully via OIDC role assumption

Actual Behavior

Fails to find credentials:

Error: failed to refresh cached credentials, no EC2 IMDS role found,
│ operation error ec2imds: GetMetadata, failed to get API token, operation
│ error ec2imds: getToken, http response error StatusCode: 400, request to
│ EC2 IMDS failed

Steps to Reproduce

Running terraform init with a similar setup

Additional Context

When switching the backend to local whilst keeping the existing provider config, the role assumption works. Given that I'm able to assume the same account/role combination via the aws provider, this rules out any OIDC trust relationship issues.

References

No response

crw commented 1 week ago

Thanks for this report! The S3 backend is managed by the AWS Provider team at HashiCorp; this issue has been put into their triage queue. Thanks again!