
[bug] AWS provider is not loading role_arn from CLI config file under each profile #758

Closed
hashibot opened this issue Jun 13, 2017 · 11 comments
Labels
bug Addresses a defect in current functionality. provider Pertains to the provider itself, rather than any interaction with AWS.
Comments

@hashibot

This issue was originally opened by @ju2wheels as hashicorp/terraform#14356. It was migrated here as part of the provider split. The original body of the issue is below.


Terraform Version

0.9.4

Affected Resource(s)

  • aws provider

Terraform Configuration Files

provider "aws" {}

# My resources here

In combination with ~/.aws/config:

[profile myprofile]
region = us-east-1
role_arn = arn:aws:iam::000000:role/admin

Expected Behavior

When I run my Terraform module with an empty AWS provider block, I expect that it will use the combination of environment variables and the AWS CLI configuration file profile without having to add an assume_role block with the role_arn property to the AWS provider

Running:

AWS_PROFILE=myprofile terraform apply

Actual Behavior

The Terraform AWS provider ignores the profile role specified in ~/.aws/config and runs it using the AWS credentials for the profile only resulting in it being put in the wrong role.

Steps to Reproduce

  1. Create an AWS CLI config that leverages a role configured per AWS guide under a profile that also has its credentials configured in ~/.aws/credentials.
  2. Specify the created profile name via AWS_PROFILE environment variable as shown above when running terraform.
  3. Run apply on any AWS resource with an empty AWS provider block as shown above and the resource will not be created under the proper role as specified by the profile configuration. Instead the only way to get it to work is to add an assume_role block to the AWS provider.
@hashibot hashibot added the bug Addresses a defect in current functionality. label Jun 13, 2017
@dsumsky

dsumsky commented Oct 10, 2017

Hello,
is there any progress in fixing this bug?
Thx

@bflad bflad added the provider Pertains to the provider itself, rather than any interaction with AWS. label Jan 29, 2018
@dcalhoun

@ju2wheels did you ever find a workaround for this issue? I am attempting to import an existing Route53 hosted zone and receiving similar permission errors.

@dcalhoun

@ju2wheels you can ignore my request. It turns out my issue was likely unrelated. While attempting to import an existing Route53 record, I mistakenly used the Alias Hosted Zone ID (found on an individual record) instead of the Hosted Zone ID (found on the hosted zone).

@rolfwessels

This bug still exists for me. I have not been able to figure out why but when we run Terraform in our docker container everything seems to work as expected. When I launch that same docker container as our main container in CircleCi then this bug presents itself.

I have a workaround using the provider, but it gets too messy given that the roles change based on whether CI or developers are running it.

provider "aws" {
  region  = "eu-west-1"
  # profile = "${local.this_is_production ? "production" : "development" }"
  # workaround for circle ci https://github.com/terraform-providers/terraform-provider-aws/issues/758
  profile = "master"
  assume_role {
    role_arn = "${local.this_is_production ? "arn:aws:iam::000000000000:role/deployer" : "arn:aws:iam::111111111111:role/deployer" }"
  }
}

@aeschright
Contributor

Hi @ju2wheels and others! This will be fixed in the next release with the upgrade to aws-sdk-go-base@0.4.0. Per the AWS docs, if you specify role_arn in your profile you will also need source_profile or credential_source.

@aeschright aeschright added this to the v2.32.0 milestone Oct 8, 2019
@bflad
Contributor

bflad commented Oct 10, 2019

Closing as #10379 was merged previously and v2.32.0 has been released. 👍

@bflad bflad closed this as completed Oct 10, 2019
@ghost

ghost commented Oct 10, 2019

This has been released in version 2.32.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@scalp42
Contributor

scalp42 commented Oct 18, 2019

@aerostitch we just tested with 2.33.0 and it's still broken for us unfortunately, you can see our AWS config is correct:

$> AWS_SDK_LOAD_CONFIG=1 AWS_REGION=us-west-2 terraform plan

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

data.terraform_remote_state.shared_us_west_2_vpc_shared: Refreshing state...
data.terraform_remote_state.dev_us_west_2_vpc_dev: Refreshing state...
data.terraform_remote_state.prod_global: Refreshing state...
data.terraform_remote_state.prod_us_west_2: Refreshing state...
data.terraform_remote_state.shared_us_west_2: Refreshing state...
data.terraform_remote_state.global: Refreshing state...

Error: Error refreshing state: 1 error occurred:
	* provider.aws.prod-us-west-2: Error creating AWS session: CredentialRequiresARNError: credential type source_profile requires role_arn, profile bridge
provider "aws" {
  alias  = "prod-us-west-2"
  region = "us-west-2"

  version             = "= 2.33.0"
  profile             = "prod"
  allowed_account_ids = ["123456789"]
}
$> cat ~/.aws/config
[profile prod]
role_arn = arn:aws:iam::123456789:role/admin
role_session_name = anthony-prod
source_profile = bridge
region = us-west-2

[profile bridge]
source_profile = bridge
region = us-west-2
$> terraform --version
Terraform v0.11.14
+ provider.aws v2.33.0

Your version of Terraform is out of date! The latest version
is 0.12.11. You can update by downloading from www.terraform.io/downloads.html

@aerostitch
Contributor

Hey @scalp42! Can you refresh my memory on why you're pinging me here please? (I have a really bad memory so it might be legitimate or you might just have made a typo and meant @aeschright maybe?)
Thanks for your help!
Joseph

@scalp42
Contributor

scalp42 commented Oct 21, 2019

I totally made a typo @aerostitch sorry about that.

I can confirm it works now, as I had an issue in the aws config file as well.

🎉

@ghost

ghost commented Nov 10, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Nov 10, 2019