backend/s3: SSO Failures #34248
Comments
Thanks for the report, I've notified the team.
@jordancparker - Could you share the s3 backend configuration block?
Hi @jar-b, I have these in a tfbackend file, which I inject in with a simple. As mentioned, all the authentication pieces are managed in awscli. I export the profile as an environment variable. So when the init is run it identified the profile and the terraform version. But it seems to be looking for a cached file that does not exist.
versions.tf
tfbackend
Hi @jordancparker, could you run The parameter
Hi @gdavison, So comparing 1.16.3 and 1.16.4, the below two logs are not in 1.16.4. It would seem that it's not aware it needs to request its cached credentials.
[DEBUG] backend-s3.aws-base: HTTP Request Sent: aws.operation=GetRoleCredentials aws.service=SSO tf_backend.operation=Configure
Are you not able to recreate this on your side?
The cached credentials are local to the machine, so it doesn't make the API calls if it can't locate the cached credentials. Can you please share the logs here?
Hi @gdavison, I can't share further than what I have above due to sensitivity, especially with the logs exporting authorization keys and certificate bundles. I unfortunately do not agree with the above statement; cached may be the wrong word. But doing a diff on the Debug logs. 1.6.3 - Is sending an HTTP Request to collect the GetRoleCredentials and Receiving them.
Sorry, when you say
which statement do you mean? In 1.6.4, the error message includes, in part
This error is returned when the AWS SDK is not able to locate the cached SSO credentials on the local filesystem (https://github.com/aws/aws-sdk-go-v2/blob/435199fc01ab47020ab36dab07d8115e20687f73/credentials/ssocreds/sso_cached_token.go#L150). Since it can't find them, it's not making the HTTP request to the SSO API. In 1.6.3, it is able to find the cached credentials on the local filesystem, so it's making the HTTP request. So something has changed in how the AWS SDK is resolving the cached credentials file.
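A way to check which cached token file the SDK will look for on the local filesystem, as an added example (not code from this thread, Terraform or the AWS SDK). It assumes the standard AWS SSO cache layout, `~/.aws/sso/cache/<sha1(key)>.json`, where the key is the `sso_session` name when the profile references one and the `sso_start_url` otherwise; the profile names, URL and account ID are constructed.

```python
import configparser
import hashlib
from pathlib import Path

# Constructed sample of ~/.aws/config; profile names, URL and IDs are placeholders.
SAMPLE_CONFIG = """\
[profile legacy]
sso_start_url = https://example.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 111111111111
sso_role_name = ReadOnly

[profile modern]
sso_session = corp
sso_account_id = 111111111111
sso_role_name = ReadOnly

[sso-session corp]
sso_start_url = https://example.awsapps.com/start
sso_region = eu-west-1
"""

def cache_key(config_text, profile):
    """Return the string whose SHA-1 names the profile's cached SSO token file."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(config_text)
    section = "default" if profile == "default" else f"profile {profile}"
    if not cp.has_section(section):
        raise KeyError(f"no [{section}] section in config")
    opts = cp[section]
    # Assumption stated in the lead-in: session name wins over the start URL.
    for option in ("sso_session", "sso_start_url"):
        if option in opts:
            return opts[option]
    raise ValueError(f"[{section}] has no SSO settings")

def token_path(cache_dir, key):
    """SHA-1 is only a filename derivation here, not a security control."""
    return Path(cache_dir) / (hashlib.sha1(key.encode("utf-8")).hexdigest() + ".json")

def diagnose(config_text, profile, cache_dir):
    """Report the expected token file for a profile and whether it exists."""
    path = token_path(cache_dir, cache_key(config_text, profile))
    return {"profile": profile, "path": path, "present": path.is_file()}

if __name__ == "__main__":
    cache = Path.home() / ".aws" / "sso" / "cache"
    for name in ("legacy", "modern"):
        print(diagnose(SAMPLE_CONFIG, name, cache))
```

In the constructed sample, a token file written for the start URL is found for `legacy` but not for `modern`, because the two profiles hash different keys.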
Apologies, I may have misread the response on the caching of credentials. But I do agree, looking at the commits for this feature some of the versions have been bumped with the dependent packages. Do we think they have released a patch already, or changed the way in which the awscli config file is set up to interact with the go library?
In your configuration file, does the As a workaround, you may be able to re-run Alternatively, re-run
Hi @gdavison, Just tested removing the Thanks for supporting and getting us onto the latest version with 1.6.4 !!!
I have encountered the same problem in 1.6.4 (1.6.3 is ok). vim ~/.aws/config Remove the
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
Terraform Version
Terraform Configuration Files
N/A
Debug Output
N/A
Expected Behavior
Backend to Authenticate
Actual Behavior
cannot obtain credentials
Steps to Reproduce
Terraform Init
Additional Context
Hi Terraform Team,
Upgraded to 1.6.4 version of terraform, when running an init, presented with No valid credentials. When downgrading back to 1.6.3 it works fine.
We do use aws sso for authentication. I have a feeling the latest bug was introduced in the below.
There is a chance this is not a bug and that there is just no documentation that can be found to identify the endpoints.sso, but I do question what the value is of this parameter when this is normally set up in the aws cli v2.
backend/s3: Add the parameter endpoints.sso to allow overriding the AWS SSO API endpoint. (#34195)
References
No response