opensearch-project / terraform-provider-opensearch

https://registry.terraform.io/providers/opensearch-project/opensearch
Apache License 2.0

[BUG] #98

Open obouchta opened 11 months ago

obouchta commented 11 months ago

What is the bug?

Assuming a role works only with the aws_profile variable. When passing aws_access_key and aws_secret_key, the role is not assumed. Error: HTTP 403 Forbidden: Permission denied. Please ensure that the correct credentials are being used to access the cluster.

How can one reproduce the bug?

Working case:

provider "opensearch" {
  url                         = "https://${aws_opensearch_domain.this.endpoint}"
  aws_region                  = var.region
  aws_assume_role_arn         = local.role_arn
  aws_assume_role_external_id = "terraform"
  sign_aws_requests           = true
  healthcheck                 = false
  aws_profile                 = var.aws_profile
}

Not working case:

provider "opensearch" {
  url                         = "https://${aws_opensearch_domain.this.endpoint}"
  aws_region                  = var.region
  aws_assume_role_arn         = local.role_arn
  aws_assume_role_external_id = "terraform"
  sign_aws_requests           = true
  healthcheck                 = false
  aws_access_key              = var.aws_access_key
  aws_secret_key              = var.aws_secret_key
}

What is the expected behavior?

The role should be assumed when passing aws_access_key and aws_secret_key, or when passing the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

What is your host/environment?

Amazon Linux AMI 2018.03, Terraform v1.3.9, Provider 2.0.0

Do you have any screenshots?

image

peterzhuamazon commented 10 months ago

Similar to