AWS provider ignores skip_credentials_validation in latest release #5496

Closed
nterry opened this issue Aug 9, 2018 · 3 comments · Fixed by #5794
Labels
bug Addresses a defect in current functionality. provider Pertains to the provider itself, rather than any interaction with AWS. regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement.

nterry commented Aug 9, 2018

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

0.11.7
1.31.0

Affected Resource(s)

  • aws_sts

Terraform Configuration Files

provider "aws" {
  access_key = "1234"
  secret_key = "abcd"
  region = "us-west-2"
  skip_credentials_validation = true

  endpoints {
    dynamodb = "https://localhost:4569"
    kinesis = "https://localhost:4568"
    sqs = "https://localhost:4576"
  }

  insecure = true
}

Debug Output

https://gist.github.com/nterry/d7c64ceac29498de643e39d860fedca2

Expected Behavior

Successful apply, ignoring STS auth

Actual Behavior

Tries to authenticate with STS

Steps to Reproduce

  1. Start up localstack (an impl that doesn't support sts) (instructions https://github.com/localstack/localstack/blob/master/README.md)
  2. Use any resources you like with the skip_credentials_validation set to true
  3. Run terraform apply
  4. Error is apparent

Important Factoids

Pinning to 1.30.0 resolves the issue

@radeksimko radeksimko added bug Addresses a defect in current functionality. provider Pertains to the provider itself, rather than any interaction with AWS. labels Aug 13, 2018
@bflad bflad added the regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. label Sep 5, 2018

bflad commented Sep 5, 2018

If the provider is unable to determine the AWS account ID from a provider assume role configuration or the STS GetCallerIdentity call used to verify the credentials (if skip_credentials_validation = false), it will attempt to look up the AWS account ID via EC2 metadata, IAM GetUser, IAM ListRoles, and STS GetCallerIdentity. Previous to version 1.31.0 of the provider, it would silently allow the failure of all the above methods. We inadvertently changed this behavior to return an error since it seemed more correct in the context of the other changes occurring at the time.

There are implications of the provider not having its AWS account ID properly initialized, which are noted at: https://www.terraform.io/docs/providers/aws/index.html#skip_requesting_account_id

Since the provider behavior change was breaking, I have submitted a pull request to temporarily reinstate the old behavior and note the upcoming error change in the next major version of the provider: #5794

I would recommend adding the following to your provider configurations, which should work with the latest 1.X versions (even before the above pull request is released) as well as 2.X:

 provider "aws" {
   # ... other configuration ...

   skip_requesting_account_id = true
 }

@bflad bflad added this to the v1.35.0 milestone Sep 5, 2018
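
The account ID lookup flow described in the comment above, as an added Go model that is not the provider's own code. The `endpoint` map, `resolve` and the `strict` switch are hypothetical names, the local endpoint is constructed sample input, and the assume-role path is omitted.

```go
package main

import (
	"errors"
	"fmt"
)

// endpoint maps an API name to the account ID it would report; a missing key
// models an API the endpoint does not implement. All names are illustrative.
type endpoint map[string]string

type config struct{ SkipCredentialsValidation, SkipRequestingAccountID bool }

// Fallback order as listed in the comment above.
var fallbacks = []string{"ec2metadata", "iam:GetUser", "iam:ListRoles", "sts:GetCallerIdentity"}

// resolve returns (account ID, calls attempted, error). strict=true models 1.31.0
// (error when every lookup fails); strict=false models the earlier silent behaviour.
func resolve(c config, ep endpoint, strict bool) (string, []string, error) {
	var tried []string
	if !c.SkipCredentialsValidation {
		tried = append(tried, "sts:GetCallerIdentity")
		id, ok := ep["sts:GetCallerIdentity"]
		if !ok {
			return "", tried, errors.New("validating credentials failed")
		}
		return id, tried, nil
	}
	if c.SkipRequestingAccountID {
		return "", tried, nil // account ID left empty, no lookup calls made
	}
	for _, api := range fallbacks {
		tried = append(tried, api)
		if id, ok := ep[api]; ok {
			return id, tried, nil
		}
	}
	if strict {
		return "", tried, errors.New("unable to determine AWS account ID")
	}
	return "", tried, nil
}

func main() {
	local := endpoint{} // constructed: a local endpoint with none of these APIs
	for _, c := range []config{{true, false}, {true, true}} {
		_, tried, err := resolve(c, local, true)
		fmt.Printf("%+v tried=%v err=%v\n", c, tried, err)
	}
}
```

With only skip_credentials_validation set, the model still walks all four fallback lookups, which is why the reported configuration reached STS; adding skip_requesting_account_id makes no lookup calls at all.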

nterry commented Sep 6, 2018

@bflad Thanks for the info! I will definitely include that moving forward.


ghost commented Apr 3, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
