terraform-provider-aws
Unable to create IAM resources in us-gov-east-1
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform Version
Terraform 0.12.24
Affected Resource(s)
- aws_iam_role
- aws_iam_group_policy_attachment
- likely all aws_iam resources
Terraform Configuration Files
provider "aws" {
  region  = "us-gov-east-1"
  profile = "gov"
  endpoints {
    sts = "sts.us-gov-east-1.amazonaws.com"
    iam = "iam.us-gov.amazonaws.com"
  }
}

resource "aws_iam_role" "test" {
  name = "iam-assume-role"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}
Debug Output
Panic Output
aws_iam_role.test: Creating...

Error: Error creating IAM Role iam-assume-role: SignatureDoesNotMatch: Credential should be scoped to a valid region, not 'us-gov-east-1'.
        status code: 403, request id: db52a3fc-56c9-4463-9a3e-d2f6f3676e71

  on main.tf line 12, in resource "aws_iam_role" "test":
  12: resource "aws_iam_role" "test" {
Expected Behavior
IAM Resource created.
Actual Behavior
Error occurred and the resource is not created.
Steps to Reproduce
NOTE: Must have a valid AWS US GOV account to reproduce.
terraform apply
Important Factoids
If the us-gov-west-1 region is used for the region attribute and the sts endpoint, the Terraform config succeeds. This leads me to believe the issue is not with my own credentials or configuration.
References
I'm experiencing the same issue. It appears the AWS CLI handles IAM requests against us-gov-east-1 by scoping the credential it uses to us-gov-west-1/iam/aws4_request. The Terraform provider is not performing this region scoping translation, and uses the credential scope us-gov-east-1/iam/aws4_request, which presumably iam.us-gov.amazonaws doesn't accept.
EDIT: The underlying cause might be better explained in https://github.com/hashicorp/terraform-provider-aws/issues/18142
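The SigV4 credential-scope mismatch described in the "Important Factoids" section and in the comment above, as an added illustration that is not part of this issue thread or the provider's code: a global IAM endpoint dictates its own signing region (us-east-1 in the standard partition, us-gov-west-1 in GovCloud), while a regional endpoint such as the STS one is signed with the client's configured region. The endpoint-to-region mapping is an assumption based on documented AWS partition behaviour, and the secret key and date are constructed sample values.

```python
import datetime
import hashlib
import hmac

# Global (partition-wide) endpoints and the region their SigV4 credential
# scope must name. Assumption: IAM in the standard partition signs as
# us-east-1; IAM in GovCloud signs as us-gov-west-1 regardless of which
# GovCloud region the caller is configured for.
GLOBAL_ENDPOINT_SIGNING_REGION = {
    "iam.amazonaws.com": "iam", 
}
GLOBAL_ENDPOINT_SIGNING_REGION = {
    "iam.amazonaws.com": "us-east-1",
    "iam.us-gov.amazonaws.com": "us-gov-west-1",
}


def signing_region(endpoint_host: str, configured_region: str) -> str:
    """Return the region to place in the SigV4 credential scope.

    A global endpoint overrides the configured region; a regional endpoint
    (e.g. sts.us-gov-east-1.amazonaws.com) keeps it. Signing a global IAM
    endpoint with the configured GovCloud East region is the mismatch that
    produces 'Credential should be scoped to a valid region'.
    """
    return GLOBAL_ENDPOINT_SIGNING_REGION.get(endpoint_host, configured_region)


def credential_scope(date: datetime.date, region: str, service: str) -> str:
    """Build the scope string that appears in the Authorization header."""
    return f"{date:%Y%m%d}/{region}/{service}/aws4_request"


def sigv4_signing_key(secret_key: str, date: datetime.date,
                      region: str, service: str) -> bytes:
    """Derive the AWS4-HMAC-SHA256 signing key; the region is an input."""
    k_date = hmac.new(("AWS4" + secret_key).encode(),
                      f"{date:%Y%m%d}".encode(), hashlib.sha256).digest()
    k_region = hmac.new(k_date, region.encode(), hashlib.sha256).digest()
    k_service = hmac.new(k_region, service.encode(), hashlib.sha256).digest()
    return hmac.new(k_service, b"aws4_request", hashlib.sha256).digest()


def scope_for_request(endpoint_host: str, configured_region: str,
                      service: str, date: datetime.date) -> str:
    """Credential scope a correct client sends for this endpoint."""
    return credential_scope(date, signing_region(endpoint_host, configured_region), service)
```

Because the region feeds the key derivation, a key derived for us-gov-east-1 can never validate against a server deriving for us-gov-west-1, which is why the server rejects the request rather than ignoring the scope.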
Do you have a workaround other than removing the custom endpoint?
Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.
If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.