[version 1.44] No valid credential sources found for AWS Provider

[cullenmcdermott]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.10.8

Affected Resource(s)

• provider.aws

Terraform Configuration Files

provider "aws" {
  region = "${var.region}"
}

Output

       Error: Error refreshing state: 1 error(s) occurred:

       * provider.aws: No valid credential sources found for AWS Provider.
       	Please see https://terraform.io/docs/providers/aws/index.html for more information on
       	providing credentials for the AWS Provider

Expected Behavior

I expected terraform to respect my AWS_PROFILE=saml environment variable. 1.43.2 works but when I change my provider to 1.44.0 it no longer respects the variable. aws CLI and Packer both work fine so I know my credentials are good.

Actual Behavior

The error above is produced

Steps to Reproduce

1. terraform apply

References

• [version 1.42] No valid credential sources found for AWS Provider. #6320 seems related

[makennedy-clgx]

Reverting to release -1 works as expected.

[geekbass]

Also seeing this issue. Reverting works as expected.

[bflad]

Hi folks 👋 Similar to #6320 this may be related to upstream AWS Go SDK changes as I'm not aware to any changes in the provider authentication. My recommendation is to turn on Terraform debug logging in your environment (e.g. TF_LOG=debug terraform plan) to see if the underlying error(s) cannot be found instead of our less helpful error here.

The only change upstream in this regard I'm aware of is aws/aws-sdk-go#2265

[cullenmcdermott]

Here's a gist with debug error output: https://gist.github.com/cullenmcdermott/9e2e7641fc3cc88117645e4e848901ff

When I run the same plan with 1.43.2 I see this in the debug output:

2018-11-14T14:00:07.554-0700 [DEBUG] plugin.terraform-provider-aws_v1.43.2_x4: 2018/11/14 14:00:07 [INFO] No assume_role block read from configuration
2018-11-14T14:00:07.554-0700 [DEBUG] plugin.terraform-provider-aws_v1.43.2_x4: 2018/11/14 14:00:07 [INFO] Building AWS region structure
2018-11-14T14:00:07.554-0700 [DEBUG] plugin.terraform-provider-aws_v1.43.2_x4: 2018/11/14 14:00:07 [INFO] Building AWS auth structure
2018-11-14T14:00:07.554-0700 [DEBUG] plugin.terraform-provider-aws_v1.43.2_x4: 2018/11/14 14:00:07 [INFO] Setting AWS metadata API timeout to 100ms
2018-11-14T14:00:07.788-0700 [DEBUG] plugin.terraform-provider-aws_v1.43.2_x4: 2018/11/14 14:00:07 [INFO] Ignoring AWS metadata API endpoint at default location as it doesn't return any instance-id
2018-11-14T14:00:07.788-0700 [DEBUG] plugin.terraform-provider-aws_v1.43.2_x4: 2018/11/14 14:00:07 [INFO] AWS Auth provider used: "SharedCredentialsProvider"
2018-11-14T14:00:07.789-0700 [DEBUG] plugin.terraform-provider-aws_v1.43.2_x4: 2018/11/14 14:00:07 [INFO] Initializing DeviceFarm SDK connection

It looks like for whatever reason 1.44 isn't looking at my shared credentials file?

[bflad]

Interesting, when I run it locally (I personally use AWS_PROFILE environment variable and ~/.aws/credentials shared credentials file), I'm able to see it being used:

2018-11-14T21:08:37.035-0500 [DEBUG] plugin.terraform-provider-aws_v1.45.0_x4: 2018/11/14 21:08:37 [INFO] Ignoring AWS metadata API endpoint at default location as it doesn't return any instance-id
2018-11-14T21:08:37.041-0500 [DEBUG] plugin.terraform-provider-aws_v1.45.0_x4: 2018/11/14 21:08:37 [INFO] AWS Auth provider used: "SharedCredentialsProvider"
2018-11-14T21:08:37.041-0500 [DEBUG] plugin.terraform-provider-aws_v1.45.0_x4: 2018/11/14 21:08:37 [INFO] Initializing DeviceFarm SDK connection

My shared credentials is nothing special with a few profiles defined like below (actual content omitted of course!)

[profile-1]
aws_access_key_id = AKIA...
aws_secret_access_key = ...
region = us-east-1

[profile-2]
aws_access_key_id = AKIA...
aws_secret_access_key = ...
region = us-east-1
...

Maybe try eliminating parts of your shared credentials file to see if the change in the SDK parsing behavior is maybe incorrectly parsing/invalidating the whole file due to "bad" section(s)?

