EC2 IMDS role is being used despite setting a non-existence profile

[mforutan]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v1.1.3
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v4.1.0

Affected Resource(s)

• Authentication

Terraform Configuration Files

Despite what is mentioned for the new authentication changes in version 4.0.0 and above, still we can explicitly set the profile to an invalid name and get the terraform provider to fall back to EC2 IMDS role on EC2 instances.

provider "aws" {
  region  = "us-east-1"
  profile = "profile-with-no-valid-creds"
}

This is a bug based on the documentation and it doesn't match the AWS CLI behaviour which doesn't work if AWS_PROFILE is set to something invalid.

Expected Behavior

An explicitly set profile that does not have valid credentials will cause an authentication error.

Actual Behavior

Terraform successfully authenticates using EC2 IMDS role.

Steps to Reproduce

1. Run terraform plan with this configuration on an EC2 instance with EC2 IMDS role available:

provider "aws" {
  region  = "us-east-1"
  profile = "profile-with-no-valid-creds"
}

data "aws_caller_identity" "current" {}

output "account_id" {
  value = data.aws_caller_identity.current.account_id
}

References

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/version-4-upgrade#changes-to-authentication

[gdavison]

I've created hashicorp/aws-sdk-go-base#127 for this issue.

Reference aws/aws-sdk-go-v2#1591

[antonioned]

hey team, I know that this is maybe not directly connected to this issue but since the other one is closed, would like to ask for an advise on it here as well.

I left a comment on the original issue regarding the 4.x upgrade of the provider - #23209 (comment)

Maybe someone can help with this or we can expect a fix soon?

[github-actions]

This functionality has been released in v4.3.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.