S3 backend on nonAWS implementation (OCI) not working in 1.6.3 #34053

Closed
12345ieee opened this issue Oct 10, 2023 · 41 comments
Labels
backend/s3 bug new new issue not yet triaged

Comments

@12345ieee

12345ieee commented Oct 10, 2023

Terraform Version

Terraform v1.6.1
on linux_amd64
+ provider registry.terraform.io/hashicorp/null v3.2.1
+ provider registry.terraform.io/hashicorp/oci v5.9.0
+ provider registry.terraform.io/oracle/oci v5.1.0

Terraform Configuration Files

Config that worked in v1.5.x:

  backend "s3" {
    bucket                      = "<BUCKET>"
    key                         = "<FILENAME>"
    region                      = "eu-frankfurt-1"
    endpoint                    = "https://<ID>.compat.objectstorage.eu-frankfurt-1.oraclecloud.com"
    shared_credentials_file     = "PATH/TO/FILE"
    skip_region_validation      = true
    skip_credentials_validation = true
    skip_metadata_api_check     = true
    force_path_style            = true
  }

My attempt to port it to v1.6.1, guided by the init warnings, but still failing; skip_requesting_account_id didn't help at all:

  backend "s3" {
    bucket                      = "<BUCKET>"
    key                         = "<FILENAME>"
    region = "eu-frankfurt-1"
    endpoints = {
      s3 = "https://<ID>.compat.objectstorage.eu-frankfurt-1.oraclecloud.com"
    }
    shared_credentials_files    = ["PATH/TO/FILE"]
    skip_region_validation      = true
    skip_credentials_validation = true
    skip_metadata_api_check     = true
    skip_requesting_account_id  = true
    use_path_style              = true
  }

Debug Output

See below

Expected Behavior

For my init to go through, like it did in tf 1.5.x with the old config.

In all honesty I'd have preferred not to need an init at all, but I can live with this.

Actual Behavior

The relevant log part is thankfully short:
$ TF_LOG=trace terraform init -reconfigure

[...]
2023-10-11T01:43:32.025+0200 [TRACE] backend-s3.aws-base: Resolving AWS configuration: tf_backend.operation=Configure tf_backend.req_id=4951b714-0978-3879-4889-51e8b4093226 tf_backend.s3.bucket=terraform-state tf_backend.s3.path=[REDACTED]
2023-10-11T01:43:32.025+0200 [DEBUG] backend-s3.aws-base: Resolving credentials provider: tf_backend.operation=Configure tf_backend.req_id=4951b714-0978-3879-4889-51e8b4093226 tf_backend.s3.bucket=terraform-state tf_backend.s3.path=[REDACTED]
2023-10-11T01:43:32.025+0200 [TRACE] backend-s3.aws-base: Building default HTTP client: tf_backend.operation=Configure tf_backend.req_id=4951b714-0978-3879-4889-51e8b4093226 tf_backend.s3.bucket=terraform-state tf_backend.s3.path=[REDACTED]
2023-10-11T01:43:32.025+0200 [DEBUG] backend-s3.aws-base: Loading configuration: tf_backend.operation=Configure tf_backend.req_id=4951b714-0978-3879-4889-51e8b4093226 tf_backend.s3.bucket=terraform-state tf_backend.s3.path=[REDACTED]
2023-10-11T01:43:32.025+0200 [DEBUG] backend-s3.aws-base: Retrieving credentials: tf_backend.operation=Configure tf_backend.req_id=4951b714-0978-3879-4889-51e8b4093226 tf_backend.s3.bucket=terraform-state tf_backend.s3.path=[REDACTED]
╷
│ Error: No valid credential sources found
│ 
│ Please see https://www.terraform.io/docs/language/settings/backends/s3.html
│ for more information about providing credentials.
│ 
│ Error: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, access disabled to EC2 IMDS via client option, or
│ "AWS_EC2_METADATA_DISABLED" environment variable
│ 
╵

Steps to Reproduce

$ terraform init -reconfigure

Additional Context

The documentation at https://developer.hashicorp.com/terraform/language/settings/backends/s3 has not been updated, that didn't help.

@12345ieee 12345ieee added bug new new issue not yet triaged labels Oct 10, 2023
@crw crw added the backend/s3 label Oct 11, 2023
@hegerdes

hegerdes commented Oct 11, 2023

I can get it to initialize, but apply and destroy fail to persist data to the backend. It creates some checksum content errors.

For testing I used hard-coded secrets:

  backend "s3" {
    bucket                      = "<BUCKET>"
    key                         = "<FILENAME>"
    region = "eu-frankfurt-1"
    endpoints = {
      s3 = "https://my-dell-s3.com"
    }
    access_key = "<MY_KEY>"
    secret_key = "<MY_SECRET>"
    skip_region_validation      = true
    skip_credentials_validation = true
    skip_metadata_api_check     = true
    skip_requesting_account_id  = true
    use_path_style              = true
  }

As I said, init works but plan and destroy fail with:

Error: Failed to save state

Error saving state: failed to upload state: operation error S3: PutObject, https response error StatusCode: 400, RequestID: 0a3d0687:189c57fbda4:59f00:c15, HostID:
081a966b5d23d91a6a72d9bcc2f38088d47ca56d8e6c7ee9b2c0055d044ae504, api error XAmzContentSHA256Mismatch: The Content-SHA256 you specified did not match what we received

Error: Failed to persist state to backend

The error shown above has prevented Terraform from writing the updated state to the configured backend. To allow for recovery, the state has been written to the file
"errored.tfstate" in the current working directory.

Running "terraform apply" again at this point will create a forked state, making it harder to recover.

To retry writing this state, use the following command:
    terraform state push errored.tfstate

Why does Terraform not check whether it can successfully put an object (with content SHA check) before executing the entire plan? Either before apply or, even better, while doing init.

Honestly, all these S3-related errors do not shine a good light on HashiCorp's testing processes. These are not some abstruse functions that do not work; it's basic functionality.

@12345ieee
Author

I didn't try with hardcoded credentials because it's a hard requirement for me to have them in a file, but now I'm even less inclined to do more tests.

Thanks for the warning @hegerdes

@mmeier86

@hegerdes For what it's worth, I'm seeing the same error using Ceph's S3 compatible storage. Because @12345ieee seems to have a slightly different problem, I opened a separate bug at #34086.

@holms

holms commented Oct 18, 2023

Same issue with digital ocean spaces:

terraform {
  backend "s3" {
    skip_region_validation      = true
    skip_credentials_validation = true
    skip_metadata_api_check     = true
    skip_requesting_account_id  = true
    use_path_style              = true
    endpoints = {
      s3 = "https://fra1.digitaloceanspaces.com"
    }
    region                      = "fra1" // needed
    bucket                      = "thorauto-terraform"
    key                         = "terraform.tfstate"
   }
}

My log actually contains credentials and it's hard to cut them out, as there are loads of them in that debug dump. When initializing Terraform with TF_LOG=trace terraform init -reconfigure I got this in the end:

2023-10-17T20:23:32.876-0400 [DEBUG] backend-s3: request failed with unretryable error https response error StatusCode: 404, RequestID: tx000004f34a2fd54a02d9e-00652f2584-bc9d9e76-fra1b, HostID: , NotFound: : tf_backend.operation=Get tf_backend.req_id=f5b7932f-5421-236a-d44a-872551a750e9 tf_backend.s3.bucket=thorauto-terraform tf_backend.s3.path=terraform.tfstate

404 in here, which probably means it can read files, but when trying to do terraform apply I got this:

holms@holms:~/Dev/thorauto/devops-terraform$ terraform apply

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.
╷
│ Error: Failed to save state
│ 
│ Error saving state: failed to upload state: operation error S3: PutObject, https response error StatusCode: 400, RequestID: tx0000091e5bd9cbc728794-00652f2702-bc9dee4b-fra1b, HostID: bc9dee4b-fra1b-fra1-zg02, api error XAmzContentSHA256Mismatch: UnknownError
╵
╷
│ Error: Failed to persist state to backend
│ 
│ The error shown above has prevented Terraform from writing the updated state to the configured backend. To allow for recovery, the state has been written to the file "errored.tfstate" in the current working directory.
│ 
│ Running "terraform apply" again at this point will create a forked state, making it harder to recover.
│ 
│ To retry writing this state, use the following command:
│     terraform state push errored.tfstate
│ 
╵

@zeyad-sitech

Same issue here...

@jar-b
Member

jar-b commented Oct 20, 2023

Unfortunately we are unable to test changes to the S3 backend against the various S3-compatible storage providers, though it is never our intention to break existing workflows. I would recommend raising this with the upstream providers as the behavior has been confirmed to work correctly with Amazon S3. As part of the S3 Backend maintenance we did move from using v1 of the AWS Go SDK to v2, specifically adopting the S3 Manager feature which improves performance on large state files. It's possible that these providers have not implemented this functionality. We may be able to help resolve these issues with more information from those provider teams, but at this time cannot commit to investigating further.

@hegerdes

hegerdes commented Oct 21, 2023

@jar-b Thanks for the statement but this is not a great perspective going forward.
It is totally clear that HashiCorp can't test against all of the existing S3 implementations, but it is not like there are problems with just one provider. Digital Ocean and Ceph are not some small vendors. We are also having problems with a system from Dell. Your comment implies that it wasn't tested against ANY other provider than AWS, which (as you said) was not documented. The documentation just said that S3 works if the required permissions (put, list, etc.) are fulfilled. It also looks like there is not much interest in fixing this problem when pointing to the various S3 vendors - maybe it's because HashiCorp wants to push its own cloud backend?
Version 1.6.x is just not usable for a lot of people. This kind of stuff and behavior is the reason why so many people want to see OpenTofu succeed.

@crw
Contributor

crw commented Oct 23, 2023

@hegerdes Thanks for the feedback. For vendors which offer "S3-compatible" services, the burden of compatibility falls on those vendors. HashiCorp is supporting a backend for the AWS S3 service, and is leveraging the Golang AWS SDK to do so. As AWS updates its SDK, other competing services may fall behind on compatibility for some amount of time. We plan to update the S3 backend documentation to make this nuance of using the S3 backend more explicit.

I apologize for any frustration this may cause. Thanks again for your continued feedback on this issue!

@gdavison
Contributor

Hello everyone. @12345ieee's initial report was a failure due to failing authentication:

Error: No valid credential sources found

A number of other people have reported different errors with their use of "S3-compatible" services, all related to the error XAmzContentSHA256Mismatch. This is related to the ChecksumAlgorithm S3 API parameter that is required in some cases for S3 and recommended in others. It appears that most "S3-compatible" services either don't support the parameter or don't support setting certain values.

Typically, we ask for separate issues for separate problems. In this case, we already have several issues related to XAmzContentSHA256Mismatch, so that is not required.

@gdavison
Contributor

@12345ieee, can you please share your shared credentials file (with sensitive values blanked out)?

@12345ieee
Author

Sure @gdavison, here you go:

[default]
aws_access_key_id = [REDACTED]
aws_secret_access_key = [REDACTED]

@rp-jasonp

Seeing slightly different errors, following thread.

Hashicorp: Please revert changes to s3 backend provider, create s3_v2 provider or some such solution going forward.

We may look to accelerate moving our states to Artifactory.

terraform {
  backend "s3" {
    bucket                      = "<BUCKET>"
    key                         = "<STATE KEY>"
    region                      = "us-phoenix-1"
    endpoint                    = "https://<ID>.compat.objectstorage.us-phoenix-1.oraclecloud.com"
    skip_region_validation      = true
    skip_credentials_validation = true
    skip_metadata_api_check     = true
    force_path_style            = true
  }
}
Error: Retrieving AWS account details: AWS account ID not previously found and failed retrieving via all available methods. See https://www.terraform.io/docs/providers/aws/index.html#skip_requesting_account_id for workaround and implications. Errors: 2 errors occurred:
      * retrieving caller identity from STS: operation error STS: GetCallerIdentity, https response error StatusCode: 0, RequestID: , request send failed, Post "https://sts.us-phoenix-1.amazonaws.com/": dial tcp: lookup sts.us-phoenix-1.amazonaws.com: no such host
      * retrieving account information via iam:ListRoles: operation error IAM: ListRoles, https response error StatusCode: 403, RequestID: <REQID from OCI> , api error InvalidClientTokenId: The security token included in the request is invalid.

@jar-b
Member

jar-b commented Oct 24, 2023

@rp-jasonp - you may also need to set the skip_requesting_account_id argument:

https://developer.hashicorp.com/terraform/language/settings/backends/s3#skip_requesting_account_id

@rp-jasonp

No dice.

Post "https://sts.us-phoenix-1.amazonaws.com/":

Oracle's official doc reference: https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformUsingObjectStore.htm

@gdavison
Contributor

@rp-jasonp, since this is a different problem from @12345ieee's (and not related to XAmzContentSHA256Mismatch), please open a separate issue.

@mark-wff

Same error here:

terraform {
  backend "s3" {
    endpoints = {
      s3 = "https://fra1.digitaloceanspaces.com"
    }
    region = "fra1"
    bucket = ""
    key    = "key"
    secret_key = ""
    access_key = ""
    skip_region_validation = true
    skip_requesting_account_id = true
    skip_credentials_validation = true
    skip_metadata_api_check = true
  }
╷
│ Error: Error saving current state
│ 
│ Error: failed to upload state: operation error S3: PutObject, https response error StatusCode: 400, RequestID: tx0000082ece50911b02170-00653a0845-bc9d8cdc-fra1b, HostID: bc9d8cdc-fra1b-fra1-zg02, api error XAmzContentSHA256Mismatch: UnknownError
│ 
│ Terraform encountered an error attempting to save the state before cancelling the current operation. Once the operation is complete another attempt will be made to save the final state.

@frittentheke

I recently ran into issues with mountpoint-s3 not working with Ceph RADOSGW with the XAmzContentSHA256Mismatch error being thrown. I know mountpoint-s3 is written in Rust ... but still it's a very current S3 library and likely AWS is doing something "new" here. Issue lives at: https://tracker.ceph.com/issues/63153

@vineelachavali

I do use OCI and it's failing with the same latest error; can someone please look into it?

│
│   on variables.tf line 44, in terraform:
│   44:     force_path_style            = true
│
│ The parameter "force_path_style" is deprecated. Use parameter
│ "use_path_style" instead.
╵

╷
│ Error: Retrieving AWS account details: AWS account ID not previously found and failed retrieving via all available methods. See https://www.terraform.io/docs/providers/aws/index.html#skip_requesting_account_id for workaround and implications. Errors: 2 errors occurred:
│       * retrieving caller identity from STS: operation error STS: GetCallerIdentity, https response error StatusCode: 0, RequestID: , request send failed, Post "https://sts.ap-tokyo-1.amazonaws.com/": dial tcp: lookup sts.ap-tokyo-1.amazonaws.com: no such host
│       * retrieving account information via iam:ListRoles: operation error IAM: ListRoles, https response error StatusCode: 403, RequestID: 73b70f40-d5ac-4a65-9d38-3c89ecaf96d7, api error InvalidClientTokenId: The security token included in the request is invalid.

@12345ieee 12345ieee changed the title S3 backend on nonAWS implementation (OCI) not working in 1.6.1 S3 backend on nonAWS implementation (OCI) not working in 1.6.3 Nov 6, 2023
@12345ieee
Author

I know it wasn't the aim of 1.6.3, but that didn't solve the issue on OCI (Oracle Cloud) Object Storage either.
Updating the title, I'll bring this up with OCI support as well.

@yordis

yordis commented Nov 9, 2023

Any idea of what to do here? My setup just stopped working and I can't tell what to do anymore. I seriously would appreciate any guidelines if you got it to work with Digital Ocean.

terraform 1.6.3
╷
Initializing modules...
│ Error: No valid credential sources found
│ 
│ Please see https://www.terraform.io/docs/language/settings/backends/s3.html
│ for more information about providing credentials.
│ 
│ Error: failed to refresh cached credentials, no EC2 IMDS role found,
│ operation error ec2imds: GetMetadata, access disabled to EC2 IMDS via
│ client option, or "AWS_EC2_METADATA_DISABLED" environment variable
│ 
╵
terraform {
  backend "s3" {
    bucket = "[REDACTED]"
    endpoints = {
      s3 = "https://nyc3.digitaloceanspaces.com"
    }
    key                         = "[REDACTED]/terraform.tfstate"
    region                      = "us-east-1"
    skip_credentials_validation = true
    skip_metadata_api_check     = true
    skip_requesting_account_id  = true
    skip_s3_checksum            = true
    skip_region_validation      = true
  }
}

I am really disliking HashiCorp's comment.

I am not even an Ops dev, so I cannot afford such breaking changes when I have the very minimal skills to get things done, and I can't put up with such a horrific way to treat the ecosystem, to say the least. Really lazy to blame others for your failures.

I do not appreciate it a bit!

@crw
Contributor

crw commented Nov 9, 2023

Hi @yordis, thanks for your comment. Just a reminder to please follow the Community Guidelines when posting.

As a quick suggestion, unless you specifically needed one of the new features from 1.6, you can continue to use 1.5.7 where your old config will continue to work.

@holms

holms commented Nov 10, 2023

I'm also furious in here, so I've contacted digital ocean regarding how they gonna deal with this. They said they gonna try to fix api on their side so that it would work with latest terraform. I believe we need to create a ticket for them in digitalocean/terraform-provider-digitalocean repo. Also I've asked for the update by email just now as they had internal discussion about this for the last couple of weeks.

@holms

holms commented Nov 10, 2023

Hi @yordis, thank for your comment. Just a reminder to please follow the Community Guidelines when posting.

As a quick suggestion, unless you specifically needed one of the new features from 1.6, you can continue to use 1.5.7 where your old config will continue to work.

If people are furious, I believe something should be done about this. It's absolutely unacceptable to avoid backward compatibility in such a manner. Also it's quite sad that HashiCorp doesn't partner with the top 10 biggest cloud providers so they could adapt to upcoming changes before executing such drastic changes which break everyone's infrastructure. And I speak about companies who have tens of millions turnover per month.

Our company needs infrastructure tests from the latest version and I can't stick to the older one. Now I've split states and am using a different version on each of them with the help of Docker, which is a real pain. But this will do for a while. But the policies which HashiCorp is using don't play well with the IT market. That's not how open source works, especially when so many companies are dependent on you. Also, who made the decision to rely on the AWS SDK for S3 remote states anyway? Use OpenStack as a base for S3, and everything will work everywhere.

@holms

holms commented Nov 10, 2023

Ok here's update from Digital ocean:

A change has been merged into TF that should obviate this problem: #34130
The release for that change was TF v1.6.3 (according to the description), which happened on the 1st of November.

@frittentheke

On the Ceph RADOSGW side (which is the software that quite a lot of non-AWS S3 services use) there already are plans to implement the missing feature for the upcoming version: https://tracker.ceph.com/issues/63153#note-8

@sosiskin2000

sosiskin2000 commented Dec 6, 2023

+1 for OCI, after apply

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.
╷
│ Error: Failed to save state
│ 
│ Error saving state: failed to upload state: operation error S3: PutObject, https response error StatusCode: 400, RequestID: lhr-1:cZsaCiYlaGoJrJ-pwZOI8Yqi_XIk71-YxVnQphsaqSO8Y6FXtsmsD5NxKMhYEFED, HostID: , api error InvalidArgument:
│ x-amz-content-sha256 must be UNSIGNED-PAYLOAD or a valid sha256 value.
╵
╷
│ Error: Failed to persist state to backend
│ 
│ The error shown above has prevented Terraform from writing the updated state to the configured backend. To allow for recovery, the state has been written to the file "errored.tfstate" in the current working directory.
│ 
│ Running "terraform apply" again at this point will create a forked state, making it harder to recover.
│ 
│ To retry writing this state, use the following command:
│     terraform state push errored.tfstate

@matkovskiy

Hello.
To fix this, add skip_s3_checksum = true to the Terraform backend configuration.
Configuration which works for me:

terraform {
  backend "s3" {
    bucket                      = "BUCKET_NAME"
    region                      = "REGION"
    key                         = "tf.tfstate"
    skip_region_validation      = true
    skip_credentials_validation = true
    skip_requesting_account_id  = true
    use_path_style              = true
    insecure                    = true
    skip_metadata_api_check     = true
    skip_s3_checksum            = true
    access_key                  = "XXXXXX"
    secret_key                  = "YYYYYYYYYY"
    endpoints = {
      s3 = "https://ID.compat.objectstorage.REGION.oraclecloud.com"
    }
  }
}

P.S. access_key and secret_key are just for demo; don't use them in a real environment.

P.P.S. From #34086

@sosiskin2000

To fix this add skip_s3_checksum = true to terraform backend configuration.

Works for me, thank you.

@jeliker

jeliker commented Jan 5, 2024

I got it working with 1.6.6 and OCI. Essentially these…

  skip_credentials_validation = true
  skip_region_validation      = true
  skip_requesting_account_id  = true
  skip_metadata_api_check     = true
  skip_s3_checksum            = true
  use_path_style              = true

Note that I don't set `profile` or `shared_credentials_files` but instead have my credentials in the default `~/.aws/credentials` and I set the environment variable `AWS_PROFILE`.

Otherwise, critical for me was that I found the error also occurs if you have a remote state reference. You need those additions as well there. Your error about STS is probably directly related to missing skip_requesting_account_id.

data "terraform_remote_state" "remote" {
  backend = "s3"

  config = {
    bucket   = "devops"
    key      = "tfstate/terraform.tfstate"
    region   = "us-phoenix-1"
    endpoints = {
      s3 = "https://[REDACTED].compat.objectstorage.us-phoenix-1.oraclecloud.com"
    }

    skip_credentials_validation = true
    skip_region_validation      = true
    skip_requesting_account_id  = true
    skip_metadata_api_check     = true
    skip_s3_checksum            = true
    use_path_style              = true
  }
}

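A triage helper, added here as example code rather than anything from this thread or from Terraform itself: it reads a backend block plus the error text and maps the error families quoted above (XAmzContentSHA256Mismatch / x-amz-content-sha256, the STS "Retrieving AWS account details" failure, "No valid credential sources found") to the arguments commenters reported adding, and flags the 1.5.x names (endpoint, shared_credentials_file, force_path_style) that 1.6 renamed. The HCL reader is a simplified line parser for flat backend blocks, an assumption of this example, not Terraform's own parser.

```python
"""Triage helper for Terraform 1.6 S3-backend errors against S3-compatible stores.
Example code written for this thread, not Terraform's own.  Assumes a multi-line HCL
backend block (nested maps like `endpoints = { s3 = "..." }` become dotted keys) and
the error text as printed by `terraform init`/`apply`."""
import re
from dataclasses import dataclass

# 1.5.x argument names that 1.6 renamed (the init warnings the reporter followed).
RENAMED = {
    "endpoint": 'endpoints = { s3 = "..." }',
    "shared_credentials_file": 'shared_credentials_files = ["..."]',
    "force_path_style": "use_path_style",
}
# (category, regex over the error text, arguments that must be true, note): the error
# families quoted in this thread and the arguments commenters reported adding.
ERROR_RULES = (
    ("checksum", r"XAmzContentSHA256Mismatch|x-amz-content-sha256 must be UNSIGNED-PAYLOAD",
     ("skip_s3_checksum",), "store rejects the SDK v2 PutObject checksum headers"),
    ("account_id", r"Retrieving AWS account details|sts\.[a-z0-9-]+\.amazonaws\.com|iam:ListRoles",
     ("skip_requesting_account_id", "skip_credentials_validation"),
     "backend called STS/IAM, which only AWS serves; terraform_remote_state blocks need it too"),
    ("credentials", r"No valid credential sources found|no EC2 IMDS role found", (),
     "SDK resolved no credentials; check the shared credentials file path and its "
     "[default] section, or set AWS_PROFILE"),
)


@dataclass
class Finding:
    category: str
    suggest: list   # arguments to add (or rename to); empty when only a manual check applies
    note: str


def parse_backend(hcl: str) -> dict:
    """Flatten a backend "s3" block into {attribute: value}; nested maps get dotted keys."""
    attrs, prefix = {}, []
    for raw in hcl.splitlines():
        # Drop trailing `// ...` / `# ...` comments; a `//` inside a URL has no space before it.
        line = re.sub(r"\s(//|#).*$", "", raw).strip()
        if not line:
            continue
        inline = re.match(r"^([A-Za-z_]\w*)\s*=\s*\{(.+)\}$", line)   # endpoints = {s3 = "..."}
        if inline:
            for m in re.finditer(r'(\w+)\s*=\s*("[^"]*"|\S+)', inline.group(2)):
                attrs[f"{inline.group(1)}.{m.group(1)}"] = m.group(2).strip('"')
            continue
        opener = re.match(r"^([A-Za-z_]\w*)\s*=\s*\{$", line)        # endpoints = {
        if opener:
            prefix.append(opener.group(1))
            continue
        if line == "}":
            prefix = prefix[:-1]
            continue
        attr = re.match(r"^([A-Za-z_]\w*)\s*=\s*(.+)$", line)
        if attr:
            attrs[".".join(prefix + [attr.group(1)])] = attr.group(2).strip().strip('"')
    return attrs


def diagnose(hcl: str, error_text: str) -> list:
    """Renamed 1.5.x arguments still present, then each matched error family with the
    arguments the block does not yet set to true."""
    attrs = parse_backend(hcl)
    findings = [Finding("renamed", [RENAMED[old]], f"{old} is the pre-1.6 name")
                for old in RENAMED if old in attrs]
    for category, pattern, needed, note in ERROR_RULES:
        if re.search(pattern, error_text):
            missing = [a for a in needed if attrs.get(a, "").lower() != "true"]
            findings.append(Finding(category, missing, note))
    return findings


# Constructed samples, abbreviated from configurations and messages quoted in this thread.
OCI_BACKEND_1_5 = """
  backend "s3" {
    region                      = "eu-frankfurt-1"
    endpoint                    = "https://<ID>.compat.objectstorage.eu-frankfurt-1.oraclecloud.com"
    shared_credentials_file     = "PATH/TO/FILE"
    skip_credentials_validation = true
    force_path_style            = true
  }
"""
SPACES_BACKEND = """
terraform {
  backend "s3" {
    endpoints = {
      s3 = "https://fra1.digitaloceanspaces.com"
    }
    region                      = "fra1" // needed
    skip_credentials_validation = true
    skip_requesting_account_id  = true
  }
}
"""
CHECKSUM_ERROR = ("failed to upload state: operation error S3: PutObject, https response error "
                  "StatusCode: 400, api error XAmzContentSHA256Mismatch: UnknownError")
ACCOUNT_ERROR = "Error: Retrieving AWS account details: AWS account ID not previously found"

if __name__ == "__main__":
    for f in diagnose(SPACES_BACKEND, CHECKSUM_ERROR) + diagnose(OCI_BACKEND_1_5, ACCOUNT_ERROR):
        print(f"[{f.category}] {', '.join(f.suggest) or 'check only'}: {f.note}")
```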
@gantta

gantta commented Mar 7, 2024

Encountered this with Terraform version v1.7.4 as well.

❯ terraform version
Terraform v1.7.4
on darwin_arm64
+ provider registry.terraform.io/hashicorp/null v3.1.0
+ provider registry.terraform.io/oracle/oci v5.30.0

Using OCI for remote state S3 backend and Oracle's documentation, I encountered the same surprising error message AFTER terraform apply created the resources:

╷
│ Error: Failed to save state
│ 
│ Error saving state: failed to upload state: operation error S3: PutObject, https response error StatusCode: 400, RequestID:
│ iad-1:B9UETKCkS7JqOriMsjfljnZXgJ_Nh6nqtl3R-VgJB5zhfj6mZueR-Vm_xviWX-e1, HostID: , api error InvalidArgument: x-amz-content-sha256
│ must be UNSIGNED-PAYLOAD or a valid sha256 value.
╵
╷
│ Error: Failed to persist state to backend
│ 
│ The error shown above has prevented Terraform from writing the updated state to the configured backend. To allow for recovery, the
│ state has been written to the file "errored.tfstate" in the current working directory.
│ 
│ Running "terraform apply" again at this point will create a forked state, making it harder to recover.
│ 
│ To retry writing this state, use the following command:
│     terraform state push errored.tfstate
│ 
╵

Reading through the comments above, I added the skip_s3_checksum = true configuration and was able to successfully reconfigure the backend and upload the errored statefile:

❯ terraform init -reconfigure

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.

Initializing provider plugins...
- Reusing previous version of hashicorp/null from the dependency lock file
- Reusing previous version of oracle/oci from the dependency lock file
- Using previously-installed hashicorp/null v3.1.0
- Using previously-installed oracle/oci v5.30.0

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

❯ terraform state push errored.tfstate

And I can verify the state file is now present in my OCI bucket.

> oci os object list -ns <my-bucket-namespace> -bn <my-bucket>
{
  "data": [
    {
      "archival-state": null,
      "etag": "da5b84c7-d80f-4fb1-b68c-14352985a975",
      "md5": "PFvsKR2ny4ahwFY481W6KA==",
      "name": "tf-landing-zone.tfstate",
      "size": 5432,
      "storage-tier": "Standard",
      "time-created": "2024-03-07T07:14:39.992000+00:00",
      "time-modified": "2024-03-07T07:14:39.992000+00:00"
    }
  ],
  "prefixes": []
}

@frittentheke

On the Ceph RADOSGW side (which is the software that quite a lot of non-AWS S3 services use) there already are plans to implement the missing feature for the upcoming version: https://tracker.ceph.com/issues/63153#note-8

The missing checksum features / bugfixes were merged to Ceph master three weeks ago: ceph/ceph#54856. It's also planned to backport them to the Reef and Quincy releases, but that is still ongoing.

@noprobsdk

Hi

I'm using TF/OCI, and I encountered this error today. Worked fine yesterday.

Error: Failed to get existing workspaces: Unable to list objects in S3 bucket "-terraform-state-": operation error S3: ListObjectsV2, https response error StatusCode: 403, RequestID: fra-1:pWnsaVPzVkERWDRo*************RY3eb8kjAEbaajwyCvRZFjSzksi, HostID: , api error SignatureDoesNotMatch: The secret key required to complete authentication could not be found. The region must be specified if this is not the home region for the tenancy.

My backend.tf:

terraform {
  backend "s3" {
    bucket                      = "-terraform-state-*"
    key                         = "./terraform.tfstate"
    region                      = "eu-frankfurt-1"
    endpoints                   = { s3 = "https://frm**crv.compat.objectstorage.eu-frankfurt-1.oraclecloud.com" }
    shared_credentials_files    = ["~/.oci/aws_s3_compatible_credentials"]
    skip_region_validation      = true
    skip_credentials_validation = true
    skip_metadata_api_check     = true
    use_path_style              = true
    skip_requesting_account_id  = true
    skip_s3_checksum            = true
  }
}

Tried everything, also old backend.tf with TF v1.5.x

All development has stopped, as we can't deploy. Oracle Support says they have several reports on this.

@patilak1

Hello.
To fix this, add skip_s3_checksum = true to the terraform backend configuration.
Configuration which works for me:

terraform {
  backend "s3" {
    bucket                      = "BUCKET_NAME"
    region                      = "REGION"
    key                         = "tf.tfstate"
    skip_region_validation      = true
    skip_credentials_validation = true
    skip_requesting_account_id  = true
    use_path_style              = true
    insecure                    = true
    skip_metadata_api_check     = true
    skip_s3_checksum            = true
    access_key                  = "XXXXXX"
    secret_key                  = "YYYYYYYYYY"
    endpoints                   = { s3 = "https://ID.compat.objectstorage.REGION.oraclecloud.com" }
  }
}

P.s. access_key and secret_key are just for demo, don't use them in a real environment.
P.p.s. from #34086:

How to refer to this access key and secret key from the GitHub runner file, i.e. /.AWS/credentials, here... I tried directly by echoing the keys but it didn't work. Can you please suggest what the configuration could be in main.tf and in the workflow for the backend?

terraform {
  backend "s3" {
    bucket                      = "xxx"
    key                         = "xx"
    region                      = "xxxx"
    skip_region_validation      = true
    skip_credentials_validation = true
    skip_metadata_api_check     = true
    skip_requesting_account_id  = true
    use_path_style              = true
    skip_s3_checksum            = true
    access_key                  = "~/.aws/credentials"
    secret_key                  = "~/.aws/credentials"
    endpoints                   = { s3 = "xxxx" }
  }
}

In the GitHub workflow:

  - name: 'Configure default profile'
    shell: bash
    run: |
      mkdir ~/.aws
      echo "[default]" >> ~/.aws/credentials
      echo access_key="$AWS_ACCESS_KEY_ID" >> ~/.aws/credentials
      echo secret_key="$AWS_SECRET_ACCESS_KEY" >> ~/.aws/credentials
      chmod ugo+rwx ~/.aws/credentials

Getting this error in terraform init:

Error: Failed to get existing workspaces: Unable to list objects in S3 bucket "***": operation error S3: ListObjectsV2, https response error StatusCode: 400, RequestID: arn-1:1xxxxxx, HostID: , api error AuthorizationHeaderMalformed: Unable to parse Authorization header AWS4-HMAC-SHA256 Credential=~/.aws/credentials/20240311/***/s3/aws4_request, SignedHeaders=accept-encoding;amz-sdk-invocation-id;host;x-amz-content-sha256;x-amz-date, Signature=4xxxxx

@noprobsdk

Hi, OCI must have done something, as it works now :) Both TFs on 1.5.x and 1.6.x.

@patilak1

patilak1 commented Mar 11, 2024

Hi, OCI must have done something, as it works now :) Both TFs on 1.5.x and 1.6.x.

Could you possibly share with me the reference code for the configuration? It is working if I put the secret key and access key values directly in the backend configuration, but that doesn't seem to be a feasible way. Can someone please guide me on how the values for the access key and secret key can be referenced?

@jeliker

jeliker commented Mar 11, 2024

I have credentials defined in ~/.aws/credentials under a certain profile (I manage multiple tenancies so have many profiles). Then I configure S3 state storage like this:

terraform {
  backend "s3" {
    bucket    = "devops"
    key       = "tfstate/terraform.tfstate"
    region    = "us-ashburn-1"
    endpoints = { s3 = "https://REDACTED.compat.objectstorage.us-ashburn-1.oci.customer-oci.com" }

    skip_region_validation      = true
    skip_credentials_validation = true
    skip_requesting_account_id  = true
    skip_metadata_api_check     = true
    skip_s3_checksum            = true
    use_path_style              = true
  }
}

I ensure environment variable AWS_PROFILE is set to the profile I need and run terraform init -reconfigure. After that all is good!

Also ensure you use the same backend content above in the config portion of any remote state data sources.
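The pattern jeliker describes (credentials in a profile, the backend pointing at that profile, no keys inside backend.tf) is what patilak1's runner step was trying to reach. The script below is an added example, not code from this thread, from Terraform or from Oracle: it writes the profile with the key names the AWS SDK credentials parser actually reads (aws_access_key_id / aws_secret_access_key, not access_key / secret_key), creates the file with mode 0600 rather than ugo+rwx, verifies the result, and flags any backend block that still carries access_key or secret_key inline. The profile name, key values and endpoint namespace are constructed placeholders.

```shell
#!/bin/sh
# Added example: not code from this issue thread, Terraform or Oracle.
# Writes the S3-compatible credentials a named profile needs, with the key
# names the AWS SDK parses and mode 0600, verifies the file, and flags any
# backend block that still carries access_key/secret_key inline.
# Profile name, key values and the endpoint namespace are placeholders.
set -eu

# write_oci_profile FILE PROFILE ACCESS_KEY_ID SECRET_KEY
# Creates FILE with a single [PROFILE] section. umask 077 in a subshell makes
# the file 0600 at creation; the chmod afterwards covers a pre-existing file.
write_oci_profile() {
  file=$1 profile=$2 akid=$3 secret=$4
  mkdir -p "$(dirname "$file")"
  (
    umask 077
    printf '[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\n' \
      "$profile" "$akid" "$secret" > "$file"
  )
  chmod 600 "$file"
}

# file_mode FILE -> octal permission bits (GNU stat first, BSD stat fallback)
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_profile FILE PROFILE
# Returns 0 only if FILE is mode 600 and [PROFILE] defines aws_access_key_id
# and aws_secret_access_key. Anything else (the `access_key=` lines the runner
# step in the thread produced, a world-readable file) is rejected with a reason.
check_profile() {
  file=$1 profile=$2
  [ -f "$file" ] || { echo "missing credentials file: $file" >&2; return 1; }
  mode=$(file_mode "$file")
  [ "$mode" = "600" ] || { echo "$file is mode $mode, want 600" >&2; return 1; }
  # Keep only the lines between [PROFILE] and the next section header.
  section=$(awk -v hdr="[$profile]" '$0 == hdr {f=1; next} /^\[/ {f=0} f' "$file")
  for key in aws_access_key_id aws_secret_access_key; do
    printf '%s\n' "$section" | grep -q "^[[:space:]]*$key[[:space:]]*=" ||
      { echo "profile [$profile] in $file lacks $key" >&2; return 1; }
  done
  return 0
}

# hcl_has_inline_keys FILE
# Returns 0 (true) if FILE assigns access_key or secret_key as an attribute,
# i.e. a secret is sitting in the backend block instead of a profile.
hcl_has_inline_keys() {
  grep -Eq '^[[:space:]]*(access_key|secret_key)[[:space:]]*=' "$1"
}

# Demo on a scratch directory with constructed values.
demo=$(mktemp -d)
write_oci_profile "$demo/credentials" oci-frankfurt EXAMPLEKEYID EXAMPLESECRET
check_profile "$demo/credentials" oci-frankfurt && echo "profile oci-frankfurt ok"

# The shape the runner step in the thread produced: wrong key names, 0777.
printf '[default]\naccess_key=EXAMPLE\nsecret_key=EXAMPLE\n' > "$demo/runner_creds"
chmod 777 "$demo/runner_creds"
check_profile "$demo/runner_creds" default || echo "runner-style file rejected"

# Backend block in the style the thread settled on: profile, no inline keys.
cat > "$demo/backend.tf" <<'EOF'
terraform {
  backend "s3" {
    bucket    = "BUCKET"
    key       = "tfstate/terraform.tfstate"
    region    = "eu-frankfurt-1"
    endpoints = { s3 = "https://NAMESPACE.compat.objectstorage.eu-frankfurt-1.oraclecloud.com" }
    profile   = "oci-frankfurt"
    shared_credentials_files    = ["~/.aws/credentials"]
    skip_region_validation      = true
    skip_credentials_validation = true
    skip_requesting_account_id  = true
    skip_metadata_api_check     = true
    skip_s3_checksum            = true
    use_path_style              = true
  }
}
EOF
hcl_has_inline_keys "$demo/backend.tf" && echo "backend.tf carries inline keys" ||
  echo "backend.tf references a profile only"
rm -rf "$demo"
```

In a CI step the call would be `write_oci_profile ~/.aws/credentials oci-frankfurt "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY"` with the two values coming from the runner's secret store, followed by `check_profile` and then `terraform init -reconfigure`. Setting `profile` in the backend block, as above, and exporting AWS_PROFILE, as jeliker does, are two ways to select the same section of the file.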

@12345ieee

I can confirm this style works now, on 1.7.4:

  backend "s3" {
    bucket = "[REDACTED]"
    key    = "[REDACTED]"
    region = "eu-frankfurt-1"
    endpoints = {
      s3 = "https://[REDACTED].compat.objectstorage.eu-frankfurt-1.oraclecloud.com"
    }
    profile = "[REDACTED]"
    skip_credentials_validation = true
    skip_metadata_api_check     = true
    skip_region_validation      = true
    skip_requesting_account_id  = true
    skip_s3_checksum            = true
    use_path_style              = true
  }

using the default credentials file, but no env vars.

@noprobsdk

I have the same problem again. Wrote to Oracle support.

Error: error loading state: SignatureDoesNotMatch: The secret key required to complete authentication could not be found. The region must be specified if this is not the home region for the tenancy.
│ status code: 403, request id: fra-1:wfAdQHeRFTrVkHzIt_btw4r-CfDKvQEdTuv6w3BS4dbfqOXPg_2-DPgZ46ri3yIG, host id:

@vadymkiz

I have the same problem again. Wrote to Oracle support.

Error: error loading state: SignatureDoesNotMatch: The secret key required to complete authentication could not be found. The region must be specified if this is not the home region for the tenancy. │ status code: 403, request id: fra-1:wfAdQHeRFTrVkHzIt_btw4r-CfDKvQEdTuv6w3BS4dbfqOXPg_2-DPgZ46ri3yIG, host id:

Me too, it appears absolutely randomly.
Even the s3 cli doesn't work.


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 12, 2024