Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: Unable to assume_role_with_web_identity for s3 backend #35996

Open
b4ird opened this issue Nov 13, 2024 · 0 comments
Open

[Bug]: Unable to assume_role_with_web_identity for s3 backend #35996

b4ird opened this issue Nov 13, 2024 · 0 comments
Labels
backend/s3 bug new new issue not yet triaged

Comments

@b4ird
Copy link

b4ird commented Nov 13, 2024
edited
Loading

Terraform Version

1.7.5

Terraform Configuration Files

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.75.1"
    }
  }
  backend "s3" {
    assume_role_with_web_identity {
      role_arn                = "arn:aws:iam::12345:role/my-role"
      web_identity_token_file = ".web-identity-token"
    }
  }
}

provider "aws" {
  region = var.aws_region

  assume_role_with_web_identity {
    role_arn                = "arn:aws:iam::54321:role/my-role"
    web_identity_token_file = ".web-identity-token"
  }
}

provider "aws" {
  alias  = "legacy"
  region = var.aws_region

  assume_role_with_web_identity {
    role_arn                = "arn:aws:iam::12345:role/my-role"
    web_identity_token_file = ".web-identity-token"
  }
}

Debug Output

https://gist.github.com/b4ird/4ca84515d3a501af8ddacd6397bd5621#file-gistfile1-txt

Expected Behavior

S3 backend should be inited successfully via OIDC role assumption

Actual Behavior

Fails to find credentials:

Error: failed to refresh cached credentials, no EC2 IMDS role found,
│ operation error ec2imds: GetMetadata, failed to get API token, operation
│ error ec2imds: getToken, http response error StatusCode: 400, request to
│ EC2 IMDS failed

Steps to Reproduce

Running terraform init with a similar setup

Additional Context

When switching the backend to local whilst keeping the existing provider config, the role assumption works. Given I'm able to assume the same account/role combination via the aws provider this rules out any OIDC trust relationship issues.

References

No response
@b4ird b4ird added bug new new issue not yet triaged labels Nov 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
backend/s3 bug new new issue not yet triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jbardin @b4ird