PureDevOps Community

No valid credential sources found for AWS Provider : Terraform

The error shows up after upgrading to v4.0 of the Terraform AWS provider when the provider block sets a profile that does not resolve to valid credentials. The HashiCorp v4 upgrade guide explains the cause and the fix; the relevant section is reproduced below.

Changes to Authentication

The authentication configuration for the AWS Provider has changed in this version to match the behavior of other AWS products, including the AWS SDK and AWS CLI. This will cause authentication failures in AWS provider configurations where you set a non-empty profile in the provider configuration but the profile does not correspond to an AWS profile with valid credentials.

Precedence for authentication settings is as follows:

  • provider configuration
  • Environment variables
  • Shared credentials and configuration files (e.g., ~/.aws/credentials and ~/.aws/config)

In previous versions of the provider, you could explicitly set profile in the provider, and if the profile did not correspond to valid credentials, the provider would use credentials from environment variables. Starting in v4.0, the Terraform AWS provider enforces the precedence shown above, similarly to how the AWS SDK and AWS CLI behave.

In other words, when you explicitly set profile in the provider block, the AWS provider will not fall back to environment variables, per the precedence shown above. Before v4.0, if profile was configured in the provider but did not correspond to an AWS profile or valid credentials, the provider would attempt to use environment variables. This is no longer the case: an explicitly set profile that does not have valid credentials causes an authentication error.

For example, with the following, the environment variables will not be used, and if customprofile is not defined in the shared files the provider fails with the error in the title:

$ export AWS_ACCESS_KEY_ID="anaccesskey"
$ export AWS_SECRET_ACCESS_KEY="asecretkey"
provider "aws" {
  region  = "us-west-2"
  profile = "customprofile"
}
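
The trap above is easy to hit in CI, where keys are exported but a provider block still names a profile that only exists on a developer's machine. The following is an added example written for this post, not code from the AWS provider or from the HashiCorp docs: a shell preflight check that mirrors the v4 precedence far enough to flag a provider block whose profile exists in neither the credentials nor the config file, and to warn that any exported AWS_ACCESS_KEY_ID will be ignored. The function names (profile_defined, profile_has_keys, provider_profile, check_provider_profile, make_fixtures), the fixture file names and the placeholder keys, account ID and role name inside them are all assumptions made for the example; the fixtures are constructed in a temporary directory so the script runs offline.

```bash
#!/usr/bin/env bash
# Preflight check for the v4 "No valid credential sources found" error.
# Example code written for this post, not the AWS provider's own logic: it
# mirrors the v4 precedence (explicit profile > env vars > shared files) far
# enough to catch a provider block naming a profile that exists in neither
# shared file while the keys sit in AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY.
# Profile names are assumed to be plain identifiers (no regex metacharacters).

# profile_defined NAME CREDENTIALS_FILE CONFIG_FILE
# Succeeds if NAME is a [NAME] section in the credentials file, or a
# [profile NAME] section ([default] for "default") in the config file.
profile_defined() {
  local name="$1" creds="$2" config="$3"
  if [ -r "$creds" ] && grep -qE "^\[[[:space:]]*${name}[[:space:]]*\]" "$creds"; then
    return 0
  fi
  [ -r "$config" ] || return 1
  if [ "$name" = "default" ]; then
    grep -qE "^\[[[:space:]]*default[[:space:]]*\]" "$config"
  else
    grep -qE "^\[[[:space:]]*profile[[:space:]]+${name}[[:space:]]*\]" "$config"
  fi
}

# profile_has_keys NAME CREDENTIALS_FILE
# Succeeds if the [NAME] section carries both aws_access_key_id and
# aws_secret_access_key; a half-written section is "defined" but unusable.
profile_has_keys() {
  local name="$1" creds="$2"
  [ -r "$creds" ] || return 1
  awk -v want="$name" '
    /^[[:space:]]*\[/ { in_sec = ($0 ~ ("^\\[[[:space:]]*" want "[[:space:]]*\\]")); next }
    in_sec && /^[[:space:]]*aws_access_key_id[[:space:]]*=/     { id = 1 }
    in_sec && /^[[:space:]]*aws_secret_access_key[[:space:]]*=/ { secret = 1 }
    END { exit !(id && secret) }
  ' "$creds"
}

# provider_profile TF_FILE: prints the first profile = "..." value, if any.
provider_profile() {
  sed -nE 's/^[[:space:]]*profile[[:space:]]*=[[:space:]]*"([^"]+)".*/\1/p' "$1" | head -n 1
}

# check_provider_profile TF_FILE CREDENTIALS_FILE CONFIG_FILE
# Status 0 when the block can resolve credentials under v4 rules, 1 when
# Terraform >= 4.0 would stop with "No valid credential sources found".
# Only definition is checked; whether the profile really yields credentials
# is verified by: aws sts get-caller-identity --profile NAME
check_provider_profile() {
  local tf="$1" creds="$2" config="$3" name
  name=$(provider_profile "$tf")
  if [ -z "$name" ]; then
    echo "$tf: no explicit profile; env vars, then shared files, are used"
    return 0
  fi
  if profile_defined "$name" "$creds" "$config"; then
    echo "$tf: profile '$name' is defined and overrides any AWS_* env vars"
    return 0
  fi
  echo "$tf: profile '$name' is not in $creds or $config" >&2
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then
    # The v4 trap: keys are present but ignored because profile is explicit.
    echo "$tf: AWS_ACCESS_KEY_ID is set but will be ignored" >&2
  fi
  return 1
}

# make_fixtures: constructed sample files (placeholder keys, not real
# credentials) in a temp directory; prints the directory path.
make_fixtures() {
  local dir
  dir=$(mktemp -d)
  cat > "$dir/credentials" <<'EOF'
[prod]
aws_access_key_id = AKIAEXAMPLEPROD
aws_secret_access_key = prod-secret-placeholder

[incomplete]
aws_access_key_id = AKIAEXAMPLEINCOMPLETE
EOF
  cat > "$dir/config" <<'EOF'
[default]
region = us-west-2

[profile assumed]
role_arn = arn:aws:iam::123456789012:role/TerraformDeploy
source_profile = prod
EOF
  # broken.tf is the block from the post; fixed.tf names a real profile;
  # envonly.tf drops profile so the exported AWS_* variables are used.
  printf 'provider "aws" {\n  region  = "us-west-2"\n  profile = "customprofile"\n}\n' > "$dir/broken.tf"
  printf 'provider "aws" {\n  region  = "us-west-2"\n  profile = "prod"\n}\n' > "$dir/fixed.tf"
  printf 'provider "aws" {\n  region = "us-west-2"\n}\n' > "$dir/envonly.tf"
  echo "$dir"
}

# Demo: same situation as the post (keys exported, profile nonexistent).
fixtures=$(make_fixtures)
AWS_ACCESS_KEY_ID="anaccesskey"
for f in broken.tf fixed.tf envonly.tf; do
  check_provider_profile "$fixtures/$f" "$fixtures/credentials" "$fixtures/config" || true
done
unset AWS_ACCESS_KEY_ID
```

Run it against your real provider file and ~/.aws/credentials and ~/.aws/config before terraform plan. The two fixes it reflects are the ones the precedence rules allow: point profile at a profile that actually exists, or remove profile from the provider block so the exported AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are used. A profile that is defined but carries no usable credentials still fails, so the authoritative check remains aws sts get-caller-identity --profile NAME with the same files the provider will read.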

New Provider Arguments

Version 4.x adds these new provider arguments:

  • assume_role.duration - Assume role duration as a string, e.g., "1h" or "1h30s". Terraform AWS Provider v4.0.0 deprecates assume_role.duration_seconds and a future version will remove it.
  • custom_ca_bundle - File containing custom root and intermediate certificates. Can also be configured using the AWS_CA_BUNDLE environment variable. (Setting ca_bundle in the shared config file is not supported.)
  • ec2_metadata_service_endpoint - Address of the EC2 metadata service (IMDS) endpoint to use. Can also be set with the AWS_EC2_METADATA_SERVICE_ENDPOINT environment variable.
  • ec2_metadata_service_endpoint_mode - Mode to use in communicating with the metadata service. Valid values are IPv4 and IPv6. Can also be set with the AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE environment variable.
  • s3_use_path_style - Replaces s3_force_path_style, which has been deprecated in Terraform AWS Provider v4.0.0 and support will be removed in a future version.
  • shared_config_files - List of paths to AWS shared config files. If not set, the default is [~/.aws/config]. A single value can also be set with the AWS_CONFIG_FILE environment variable.
  • shared_credentials_files - List of paths to the shared credentials file. If not set, the default is [~/.aws/credentials]. A single value can also be set with the AWS_SHARED_CREDENTIALS_FILE environment variable. Replaces shared_credentials_file, which has been deprecated in Terraform AWS Provider v4.0.0 and support will be removed in a future version.
  • sts_region - Region where AWS STS operations will take place. For example, us-east-1 and us-west-2.
  • use_dualstack_endpoint - Force the provider to resolve endpoints with DualStack capability. Can also be set with the AWS_USE_DUALSTACK_ENDPOINT environment variable or in a shared config file (use_dualstack_endpoint).
  • use_fips_endpoint - Force the provider to resolve endpoints with FIPS capability. Can also be set with the AWS_USE_FIPS_ENDPOINT environment variable or in a shared config file (use_fips_endpoint).

NOTE:

Using the AWS_METADATA_URL environment variable has been deprecated in Terraform AWS Provider v4.0.0 and support will be removed in a future version. Change any scripts or environments using AWS_METADATA_URL to instead use AWS_EC2_METADATA_SERVICE_ENDPOINT.

For example, in previous versions, to use FIPS endpoints, you would need to provide all the FIPS endpoints that you wanted to use in the endpoints configuration block:

provider "aws" {
  endpoints {
    ec2 = "https://ec2-fips.us-west-2.amazonaws.com"
    s3  = "https://s3-fips.us-west-2.amazonaws.com"
    sts = "https://sts-fips.us-west-2.amazonaws.com"
  }
}

In v4.0.0, you can still set endpoints in the same way. However, you can instead use the use_fips_endpoint argument to have the provider automatically resolve FIPS endpoints for all supported services:

provider "aws" {
  use_fips_endpoint = true
}

Note that the provider can only resolve FIPS endpoints where AWS provides FIPS support. Support depends on the service and may include us-east-1, us-east-2, us-west-1, us-west-2, us-gov-east-1, us-gov-west-1, and ca-central-1. For more information, see Federal Information Processing Standard (FIPS) 140-2.

Read More: Terraform Registry