Terraform fails to authenticate using STS temporary credentials - InvalidClientTokenId #6523
Comments
Looks like this is failing because the temporary credentials are being requested using the GetFederationToken API. http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html Those temporary credentials are not allowed to make IAM API or STS calls. There must be some code in Terraform checking for that regardless of whether the user intends to work with IAM or not. I think this should be fixed... Terraform shouldn't presume to know that the credentials provided are not adequate to perform whatever actions the user needs.
Hi @cabarria, we may be able to swap this with a fairly new API endpoint. I need to confirm this is expected and correct behaviour w/ AWS support and then we should be good to make that change.
I just verified that I also approached AWS support in regards to disabled STS regions and the representative told me to wait until they hear confirmation back from the service team. I think I will prepare a PR in the meantime though.
See PR that is fixing this at #6536
Thanks for the quick response!!!
Is it being fixed on terraform v0.7.13? Still having the issue:
export AWS_ACCESS_KEY=$aws_access_key
terraform apply -var ami_id=$ami_id -var aws_access_key=$aws_access_key -var aws_secret_key=$aws_secret_key -var aws_region=$AWS_DEFAULT_REGION
Still having the issue in version v0.8.5 although it works with just
I'm using MFA and grabbing STS creds from:
Error:
OK so it works without
I think the use of AWS_SESSION_TOKEN instead of AWS_SECURITY_TOKEN could be documented here: https://www.terraform.io/docs/providers/aws/index.html. But thanks for this, it resolved my issue.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
I'm running Terraform v0.6.15. I have exported the following keys following an STS call for credentials:
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_SESSION_TOKEN (Can use AWS_SECURITY_TOKEN as well)
the aws-cli works, but Terraform complains with the following:
Refreshing Terraform state prior to plan...
Error refreshing state: 1 error(s) occurred:
1 error(s) occurred:
InvalidClientTokenId: The security token included in the request is invalid
status code: 403, request id:
No matter what I do (I've tried AWS_TOKEN as the key as well), Terraform fails to use temporary credentials. If I use a permanent Access Key and Secret Access Key it works. I thought this issue had been solved.
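A small shell wrapper, added here as an example and not code from the issue or from Terraform, that exports STS session credentials under the variable names the Terraform AWS provider reads (AWS_SESSION_TOKEN, as the thread notes, rather than AWS_SECURITY_TOKEN) and checks the triple is consistent before running terraform. The `aws sts get-session-token` invocation and the MFA_ARN / TOKEN_CODE placeholders are assumptions.

```shell
#!/bin/sh
# Added example, not Terraform's or the reporter's code.
# The argument is the tab-separated output of (assumed invocation; MFA_ARN
# and TOKEN_CODE are placeholders for your MFA device ARN and current code):
#   aws sts get-session-token --serial-number "$MFA_ARN" --token-code "$TOKEN_CODE" \
#     --output text --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
load_sts_creds() {
    old_ifs=$IFS
    IFS=$(printf '\t')
    # shellcheck disable=SC2086  # splitting on tabs is intended here
    set -- $1
    IFS=$old_ifs
    if [ "$#" -ne 3 ]; then
        echo "load_sts_creds: expected 3 fields, got $#" >&2
        return 1
    fi
    AWS_ACCESS_KEY_ID=$1
    AWS_SECRET_ACCESS_KEY=$2
    AWS_SESSION_TOKEN=$3       # the name Terraform reads; AWS_SECURITY_TOKEN is not
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    unset AWS_SECURITY_TOKEN   # do not keep a second, possibly stale, copy of the token
}

# Returns 0 when the environment is consistent: temporary access key IDs
# (prefix ASIA) need a session token, long-term ones (prefix AKIA) must not
# carry a leftover token from an earlier session.
check_creds_env() {
    case "$AWS_ACCESS_KEY_ID" in
        ASIA*) [ -n "$AWS_SESSION_TOKEN" ] ;;
        AKIA*) [ -z "$AWS_SESSION_TOKEN" ] ;;
        *)     return 1 ;;
    esac
}

# Usage (not executed here): load, verify, then hand the credentials to Terraform.
run_with_sts() {
    load_sts_creds "$1" && check_creds_env && terraform apply
}
```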