AWS provider should use default region set in ~/.aws/config/

[hashibot]

This issue was originally opened by @BGnoinski as hashicorp/terraform#13579. It was migrated here as part of the provider split. The original body of the issue is below.

---

Terraform Version

terraform -v
Terraform v0.9.2

Affected Resource(s)

Please list the resources as a list, for example:

• provider "aws"

Terraform Configuration Files

provider "aws" {}

resource "aws_vpc" "vpc" {
  cidr_block = "10.20.0.0/16"
}

Expected Behavior

If you have
[default]
region=ca-central-1
set in ~/.aws/config the provider "aws" should use it if none set in the terraform config.

Actual Behavior

provider "aws" uses aws_access_key_id= and aws_secret_access_key= from ~/.aws/credentials but ignores ~/.aws/config .

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. terraform plan

terraform plan
provider.aws.region
  The region where AWS operations will take place. Examples
  are us-east-1, us-west-2, etc.

  Default: us-east-1
  Enter a value: 

Important Factoids

provider "aws" will respect environment variable AWS_DEFAULT_REGION= if set

AWS_DEFAULT_REGION=ca-central-1 terraform plan

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

The Terraform execution plan has been generated and is shown below.
Resources are shown in alphabetical order for quick scanning. Green resources
will be created (or destroyed and then created if an existing resource
exists), yellow resources are being changed in-place, and red resources
will be destroyed. Cyan entries are data sources to be read.

Note: You didn't specify an "-out" parameter to save this plan, so when
"apply" is called, Terraform can't guarantee this is what will execute.

+ aws_vpc.vpc
    assign_generated_ipv6_cidr_block: "false"
    cidr_block:                       "10.20.0.0/16"
    default_network_acl_id:           "<computed>"
    default_route_table_id:           "<computed>"
    default_security_group_id:        "<computed>"
    dhcp_options_id:                  "<computed>"
    enable_classiclink:               "<computed>"
    enable_dns_hostnames:             "<computed>"
    enable_dns_support:               "true"
    instance_tenancy:                 "<computed>"
    ipv6_association_id:              "<computed>"
    ipv6_cidr_block:                  "<computed>"
    main_route_table_id:              "<computed>"


Plan: 1 to add, 0 to change, 0 to destroy.

[TechnicalMercenary]

I'm wondering why this is marked as an enhancement ? Perhaps this isn't the exact issue that I'm looking for a solution.

https://www.terraform.io/docs/providers/aws/index.html#region

I'm looking for a solution where the region is set when the region is defined in the shared credentials file under the defined profile

[jtaylormayfield]

Either this should be relabeled as a bug, or the documentation needs to be updated to indicate the implemented functionality. Documentation states shared credentials can be used to determine the default region:

region - (Required) This is the AWS region. It must be provided, but it can also be sourced from the AWS_DEFAULT_REGION environment variables, or via a shared credentials file if profile is specified.

Unfortunately, the region config is actually ignored.

[bflad]

The documentation here probably could use some revamping to very clearly define the various pieces and ordering that go into authentication and region selection since both are pretty complex topics.

I believe there is a distinction between what AWS refers to as "shared credentials" (~/.aws/credentials) and "configuration" (~/.aws/config). Configuring the AWS SDK for Go documentation does specifically state this under "Specifying the AWS Region":

• Set the AWS_SDK_LOAD_CONFIG environment variable to true to get the region value from the config file in the .aws/ folder in your home directory

Does setting the AWS_SDK_LOAD_CONFIG=true environment variable work in your scenario? It seems like we should explicitly call this out in our documentation or potentially automatically turn it on.

[jtaylormayfield]

@bflad , here's a recent test from cmd:

C:\Some\folder>echo %AWS_SDK_LOAD_CONFIG%
true

C:\Some\folder>terraform plan
provider.aws.region
  The region where AWS operations will take place. Examples
  are us-east-1, us-west-2, etc.

  Default: us-east-1
  Enter a value:

It appears as though the environment variable is ignored by the provider.

[jtaylormayfield]

I'm guessing this provider definition code rules out the possibility of defaulting to the region configured in the SDK. It's a required field.

https://github.com/terraform-providers/terraform-provider-aws/blob/585897663c3f508c2d7a256aaa6798f1fa634698/aws/provider.go#L60-L69

[ewbankkit]

Similar:

• AWS Provider: support ~/.aws/config #186
• Terraform access to AWS credentials when using profiles #204

[github-actions]

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.