error configuring S3 Backend: no valid credential sources for S3 Backend found. #32448

Closed
rjtshrm opened this issue Jan 2, 2023 · 35 comments
Labels
backend/s3 bug new new issue not yet triaged

Comments

@rjtshrm

rjtshrm commented Jan 2, 2023

Terraform Version

1.3.6

AWS CLI Version

aws-cli/2.9.12 Python/3.11.1 Darwin/22.2.0 source/arm64 prompt/off

Terraform Configuration Files

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.30.0"
    }
  }
  backend "s3" {
    bucket  = "terraform-state-int"
    key     = "key/"
    region  = aws-region
    profile = "int"
  }
  required_version = ">= 1.1.0"
}

Debug Output

No relevant debug output except the few lines below (Actual Behaviour)

Expected Behavior

Should have applied initial config and downloaded plugins

Actual Behavior

Error: error configuring S3 Backend: no valid credential sources for S3 Backend found.

│ Please see https://www.terraform.io/docs/language/settings/backends/s3.html
│ for more information about providing credentials.

│ Error: SSOProviderInvalidToken: the SSO session has expired or is invalid
│ caused by: open /Users/rsharma/.aws/sso/cache/9ceab8b92e009ecc15fdc2be3fe58963c97c5870.json: no such file or directory

Steps to Reproduce

  1. terraform init

Additional Context

I have set up and created an AWS SSO profile. I can access AWS S3 buckets using that profile: aws s3 ls --profile PROFILE_NAME. I can also see JSON files in .aws/sso/cache and .aws/cli/cache. However, with terraform init, it couldn't find the particular session.

References

No response

@rjtshrm rjtshrm added bug new new issue not yet triaged labels Jan 2, 2023
@rjtshrm
Author

rjtshrm commented Jan 2, 2023

I happened to solve the issue by downgrading aws cli to v2.4.11. When I did aws configure sso, it created the 9ceab8b92e009ecc15fdc2be3fe58963c97c5870.json token file for temporary access in the .aws/sso/cache folder.

I have no idea why the name is different when using the latest version of aws cli, and thus it is failing the terraform init because it is looking for that specific file name only.

@crw
Collaborator

crw commented Jan 3, 2023

Thanks for this report!

@dustinbrown

Thank you for submitting this, I'm experiencing the same problem. Downgrading from 2.9.15 -> 2.4.11 also resolved this issue for me. I didn't try other versions so I'm not sure if the problem started after 2.4.11.

@gpetras

gpetras commented Jan 19, 2023

Also had this problem on aws-cli 2.9.14. I was able to resolve the issue with aws-cli 2.9.16.

@dangets

dangets commented Feb 4, 2023

The latest aws cli version that worked for me was 2.7.31.

aws cli 2.7.32 - 2.8.x - breaks on aws sso login command

21:05:19 ❯ aws sso login --profile bb-alpha

Inline SSO configuration and sso_session cannot be configured on the same profile.

aws cli 2.9.0-2.9.20 - aws sso login works, but terraform plan does not

21:11:48 ❯ tf plan
╷
│ Error: configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
│ 
│ Please see https://registry.terraform.io/providers/hashicorp/aws
│ for more information about providing credentials.
│ 
│ Error: failed to refresh cached credentials, the SSO session has expired or is invalid: open /Users/danget/.aws/sso/cache/c777c5264364f423c5a5bf7de842d3982cdbf67d.json: no such file or directory
│ 

2 notes:

  • the c777c526...bf67d.json file that terraform is looking for exists when logging in with 2.7.31, but there are differently named .json files with the 2.9.x versions. Maybe the hashing changed?
  • The format of the ~/.aws/sso/*.json files has different keys (output generated via file.json | jq 'keys')
v2.9.x
[
  "clientId",
  "clientSecret",
  "expiresAt",
  "scopes"
]

v2.7.31
[
  "accessToken",
  "expiresAt",
  "region",
  "startUrl"
]

@cheethoe

> aws cli 2.7.32 - 2.8.x - breaks on aws sso login command
>
> 21:05:19 ❯ aws sso login --profile bb-alpha
>
> Inline SSO configuration and sso_session cannot be configured on the same profile.

I also got this when sso_session was configured in the ~/.aws/config profile I was trying to login to. Removing that line from the config made the login work with 2.8.13

@bennysp

bennysp commented Mar 3, 2023

Any updates on this? Having the same issue with this.

AWS: aws-cli/2.11.0
Terraform: v1.3.9

@Raboo

Raboo commented Mar 20, 2023

Hi for me the error message is slightly different.

│ Error: error configuring S3 Backend: no valid credential sources for S3 Backend found.
│
│ Please see https://www.terraform.io/docs/language/settings/backends/s3.html
│ for more information about providing credentials.
│
│ Error: NoCredentialProviders: no valid providers in chain. Deprecated.
│ 	For verbose messaging see aws.Config.CredentialsChainVerboseErrors
Terraform v1.4.2
on darwin_arm64

But the problem seems to be the same, it occurs when I use aws sso, ex aws sso login --sso-session mysession.

@wdbasson

I'm experiencing the same issue.

Terraform v1.4.2 on darwin_arm64
aws-cli/2.11.4 Python/3.11.2 Darwin/22.3.0 source/arm64 prompt/off

@wdbasson

I'm experiencing the same issue.

Terraform v1.4.2 on darwin_arm64 aws-cli/2.11.4 Python/3.11.2 Darwin/22.3.0 source/arm64 prompt/off

I deleted all occurrences of the profile in ~/.aws/config

I think it is the SSO session name that isn't compatible.

It's working now on those same versions.

@brentvollebregt

brentvollebregt commented Mar 22, 2023

I was also seeing this issue,

Error: failed to refresh cached credentials, the SSO session has expired or is invalid: open C:\Users\USER\.aws\sso\cache\87958b97ea0cb84f63699e5287c738dae832ba73.json: The system cannot find the file specified.

I removed sso_session from my target profile, signed back in using aws sso login --sso-session {target sso-session} and terraform is working again.

I'm running:

  • aws-cli/2.11.4 Python/3.11.2 Windows/10 exe/AMD64 prompt/off
  • Terraform v1.4.2

@Raboo

Raboo commented Mar 23, 2023

But how does that profile know which session to use or to use an sso session at all?

@KarlCF

KarlCF commented Mar 27, 2023

Also running into the same issues:

  • Terraform v1.3.8 on darwin_arm64
  • aws-cli/2.11.5 Python/3.11.2 Darwin/22.3.0 exe/x86_64 prompt/off

Using brent's recommendation worked for now:
#32448 (comment)

@B-Howell

I was experiencing the same issue and reverted to the cli v2.4.11 and it worked.

@yovko-mytaverse

Same issue here:

MacOS 13.3.1 M1
aws-cli/2.11.11 Python/3.11.3 Darwin/22.4.0 source/arm64 prompt/off

╷
│ Error: error configuring S3 Backend: no valid credential sources for S3 Backend found.
│
│ Please see https://www.terraform.io/docs/language/settings/backends/s3.html
│ for more information about providing credentials.
│
│ Error: SSOProviderInvalidToken: the SSO session has expired or is invalid
│ caused by: open /Users/username/.aws/sso/cache/7ad....0ebf54.json: no such file or directory

@nickyfoster

I've got the same issue on Mac Book Pro

System: Apple M1 Pro, macOS 13.3.1 (22E261)
Terraform: v1.4.4
aws-cli: aws-cli/2.11.11 Python/3.11.2 Darwin/22.4.0 exe/x86_64 prompt/off

My ~/.aws/config is:

sso_account_id = 1234
sso_role_name = AdminRole
region = us-west-1
output = json
sso_session = example-session
[sso-session example-session]
sso_start_url = https://1234.awsapps.com
sso_region = us-west-1
sso_registration_scopes = sso:account:access

For anyone experiencing this issue I have the following fix:

  • Comment the following line:
#sso_session = example-session
#[sso-session example-session]
  • Refresh token with:
aws sso logout && aws sso login --profile example

@dongho-jung

there are two types of aws config for SSO

  • legacy config <- this works with terraform

    • a lot of redundancy, but it works!
  • (just) config <- this doesn't work with terraform ... :(

    • neat and simple, but it doesn't work with terraform..

You can refer to this AWS Doc

@sjparkinson

>   • (just) config <- this doesn't work with terraform ... :(

It looks like this is down to the AWS SDK used by Terraform, and relates to aws/aws-sdk-go#4649.

Thanks for your suggestion @0xF4D3C0D3, using the legacy config format works.

@eggsy84

eggsy84 commented May 23, 2023

I found the following to work ok

  • Usual aws sso login --profile <PROFILE>
  • adding the sso_start_url and the sso_region to the profile in the ~/.aws/config
  • Removing (or commenting) the sso_session from the corresponding profile in the ~/.aws/config

@dongho-jung

> I found the following to work ok
>
>   • Usual aws sso login --profile <PROFILE>
>   • adding the sso_start_url and the sso_region to the profile in the ~/.aws/config
>   • Removing (or commenting) the sso_session from the corresponding profile in the ~/.aws/config

Unfortunately, this doesn't solve the essential problem that the AWS Go SDK, which Terraform relies on, supports only the legacy AWS config. What's the problem with the legacy config? It doesn't support automatic token refresh. So, we need to execute aws sso login every time the session expires. I do hope that the AWS Go SDK will support the new AWS config soon.
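
Added example, not part of any comment in this thread and not code from Terraform, the AWS CLI or the AWS SDKs: a Python check of which cache file each kind of reader opens for a profile, which is why the file names in the errors above differ from the ones the newer CLI writes. It assumes the cache file name is the hex SHA-1 of the sso_session name when the profile sets one and of sso_start_url otherwise (the derivation botocore and aws-sdk-go use); the config, profile name and function names are constructed for illustration.

```python
import configparser
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample in the style of the configs posted in this thread.
SAMPLE_CONFIG = """
[profile int]
sso_session = example-session
sso_account_id = 123456789012
sso_role_name = AdminRole

[sso-session example-session]
sso_start_url = https://example.awsapps.com/start
sso_region = us-west-1
"""

def cache_key(value):
    """SSO token cache file name: hex SHA-1 of the input string plus .json."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest() + ".json"

def expected_cache_files(config_text, profile):
    """File names a session-aware reader and a legacy-only reader would open."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    section = cfg["default" if profile == "default" else f"profile {profile}"]
    session = section.get("sso_session")
    start_url = section.get("sso_start_url")
    if session and not start_url:
        start_url = cfg[f"sso-session {session}"].get("sso_start_url")
    return {
        "session_aware": cache_key(session) if session else cache_key(start_url),
        "legacy": cache_key(start_url),
    }

def token_status(cache_dir, name, now=None):
    """Return 'missing', 'expired' or 'valid' without printing token contents."""
    path = Path(cache_dir) / name
    if not path.is_file():
        return "missing"
    expires = json.loads(path.read_text())["expiresAt"]
    expires_at = datetime.fromisoformat(expires.replace("Z", "+00:00"))
    return "expired" if expires_at <= (now or datetime.now(timezone.utc)) else "valid"

if __name__ == "__main__":
    for reader, name in expected_cache_files(SAMPLE_CONFIG, "int").items():
        print(reader, name, token_status(Path.home() / ".aws/sso/cache", name))
```

The cache files hold bearer tokens and client secrets, so the helper reports only a status string and never echoes file contents.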

@gjemp

gjemp commented May 24, 2023

My 5c on that problem. I was using CLI commands, but within an editor (IDEA IntelliJ 2023.1.2), and the editor's AWS plugin profile is not set by running command-line profile change commands. I had to manually pick the new profile and do the SSO login, and then everything started to work for that particular profile.
Also, until the editor plugin profile was changed, the command line in Win terminal showed the same error; after the profile change everything started to work there too.

@omerls-pw

omerls-pw commented Jun 4, 2023

I have the same issue and the only thing that worked is copying an existing one to the one terraform is looking for:

cp /Users/user/.aws/sso/cache/7505d64a*****.json /Users/user/.aws/sso/cache/395b71ba*****.json

@omerls-pw

Another issue that happened:
terraform doesn't work with sso-session, only with the old format of profiles.

I had to modify my config file from

[default]
sso_session = default
sso_account_id = [account-id]
sso_role_name = AdministratorAccess
region = us-east-1
output = json
sso_region = us-region-1
sso_start_url = https://[account-id-login].awsapps.com/start#/
sso_cache_duration = 0

[sso-session default]
sso_start_url = https://[account-id-login].awsapps.com/start#/
sso_registration_scopes = sso:account:access
sso_region = us-region-1

TO

[default]
sso_start_url = https://[account-id-login].awsapps.com/start
sso_region = us-region-1
sso_account_id = [account-id]
sso_role_name = AdministratorAccess
region = us-region-1
output = json

And I am no longer getting

│ Error: error configuring S3 Backend: no valid credential sources for S3 Backend found.
│ 
│ Please see https://www.terraform.io/docs/language/settings/backends/s3.html
│ for more information about providing credentials.
│ 
│ Error: SSOProviderInvalidToken: the SSO session has expired or is invalid

@Jlrine2

Jlrine2 commented Jun 16, 2023

> cp /Users/user/.aws/sso/cache/7505d64a*****.json /Users/user/.aws/sso/cache/395b71ba*****.json

Thanks for the hint, I created a symlink on mine ln <existing>.json <target>.json

@gimbo

gimbo commented Jun 28, 2023

Looks like the upstream issue is on its way to being resolved with this PR. 🙏

@gimbo

gimbo commented Jul 10, 2023

The upstream fix is in: aws-sdk-go Release v1.44.298 (2023-07-07)

@stephencattaneo

Curious to know where this is on Hashicorp's priorities / when will this get fixed in TF?

If you fresh install the latest awscli + terraform and then try to authenticate with an AWS SSO session (AWS's preferred way of authenticating), terraform can't authenticate without manually editing AWS files, which is not obvious.

@crw
Collaborator

crw commented Aug 24, 2023

The linked issues have more details; additionally, over the next few releases, the AWS SDK dependency is being updated to version 2.x.

@gdavison
Contributor

This will be addressed in Terraform v1.6. If you still see this error when v1.6 is released (or you try any of the v1.6 beta releases), please open a new issue

@SaiTejaMakani

SaiTejaMakani commented Oct 31, 2023

We got the same issue with tf 1.5.7 and sam 2.13.26. Then our dev upgraded to 1.6+ and it is resolved. We are still on our toes though.

@johnwesley

> This will be addressed in Terraform v1.6. If you still see this error when v1.6 is released (or you try any of the v1.6 beta releases), please open a new issue

Thank you!

@sonalsinghai

> I was also seeing this issue,
>
> Error: failed to refresh cached credentials, the SSO session has expired or is invalid: open C:\Users\USER\.aws\sso\cache\87958b97ea0cb84f63699e5287c738dae832ba73.json: The system cannot find the file specified.
>
> I removed sso_session from my target profile, signed back in using aws sso login --sso-session {target sso-session} and terraform is working again.
>
> I'm running:
>
>   • aws-cli/2.11.4 Python/3.11.2 Windows/10 exe/AMD64 prompt/off
>   • Terraform v1.4.2

For me the issue was latest version of terraform 1.6.4. After downgrading the error went away.
I now have these versions:

  • aws-cli/2.13.38 Python/3.11.6 Linux/6.2.0-37-generic exe/x86_64.ubuntu.22 prompt/off
  • Terraform v1.3.0

@futurebenmorris

For me, running awscli 2.14.2 and terraform cli 1.6.5 works off the bat. Both the latest versions as of writing, but using legacy sso config as referenced above

> there are two types of aws config for SSO
>
>   • legacy config <- this works with terraform
>
>     • a lot of redundancy, but it works!
>   • (just) config <- this doesn't work with terraform ... :(
>
>     • neat and simple, but it doesn't work with terraform..
>
> You can refer to this AWS Doc


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 30, 2023