
Provider assume role block with profile no longer works with 3.26.0 #17353

Closed
JoshiiSinfield opened this issue Jan 29, 2021 · 11 comments
Labels
provider Pertains to the provider itself, rather than any interaction with AWS. stale Old or inactive issues managed by automation, if no further action taken these will get closed. upstream Addresses functionality related to the cloud provider.

Comments

@JoshiiSinfield

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v0.13.5
+ provider registry.terraform.io/hashicorp/aws v3.26.0

Affected Resource(s)

  • provider "aws" {}

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

provider "aws" {
  region  = "eu-west-1"
  profile = "my-auth-account-profile"
  assume_role {
    role_arn     = "arn:aws:iam::123456789012:role/ROLE"
    session_name = "SESSION_NAME"
  }
}

Debug Output

Panic Output

Expected Behavior

Terraform should have used the profile to obtain a session and assumed the role specified in the assume_role block

Actual Behavior

Terraform plan and apply both fail with Error: error configuring Terraform AWS Provider: error creating assume role session: SharedConfigErr: only one credential type may be specified per profile: source profile, credential source, credential process, web identity token, or sso

Steps to Reproduce

  1. Set up a profile, using API credentials for a user with assume role perms to a cross-account role
  2. Set up a role to be assumed cross account using the above profile
  3. Configure the provider using the profile, and specify the assume_role block as detailed above using the role in step 2.
  4. terraform init will succeed
  5. terraform apply will fail

Important Factoids

This works on Provider version 3.25.0. It's broken in 3.26.0.

References

@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jan 29, 2021
@ewbankkit ewbankkit added bug Addresses a defect in current functionality. provider Pertains to the provider itself, rather than any interaction with AWS. labels Jan 29, 2021
@ewbankkit
Contributor

ewbankkit commented Jan 29, 2021

@bflad
Contributor

bflad commented Jan 29, 2021

Hi folks 👋

This particular error is from the AWS Go SDK we depend on:

SharedConfigErr: only one credential type may be specified per profile: source profile, credential source, credential process, web identity token, or sso

It was adjusted to include checking for SSO configuration in an AWS shared configuration profile with the support for SSO cached credentials in version 1.37.0 (released as part of Terraform AWS Provider version 3.26.0). If you have both sso_* and source_profile configuration within the same profile, removing one or the other will likely fix the issue.

This particular validation is being controlled by the AWS Go SDK, so it may be best to track or contribute to these conversations upstream for updates on whether this particular validation might be relaxed:

@bflad bflad added upstream Addresses functionality related to the cloud provider. and removed bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Jan 29, 2021
@JoshiiSinfield
Author

Hi @bflad ,

Thanks for the update, however that's not the case for me.

My profile contains only the secret key and key id, no sso. I do have other profiles in the same file that are sso, but not this one.

Please see below ...
credentials file contains:

[my-auth-account-profile]
aws_access_key_id = AKIAVXXXXXXXXXXXXX
aws_secret_access_key = eCXXXXXXXXXXXXXXXXXXXXXX
region = eu-west-1

terraform config:

provider "aws" {
  region  = "eu-west-1"
  profile = "my-auth-account-profile"
  assume_role {
    role_arn     = "arn:aws:iam::123456789012:role/ROLE"
    session_name = "SESSION_NAME"
  }
}

@JoshiiSinfield
Author

Here is a complete set of configs I have used to replicate the issue:
main.tf:

provider "aws" {
  region = "eu-west-1"

  assume_role {
    role_arn = "arn:aws:iam::XXXXX:role/XXXXXX"
  }
}

data "aws_caller_identity" "current" {}

output "acc_id" {
  value = data.aws_caller_identity.current.account_id
}

~/.aws/config

[default]
sso_start_url = https://XXXXX.awsapps.com/start
sso_region = eu-west-1
sso_account_id = XXXXX
sso_role_name = AdministratorAccess
region = eu-west-1
output = json
credential_process = aws-sso-credential-process --profile default
[profile joshs-test]
region = eu-west-1
output = json
[profile profile2]
sso_start_url = https://XXXXXX.awsapps.com/start
sso_region = eu-west-1
sso_account_id = XXXXXX
sso_role_name = AdministratorAccess
region = eu-west-1
output = json
credential_process = aws-sso-credential-process --profile profile2

~/.aws/credentials

[joshs-test]
aws_access_key_id = 12345
aws_secret_access_key = aabbcc

software versions:

terraform -v
Terraform v0.13.5
+ provider registry.terraform.io/hashicorp/aws v3.26.0

Cheers,
Josh
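The validation bflad describes above is per profile: a shared-config section that declares keys from more than one credential type fails before any assume_role call is made. The script below is an added example (not code from the provider or the AWS SDK) that parses a ~/.aws/config file and reports such profiles; it is run against a constructed sample modelled on the config Josh posted. The mapping from config keys to credential types is my assumption based on the error message.

```python
import configparser

# Credential types the SDK error message names, mapped to the shared-config
# keys that declare them (assumed mapping, derived from the error text).
CREDENTIAL_TYPE_KEYS = {
    "source profile":     ("source_profile",),
    "credential source":  ("credential_source",),
    "credential process": ("credential_process",),
    "web identity token": ("web_identity_token_file",),
    "sso": ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name"),
}

def credential_types(section):
    """Return the set of credential-type names a profile section declares."""
    return {name for name, keys in CREDENTIAL_TYPE_KEYS.items()
            if any(k in section for k in keys)}

def find_conflicting_profiles(config_text):
    """Return {profile_name: sorted credential types} for every profile in the
    given ~/.aws/config text that declares more than one credential type."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    conflicts = {}
    for section_name in parser.sections():
        types = credential_types(parser[section_name])
        if len(types) > 1:
            # Non-default profiles are written "[profile name]" in config.
            prefix = "profile "
            name = section_name[len(prefix):] if section_name.startswith(prefix) else section_name
            conflicts[name] = sorted(types)
    return conflicts

# Constructed sample, modelled on the ~/.aws/config posted in this thread.
SAMPLE_CONFIG = """\
[default]
sso_start_url = https://example.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
credential_process = aws-sso-credential-process --profile default
[profile joshs-test]
region = eu-west-1
output = json
[profile profile2]
sso_start_url = https://example.awsapps.com/start
sso_role_name = AdministratorAccess
credential_process = aws-sso-credential-process --profile profile2
"""

if __name__ == "__main__":
    for profile, types in find_conflicting_profiles(SAMPLE_CONFIG).items():
        print(f"profile {profile!r} declares more than one credential type: {types}")
```

Only the profiles that mix sso_* with credential_process are reported; joshs-test, which carries no credential keys at all, is clean.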

@autorTepatiki

autorTepatiki commented Feb 3, 2021

I could finally resolve this by updating to the latest Go version: https://golang.org/doc/install , "go version go1.15.7 linux/amd64"

And everything is fine! No longer "Error: error configuring Terraform AWS Provider: error creating assume role session: SharedConfigErr: only one credential type may be specified per profile: source profile, credential source, credential process, web identity token, or sso"

@abeluck

abeluck commented Feb 4, 2021

@martindcernadas You mean you updated go and built the aws provider plugin from source?

@JoshiiSinfield
Author

Sorry @martindcernadas, please can you elaborate?

I've just upgraded from 1.15.2 to 1.15.7_1 and it made no difference. I still receive the error.

Cheers,
Josh

@JoshiiSinfield
Author

Just to confirm - I can get this working by removing all "credential_process" lines from my profiles.

However, I had an older version of awscli (v2.0.55). This was generating credentials with an invalid timestamp. (see here)

I upgraded to 2.1.24, re-logged in and the timestamp issue disappeared.

Therefore I guess this technically isn't an issue any more. HOWEVER, it should have come with a large warning that it needs the latest AWS CLI version to generate credentials with valid timestamps.

@lorengordon
Contributor

lorengordon commented Dec 3, 2021

This just bit me also. It definitely does not work to use a profile in the provider config that is based on credential_process, and also use the provider assume_role feature. Very frustrating.

Edit to add: This is still an issue in v3.68.0

Edit Edit: Haha, nevermind, something changed, but it was an interaction between a new aws provider version and an old module version. I updated the aws provider, and it stopped working with the old module version. Updated the module version, and now it works again. Good times!


Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Dec 26, 2023
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Jan 28, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 28, 2024