Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Terraform fails to authenticate using STS temporary credentials - InvalidClientTokenId #6523

Closed
cabarria opened this issue May 6, 2016 · 11 comments · Fixed by #6536
Closed
Assignees

Comments

@cabarria
Copy link

cabarria commented May 6, 2016

I'm running Terraform v0.6.15. I have exported the following keys following an STS call for credentials:
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_SESSION_TOKEN (Can use AWS_SECURITY_TOKEN as well)

the aws-cli works, but Terraform complains with the following:

Refreshing Terraform state prior to plan...

Error refreshing state: 1 error(s) occurred:

1 error(s) occurred:

InvalidClientTokenId: The security token included in the request is invalid
status code: 403, request id:

No matter what I do... I've tried AWS_TOKEN as the key as well, Terraform fails to use temporary credentials. If I use a Permanent Access Key and Secret Access Key it works. I thought this issue had been solved.

@cabarria
Copy link
Author

cabarria commented May 6, 2016

Looks like this is failing because the temporary credentials are being requested using the GetFederationToken API. http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html

Those temporary credentials are not allowed to make IAM API or STS calls. There must be some code in Terraform checking for that regardless of whether the user intends to work with IAM or not.

I think this should be fixed... Terraform shouldn't presume to know that the credentials provided are not adequate to perform whatever actions the user needs.

@radeksimko
Copy link
Member

radeksimko commented May 8, 2016

Hi @cabarria
I was able to reproduce this. You're right in a way that Terraform currently uses iam:GetUser to validate credentials.

We may be able to swap this with a fairly new API endpoint sts:GetCallerIdentity which wasn't available before. It seems that this API method is always available, even in regions that have explicitly disabled STS support.

I need to confirm this is expected and correct behaviour w/ AWS support and then we should be good to make that change.

This also makes me think that our recent changes for allowed_account_ids & forbidden_account_ids won't work yet for federated accounts due to this validation we have in place. they will mostly work because credentials validation ignores certain error codes coming from iam:GetUser.

@radeksimko
Copy link
Member

radeksimko commented May 8, 2016

I just verified that sts:GetCallerIdentity works on EC2 instances too.

I also approached the AWS support in regards to disabled STS regions and the representative told me to wait until they hear confirmation back from the service team. I think I will prepare a PR in the meantime though.

@radeksimko
Copy link
Member

See PR that is fixing this at #6536

@cabarria
Copy link
Author

cabarria commented May 9, 2016

Thanks for the quick response!!!

@riponbanik
Copy link

is it being fixed on terraform v0.7.13. Stil having issue

export AWS_ACCESS_KEY=$aws_access_key
export AWS_SECRET_KEY=$aws_secret_key
export AWS_SECURITY_TOKEN=$aws_security_token

terraform apply -var ami_id=$ami_id -var aws_access_key=$aws_access_key -var aws_secret_key=$aws_secret_key -var aws_region=$AWS_DEFAULT_REGION

@lewismarshall
Copy link

lewismarshall commented Feb 3, 2017

Still having the issue in version v0.8.5 although it works with just terraform plan with skip_credentials_validation = true:

provider "aws" {
  access_key = ""
  secret_key = ""
  skip_credentials_validation = true
}

I'm using MFA and grabbing STS creds from:

local creds_json=$(aws sts assume-role --output json --role-arn ${role_arn} --profile ${profile} --role-session-name ${profile} )

export AWS_ACCESS_KEY_ID=$(echo ${creds_json} | jq -r '.Credentials.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(echo ${creds_json} | jq -r '.Credentials.SecretAccessKey')
export AWS_SECURITY_TOKEN=$(echo ${creds_json} | jq -r '.Credentials.SessionToken')
export AWS_SESSION_EXPIRE=$(echo ${creds_json} | jq -r '.Credentials.Expiration')

Error:

Error applying plan:

1 error(s) occurred:

* aws_instance.example: Error launching source instance: AuthFailure: AWS was not able to validate the provided access credentials
       	status code: 401, request id: 25c3671f-2e13-4f02-a7ba-825d20ea441c

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure

@lewismarshall
Copy link

OK so It works without skip_credentials_validation once export AWS_SESSION_TOKEN="${AWS_SECURITY_TOKEN}" is also set!

@satyamuralidhar
Copy link

@kcd83
Copy link

kcd83 commented Oct 31, 2019

I think the use of AWS_SESSION_TOKEN instead of AWS_SECURITY_TOKEN could be documented here https://www.terraform.io/docs/providers/aws/index.html

But thanks for this, it resolved my issue

@ghost
Copy link

ghost commented Nov 1, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Nov 1, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

7 participants