terraform issue when dealing with cross account access #1192

Closed
rico-spaceship opened this issue Jul 20, 2017 · 3 comments
Labels
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service. stale Old or inactive issues managed by automation, if no further action taken these will get closed.

Comments

@rico-spaceship

rico-spaceship commented Jul 20, 2017

Hi there,

We are having issues spinning up an EC2 instance in a cross-account setup.

Terraform Version

0.9.11

Affected Resource(s)

EC2 instances

Terraform Configuration Files

We created a role in our Dev account and allowed our corp account to assume this role;
see this gist: https://gist.github.com/rico-spaceship/d0f1ac24381ae7bbbc5c9591a919ade6
From our corp account, we attach a policy to assume the role:
https://gist.github.com/rico-spaceship/68b9855a5e9506f681f9627d5f7b71be

Then, when we try to launch our EC2 instance, we wrap it in a shell script:
https://gist.github.com/rico-spaceship/68101bffe7baef56eb2193384fb31a0d

Debug Output

It seems that terraform init works with the S3 backend bucket, but it throws an error when we try to run the script.

[05:14:10]	[Step 1/1] 2017/07/20 05:14:10 [ERROR] root: eval: *terraform.EvalConfigProvider, err: InvalidClientTokenId: The security token included in the request is invalid.
[05:14:10]	[Step 1/1] status code: 403, request id: xxxxxxxxxxxxxxxxxxxxxxx
[05:14:10]	[Step 1/1] 2017/07/20 05:14:10 [ERROR] root: eval: *terraform.EvalSequence, err: InvalidClientTokenId: The security token included in the request is invalid.
[05:14:10]	[Step 1/1] status code: 403, request id: xxxxxxxxxxxxxxxxxxxxxxx
[05:14:10]	[Step 1/1] 2017/07/20 05:14:10 [ERROR] root: eval: *terraform.EvalOpFilter, err: InvalidClientTokenId: The security token included in the request is invalid.
[05:14:10]	[Step 1/1] status code: 403, request id: xxxxxxxxxxxxxxxx
[05:14:10]	[Step 1/1] 2017/07/20 05:14:10 [ERROR] root: eval: *terraform.EvalSequence, err: InvalidClientTokenId: The security token included in the request is invalid.
[05:14:10]	[Step 1/1] status code: 403, request id: xxxxxxxxxxxxxxxx
[05:14:10]	[Step 1/1] 2017/07/20 05:14:10 [TRACE] [walkRefresh] Exiting eval tree: provider.aws
[05:14:12]	[Step 1/1] Error refreshing state: 1 error(s) occurred:
[05:14:12]	[Step 1/1]
[05:14:12]	[Step 1/1] * provider.aws: InvalidClientTokenId: The security token included in the request is invalid.
[05:14:12]	[Step 1/1] status code: 403, request id: xxxxxxxxxxxxxxxx

Expected Behavior

"terraform apply" can spin up the instance without throwing errors

Actual Behavior

"terraform apply" failed

@agarstang

It was mentioned in #2693 on the Terraform repo that the role_arn parameter on the AWS provider probably fits this use case (so there is no need for a wrapper shell script).
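
As an added example that is not part of the issue or its gists, the configuration below shows the approach @agarstang points at: let the AWS provider assume the Dev-account role itself instead of exporting credentials from a wrapper script. The account IDs, role and session names, bucket and AMI are placeholder assumptions, and the Dev-side trust policy narrows the principal to a single corp role rather than the corp account root, which is a recommendation, not what the linked gists necessarily do. It uses Terraform 0.9-era syntax (quoted provider = "aws.dev"; from 0.12 on that is written provider = aws.dev). Because STS hands the provider a complete temporary credential set, session token included, this sidesteps the most common cause of the InvalidClientTokenId 403 shown above: an access key and secret exported into the environment without the AWS_SESSION_TOKEN that belongs to them, or a stale set left over from an earlier assume-role call.

```hcl
# Added example, not from the issue or its gists. Placeholders:
#   111111111111 = Dev account  (owns the role, the state bucket, the instance)
#   222222222222 = corp account (where Terraform runs, e.g. a CI agent)

# --- Corp account side: the caller needs nothing but sts:AssumeRole on the
# --- Dev role. Attach this policy to the CI user/role that runs Terraform.
resource "aws_iam_policy" "assume_dev_role" {
  name   = "AssumeTerraformCrossAccount"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::111111111111:role/TerraformCrossAccount"
  }]
}
EOF
}

# --- Dev account side (separate root module, applied with Dev credentials):
# --- the role corp may assume. Trust the specific corp principal, not the
# --- account root, so that any other corp identity with sts:AssumeRole cannot
# --- reach into Dev. Permissions for EC2 are attached to this role separately.
resource "aws_iam_role" "terraform_cross_account" {
  name               = "TerraformCrossAccount"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::222222222222:role/TerraformCI" },
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# --- Corp account side, the root module that launches the instance. ---

# State bucket lives in Dev, so the backend assumes the same role. Backend
# blocks cannot reference variables, hence the literal ARN.
terraform {
  backend "s3" {
    bucket   = "example-dev-terraform-state"
    key      = "ec2/terraform.tfstate"
    region   = "us-east-1"
    role_arn = "arn:aws:iam::111111111111:role/TerraformCrossAccount"
  }
}

# Default provider: corp credentials from the environment, shared credentials
# file or instance profile. No session token juggling is needed here.
provider "aws" {
  region = "us-east-1"
}

# Aliased provider: every API call goes out as the Dev-account role. STS
# returns key, secret and session token together, so nothing is exported
# by hand and the three values can never get out of step.
provider "aws" {
  alias  = "dev"
  region = "us-east-1"

  assume_role {
    role_arn     = "arn:aws:iam::111111111111:role/TerraformCrossAccount"
    session_name = "terraform-ci"
    # external_id = "..."   # set only if the Dev trust policy requires one
  }
}

resource "aws_instance" "app" {
  provider      = "aws.dev"            # 0.9-0.11 syntax; aws.dev in 0.12+
  ami           = "ami-0123456789abcdef0"
  instance_type = "t2.micro"

  tags {
    Name = "cross-account-example"
  }
}
```

The session_name shows up as the assumed-role session in the Dev account's CloudTrail, which is what you want when several pipelines share one role: it is the only thing that distinguishes their API calls. If the wrapper-script approach has to stay, the same check applies: the environment passed to terraform must carry AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN from the same assume-role response, and a quick aws sts get-caller-identity before terraform apply confirms which principal the run is actually using.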

@Ninir Ninir added the bug Addresses a defect in current functionality. label Jul 26, 2017
@radeksimko radeksimko added the service/ec2 Issues and PRs that pertain to the ec2 service. label Jan 28, 2018
@github-actions

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Mar 30, 2020
@ghost

ghost commented May 31, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators May 31, 2020