
terraform-aws-provider v3.26.0+: aws-go-sdk v1.37.0+ causes Terraform to fail reading credentials from environment if SSO configuration in ~/.aws/config is incomplete #17370

Closed
christophetd opened this issue Feb 1, 2021 · 5 comments · Fixed by #17469
Labels: provider (Pertains to the provider itself, rather than any interaction with AWS.), upstream (Addresses functionality related to the cloud provider.)

Comments

@christophetd
Contributor

christophetd commented Feb 1, 2021

See also: aws/aws-sdk-go#3768

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

  • Terraform v0.14.5
  • Terraform AWS provider v3.26.0. Confirmed this bug does not occur on v3.25.0

Configuration Files

Terraform configuration file:

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      version = "3.26.0"
    }
  }
}

provider "aws" {
  region = "eu-west-1"
}

resource "aws_iam_user" "test" {
  name = "test"
}

~/.aws/config:

[default]
sso_start_url=https://org.awsapps.com/start
sso_region=eu-central-1
cli_pager=
region=eu-west-1

[okta]
aws_saml_url=home/amazon_aws/xxx

Description

Authentication. With the configuration described above, using aws-vault / the AWS CLI, I'm authenticating using AWS SSO:

$ aws-vault exec dev # Or using the AWS CLI
$ aws sts get-caller-identity
{
    "UserId": "AROXXXXXXXx:christophe@domain.tld",
    "Account": "123456789123",
    "Arn": "arn:aws:sts::123456789123:assumed-role/AWSReservedSSO_MyRole_xxx/christophe@domain.tld"
}

Expected behavior: When running terraform apply, the credentials from my environment are used to authenticate against AWS

Actual behavior:

$ terraform apply
Error: error configuring Terraform AWS Provider: Error creating AWS session: profile "default" is configured to use SSO but is missing required configuration: sso_account_id, sso_role_name

Note that adding random sso_account_id and sso_role_name values to ~/.aws/config does allow working around this bug, e.g.

[default]
...
sso_account_id=123
sso_role_name=foo

References

aws/aws-sdk-go#3768
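As an added example (not code from the issue, the provider or aws-sdk-go): a small Go pre-flight check that reads a shared config file with a minimal parser written for this purpose, reports which of the SSO keys named in the error above are missing from a profile, and treats static AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY values in the environment as sufficient on their own, which is the precedence the report expects. It also covers the non-SSO case (a profile with no sso_* key at all), which the post's [okta] profile illustrates.

```go
package main

import (
	"fmt"
	"strings"
)

// Keys the SDK requires once a profile uses SSO; the issue's error names the last two.
var ssoRequiredKeys = []string{"sso_start_url", "sso_region", "sso_account_id", "sso_role_name"}

// parseSharedConfig is a minimal ~/.aws/config reader written for this example.
func parseSharedConfig(text string) map[string]map[string]string {
	profiles, section := map[string]map[string]string{}, ""
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "" || line[0] == '#' || line[0] == ';':
			continue // blank line or comment
		case strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]"):
			// "[default]" or "[profile name]" header
			section = strings.TrimPrefix(strings.TrimSpace(line[1:len(line)-1]), "profile ")
			profiles[section] = map[string]string{}
		default:
			if kv := strings.SplitN(line, "=", 2); len(kv) == 2 && section != "" {
				profiles[section][strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
			}
		}
	}
	return profiles
}

// missingSSOKeys lists required SSO keys absent from an SSO profile. Static credentials
// in env count as sufficient on their own, the precedence the reporter expected.
func missingSSOKeys(profile, env map[string]string) []string {
	var missing []string
	for _, k := range ssoRequiredKeys {
		if profile[k] == "" {
			missing = append(missing, k)
		}
	}
	hasStatic := env["AWS_ACCESS_KEY_ID"] != "" && env["AWS_SECRET_ACCESS_KEY"] != ""
	if hasStatic || len(missing) == len(ssoRequiredKeys) { // or: no sso_* key at all
		return nil
	}
	return missing
}

func main() {
	cfg := parseSharedConfig("[default]\nsso_start_url=https://org.awsapps.com/start\nsso_region=eu-central-1\n") // constructed input
	fmt.Println(missingSSOKeys(cfg["default"], nil)) // [sso_account_id sso_role_name]
}
```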

@ewbankkit ewbankkit added provider Pertains to the provider itself, rather than any interaction with AWS. upstream Addresses functionality related to the cloud provider. and removed service/iam Issues and PRs that pertain to the iam service. labels Feb 1, 2021
@christophetd
Contributor Author

christophetd commented Feb 2, 2021

This was confirmed in aws/aws-sdk-go#3768 to be an aws-go-sdk issue which will be fixed in their next release. I suggest we wait until the fix is released on their side, then I guess the next release of terraform-provider-aws will solve the issue?

@ewbankkit
Contributor

ewbankkit commented Feb 2, 2021

Now available via AWS SDK v1.37.2 which will appear as a PR in this repo shortly.

@bflad bflad self-assigned this Feb 4, 2021
@bflad bflad removed the needs-triage Waiting for first response or review from a maintainer. label Feb 4, 2021
@bflad bflad added this to the v3.27.0 milestone Feb 4, 2021
@ghost

ghost commented Feb 5, 2021

This has been released in version 3.27.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost

ghost commented Mar 7, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Mar 7, 2021