[enekofb]

Same issue here ...

* provider.aws.us-west-2: error validating provider credentials: error calling sts:GetCallerIdentity: NoCredentialProviders: no valid providers in chain. Deprecated.
	For verbose messaging see aws.Config.CredentialsChainVerboseErrors

when using the latest version

provider "aws" {
  profile = "${var.profile}"
  region  = "us-east-1"
  alias   = "us-east-1"
  skip_metadata_api_check = "true"

}

Version 1.43.2 works fine

provider "aws" {
  version = "1.43.2"
  profile = "${var.profile}"
  region  = "us-east-1"
  alias   = "us-east-1"
  skip_metadata_api_check = "true"

}

[geekbass]

Same issue. Its ignoring the credentials in this release.

2018/11/14 16:16:18 [ERROR] root.dcos: eval: *terraform.EvalConfigProvider, err: No valid credential sources found for AWS Provider.
	Please see https://terraform.io/docs/providers/aws/index.html for more information on
	providing credentials for the AWS Provider
2018/11/14 16:16:18 [ERROR] root.dcos: eval: *terraform.EvalSequence, err: No valid credential sources found for AWS Provider.
	Please see https://terraform.io/docs/providers/aws/index.html for more information on
	providing credentials for the AWS Provider
2018/11/14 16:16:18 [ERROR] root.dcos: eval: *terraform.EvalOpFilter, err: No valid credential sources found for AWS Provider.
	Please see https://terraform.io/docs/providers/aws/index.html for more information on
	providing credentials for the AWS Provider
2018/11/14 16:16:18 [ERROR] root.dcos: eval: *terraform.EvalSequence, err: No valid credential sources found for AWS Provider.
	Please see https://terraform.io/docs/providers/aws/index.html for more information on
	providing credentials for the AWS Provider
2018/11/14 16:16:18 [DEBUG] plugin: waiting for all plugin processes to complete...

Error: Error refreshing state: 1 error(s) occurred:

* module.dcos.provider.aws: No valid credential sources found for AWS Provider.
	Please see https://terraform.io/docs/providers/aws/index.html for more information on
	providing credentials for the AWS Provider

Reverting to previous version is fine.

[cullenmcdermott]

@bflad Not sure if this matters but in your output it looks like you are using v1.45.0

[atkinsj]

I'm experiencing this on * provider.aws: version = "~> 1.45" as well.

[bshelton229]

In our case we narrowed this down to the fact we were using "pretty" formatting in our ini file. We generate a credentials file using short-lived tokens via tooling. Updating the tooling to not us pretty spacing fixed the issue with the newer aws sdk.

Example ini format that stopped working with the upgrade

[federated]
aws_access_key_id     = 123
aws_secret_access_key = 456
aws_session_token     = 789

[myprofile]
region         = us-east=1
role_arn       = arn:aws:iam::123456789:role/MyRole
source_profile = federated

Having the tooling stop doing pretty alignment allowed the new provider to work

[federated]
aws_access_key_id = 123
aws_secret_access_key = 456
aws_session_token = 789

[myprofile]
region = us-east-1
role_arn = arn:aws:iam::123456789:role/MyRole
source_profile = federated

Our tool was basically putting whitespace around the equals for alignment, which wasn't working with the new SDK.

[atkinsj]

Thanks @bshelton229, confirmed that resolves it for me as well.

[livingstaccato]

My team is using saml2aws and has run into this problem as well with both 1.44.0 and 1.45.0 of the aws provider.

Can confirm that, on MacOS, sed -i '' -E 's/ +/ /g' ~/.aws/credentials fixed the issue.

[sstarcher]

Same as @livingstaccato we use saml2aws and this causes terraform to be non-functional.

[pradeepbhadani]

faced similar issue and @livingstaccato solution fixed issue for me on Mac.

[cullenmcdermott]

Looks like the aws sdk maintainers already PR'd a fix for this(aws/aws-sdk-go#2282) so it should be available soon.

[bflad]

Once the AWS Go SDK is released with the fix (likely later today), we'll pull it in here to cut a release later today or tomorrow.

[makennedy-clgx]

Looks like their release is done. https://github.com/aws/aws-sdk-go/releases/tag/v1.15.79

[bflad]

Submitted the dependency update PR: #6524

[bflad]

The fix for this (AWS Go SDK update) is merged and will release with version 1.46.0 of the AWS provider, in a few minutes. 🚀

[bflad]

This has been released in version 1.46.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!