Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug]: Unable to assume_role_with_web_identity for s3 backend #35996

Open
b4ird opened this issue Nov 13, 2024 · 1 comment
Open

[Bug]: Unable to assume_role_with_web_identity for s3 backend #35996

b4ird opened this issue Nov 13, 2024 · 1 comment
Labels
backend/s3 bug new new issue not yet triaged

Comments

@b4ird
Copy link

b4ird commented Nov 13, 2024

Terraform Version

1.7.5

Terraform Configuration Files

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.75.1"
    }
  }
  backend "s3" {
    assume_role_with_web_identity {
      role_arn                = "arn:aws:iam::12345:role/my-role"
      web_identity_token_file = ".web-identity-token"
    }
  }
}

provider "aws" {
  region = var.aws_region

  assume_role_with_web_identity {
    role_arn                = "arn:aws:iam::54321:role/my-role"
    web_identity_token_file = ".web-identity-token"
  }
}

provider "aws" {
  alias  = "legacy"
  region = var.aws_region

  assume_role_with_web_identity {
    role_arn                = "arn:aws:iam::12345:role/my-role"
    web_identity_token_file = ".web-identity-token"
  }
}

Debug Output

https://gist.github.com/b4ird/4ca84515d3a501af8ddacd6397bd5621#file-gistfile1-txt

Expected Behavior

S3 backend should be inited successfully via OIDC role assumption

Actual Behavior

Fails to find credentials:

Error: failed to refresh cached credentials, no EC2 IMDS role found,
│ operation error ec2imds: GetMetadata, failed to get API token, operation
│ error ec2imds: getToken, http response error StatusCode: 400, request to
│ EC2 IMDS failed

Steps to Reproduce

Running terraform init with a similar setup

Additional Context

When switching the backend to local whilst keeping the existing provider config, the role assumption works. Given I'm able to assume the same account/role combination via the aws provider this rules out any OIDC trust relationship issues.

References

No response

@b4ird b4ird added bug new new issue not yet triaged labels Nov 13, 2024
@crw
Copy link
Collaborator

crw commented Nov 18, 2024

Thanks for this report! The S3 backend is managed by the AWS Provider team at HashiCorp, this issue has been put into their triage queue. Thanks again!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backend/s3 bug new new issue not yet triaged
Projects
None yet
Development

No branches or pull requests

3 participants