AWS secrets taking precedence over provider configuration #24547

Closed
Lincon-Freitas opened this issue May 4, 2022 · 6 comments
Labels
authentication Pertains to authentication; to the provider itself of otherwise. bug Addresses a defect in current functionality.

Comments

@Lincon-Freitas

Lincon-Freitas commented May 4, 2022

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform 1.1.9
AWS Provider ~> 4.12.0

Affected Resource(s)

  • provider "aws" {}

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

providers.tf

terraform {
  backend "s3" {}
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.12.0"
    }
  }
}

provider "aws" {}

provider "aws" {
  alias = "test"
  assume_role_with_web_identity {
    role_arn           = "arn:aws:iam::xxx:role/role-b"
    duration           = "15m"
    session_name       = "github-runner-session-by-terraform"
    web_identity_token = "xxx"
  }
}

main.tf

resource "aws_s3_bucket" "a" {
  bucket = "my-bucket-a"
}

resource "aws_s3_bucket" "b" {
  provider = aws.test

  bucket = "my-bucket-b"
}

Expected Behavior

Terraform should use the default provider when creating the resource "my-bucket-a" as there is no alias specified in the block. As the resource "my-bucket-b" specifies an alias for the provider with the assume_role_with_web_identity option, it should try to use that provider.

Actual Behavior

Every resource is being created with the credentials of the default provider with no credentials specified.

Steps to Reproduce

  1. terraform init
  2. terraform plan
  3. terraform apply

Important Factoids

I am using GitHub Actions to deploy this code, hence it seems reasonable to use GitHub OIDC to authenticate to AWS. For the default provider, the authentication is made by using the following action:

aws-actions/configure-aws-credentials@v1

    # Configure AWS credentials.
    - name: AWS Credentials
      id: aws-credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        role-to-assume: arn:aws:iam::xxx:role/role-a # Note that this is not the same role used in the provider config
        role-session-name: github-runner-session
        aws-region: region

The above action authenticates successfully to AWS and exports the short-lived token as environment variables for the runner, and then the default provider uses it to run.

The thing is that the second provider is also using the above credentials, which in my understanding is wrong because it does not respect the order stated in the Terraform docs.

I could be missing something here as well! I am adding the references I guess are related to or going to help with this investigation.

Thanks in advance and please tell me if you need any further information.

References
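A way to confirm which identity each provider configuration actually resolves to before any bucket is created, as an added example that is not part of the issue. It assumes the same placeholder account id, role names and token as the report above, and that the runner has the GitHub Action's credentials in its environment.

```hcl
# Added verification config (not from the issue). It resolves the caller
# identity through both provider configurations so that environment-variable
# credentials leaking into the aliased provider are visible in `terraform plan`
# output instead of only after resources have been created.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.12.0"
    }
  }
}

# Default provider: expected to pick up the env vars exported by
# aws-actions/configure-aws-credentials (role-a).
provider "aws" {}

# Aliased provider: expected to assume role-b via the web identity token.
provider "aws" {
  alias = "test"
  assume_role_with_web_identity {
    role_arn           = "arn:aws:iam::xxx:role/role-b" # placeholder account id
    duration           = "15m"
    session_name       = "github-runner-session-by-terraform"
    web_identity_token = "xxx" # placeholder token
  }
}

# Resolve the caller identity through each provider configuration.
data "aws_caller_identity" "default" {}

data "aws_caller_identity" "test" {
  provider = aws.test
}

output "default_provider_arn" {
  value = data.aws_caller_identity.default.arn
}

output "test_provider_arn" {
  value = data.aws_caller_identity.test.arn
}

# True only when the aliased provider is really running as role-b under the
# session name set in assume_role_with_web_identity. If this is false (or the
# two ARNs above are identical), the env-var credentials took precedence.
output "test_provider_uses_role_b" {
  value = data.aws_caller_identity.test.arn == "arn:aws:sts::xxx:assumed-role/role-b/github-runner-session-by-terraform"
}
```

Run `terraform plan` with both data sources in place; a plan that refuses to read the aliased identity, or that reports the same ARN for both outputs, reproduces the problem without touching any S3 bucket.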

@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/s3 Issues and PRs that pertain to the s3 service. labels May 4, 2022
@ewbankkit ewbankkit added authentication Pertains to authentication; to the provider itself of otherwise. and removed service/s3 Issues and PRs that pertain to the s3 service. labels May 4, 2022
@justinretzolk justinretzolk added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels May 5, 2022
@gdavison gdavison self-assigned this May 6, 2022
@glenthomas

I have the same issue. I only need to use the aws-actions/configure-aws-credentials@v1 action to assume a role for the S3 backend because it does not have support for using web identity tokens. All of my AWS providers use the assume_role_with_web_identity block and all are picking up the environment variables instead of the token being input to the provider.

@macmiranda

macmiranda commented Jul 1, 2022

All of my AWS providers use the assume_role_with_web_identity block and all are picking up the environment variables instead of the token being input to the provider.

😱

We're declaring different providers using local profiles but they are ignored when environment variables are set.
I believe it should follow the same precedence behavior as the AWS SDK and tools when passed as a parameter:

  • If you specify a setting by using its environment variable, it overrides any value loaded from a profile in the shared AWS config and credentials files.
  • If you specify a setting by using a parameter on the AWS CLI command line, it overrides any value from either the corresponding environment variable or a profile in the configuration file.
    ref.: https://docs.aws.amazon.com/sdkref/latest/guide/environment-variables.html

@gdavison any idea what's the effort to fix this?

@gdavison
Contributor

gdavison commented Jul 4, 2022

Are you still seeing this with the latest version of the provider? If so, can you try running this with the environment variable TF_LOG_PROVIDER=DEBUG, please?

We're looking for lines containing "Retrieved credentials from" and any other surrounding lines that may relate.

@gdavison gdavison added the waiting-response Maintainers are waiting on response from community or contributor. label Jul 4, 2022
@macmiranda

@gdavison, you're right. It works with the latest version of the provider.

provider.terraform-provider-aws_v4.21.0_x5: A Profile was specified along with the environment variables "AWS_ACCESS_KEY_ID" and "AWS_SECRET_ACCESS_KEY". The Profile is now used instead of the environment variable credentials. This may lead to unexpected behavior.

I just need to update all my modules and then change the provider version.

Thanks.

I guess the issue with assume_role_with_web_identity is still unresolved though.

@github-actions github-actions bot removed the waiting-response Maintainers are waiting on response from community or contributor. label Jul 5, 2022
@gdavison
Contributor

gdavison commented Jul 6, 2022

@macmiranda, the assume_role_with_web_identity problem should be resolved by #25681.

Since this is resolved in the latest provider, I'm going to close the issue.

@gdavison gdavison closed this as completed Jul 6, 2022
@github-actions

github-actions bot commented Aug 5, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 5, 2022