Terraform Version
Terraform v1.15.1
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v6.43.0
Terraform Configuration Files
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 6"
    }
  }

  backend "s3" {
    bucket  = "test-bucket"
    key     = "test/key"
    region  = "us-east-2"
    profile = "test"
  }
}

provider "aws" {
  region  = "us-east-2"
  profile = "test"
}

data "aws_caller_identity" "ci" {}

output "caller_identity" {
  value = data.aws_caller_identity.ci
}
Debug Output
https://gist.github.com/ssilvidi/ba80eb684f9a584bc0e65c58075ef109
Expected Behavior
The AWS CLI supports using source_profile to assume that profile's role from another profile. (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-settings)
You can use aws login for your default profile, then rely on source_profile for your other profiles. This works fine for AWS CLI commands.
This source_profile method has traditionally worked as expected with terraform, except when using the new aws login command.
Example ~/.aws/config:
[default]
region = us-east-2
[profile test]
source_profile = default
role_arn = arn:aws:iam::123456789000:role/terraform-deployment-role
region = us-east-2
Actual Behavior
Terraform fails to initialize the backend (or plan, etc.) if the profile uses source_profile to the default AWS profile.
Initializing provider plugins found in the configuration...
- Reusing previous version of hashicorp/aws from the dependency lock file
- Using previously-installed hashicorp/aws v6.43.0
Initializing the backend...
╷
│ Error: failed to load assume role arn:aws:iam::123456789000:role/terraform-deployment-role, of profile default, <nil>
│
│
╵
I notice that the error message says it failed to load the assume role "of profile default" even though it's the test profile's role ARN, but maybe that's just wording.
Steps to Reproduce
- With no AWS_PROFILE set (for default), run aws login
- Choose the correct AWS session in the browser popup
- terraform init
Additional Context
This problem also applies to the AWS provider in general, but there's already an open issue for that in the provider repo. (hashicorp/terraform-provider-aws#45817)
References
- aws login #37976
- aws login credentials between Terraform and AWS CLI terraform-provider-aws#45817
Generative AI / LLM assisted development?
No response
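Added example, not part of the original report and not Terraform or AWS SDK code: a Python script that walks the source_profile chain in a shared config file and reports which profile must supply the first credentials, which is the step that fails in the error above. The function names and the embedded sample config are constructed for illustration; the root classification is an assumption based on standard shared-config keys only.

```python
import configparser

# Constructed sample mirroring the ~/.aws/config shown in the report.
SAMPLE_CONFIG = """
[default]
region = us-east-2
[profile test]
source_profile = default
role_arn = arn:aws:iam::123456789000:role/terraform-deployment-role
region = us-east-2
"""

def section_name(profile):
    # The shared config file names every profile "profile X" except default.
    return "default" if profile == "default" else f"profile {profile}"

def resolve_chain(config_text, profile):
    """Follow source_profile links; return (hops, root_profile, root_kind)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    hops, seen = [], set()
    while True:
        if profile in seen:
            raise ValueError(f"source_profile loop at {profile!r}")
        seen.add(profile)
        name = section_name(profile)
        if not cfg.has_section(name):
            raise KeyError(f"profile {profile!r} not found")
        sect = cfg[name]
        if "source_profile" not in sect:
            break
        hops.append((profile, sect.get("role_arn")))
        profile = sect["source_profile"]
    # Root of the chain: the profile the first credentials must come from.
    if "aws_access_key_id" in sect:
        kind = "static keys in config"
    elif "credential_process" in sect:
        kind = "credential_process"
    elif "sso_session" in sect or "sso_start_url" in sect:
        kind = "SSO"
    else:
        kind = "external (credentials file, env, or cached login session)"
    return hops, profile, kind

if __name__ == "__main__":
    hops, root, kind = resolve_chain(SAMPLE_CONFIG, "test")
    for prof, arn in hops:
        print(f"{prof}: assumes {arn}")
    print(f"root profile: {root} ({kind})")
```

For the config in the report, the root is default with no credential settings in the file, so whatever resolves the chain has to know how to load that profile's credentials from outside the config.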