terraform-provider-aws
error configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: SignatureDoesNotMatch: Credential should be scoped to a valid region, not 'us-east-1'
This issue was originally opened by @barath1406 as hashicorp/terraform#26001. It was migrated here as a result of the provider split. The original body of the issue is below.
Wrote a simple terraform script for EC2 Instance creation via assume role from provider file. Below are provider config content,
Provider File:
provider "aws" {
  region     = "eu-west-1"
  access_key = "Access key value"
  secret_key = "secret key value"
  endpoints {
    sts = "https://sts.eu-west-1.amazonaws.com"
  }
  assume_role {
    role_arn     = "role_name value"
    session_name = "role_session_name"
  }
}
Version Details:
terraform-0.12.29
terraform-provider-aws_v2.70.0_x4
terraform-provider-aws_v3.0.0_x5
terraform-provider-consul_v2.8.0_x4
terraform-provider-external_v1.2.0_x4
terraform-provider-null_v2.1.2_x4
terraform-provider-template_v2.1.2_x4
The provided access and secret keys have the privilege for STS assume role. During terraform plan we are getting the below error; it states the "us-east-1" region and fails. But nowhere in the configuration are we pointing to "us-east-1". Could you please help me out here?
Error logs: Refreshing Terraform state in-memory prior to plan... The refreshed state will be used to calculate this plan, but will not be persisted to local or remote state storage.
Error: error configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: SignatureDoesNotMatch: Credential should be scoped to a valid region, not 'us-east-1'. status code: 403, request id: xxxxxxxxxxxxx-xxxxxxxxxxxxxx-xxxxxxxxxxxxxx
on provider.tf line 1, in provider "aws": 1: provider "aws" {
NOTE: We have manually generated the keys from the assume role and exported them to the environment variables, and AWS CLI commands are working fine; however, we are facing an issue with terraform plan.
@barath1406 Thanks for raising this issue.
Can you try setting the AWS_STS_REGIONAL_ENDPOINTS environment variable to the value regional?
https://docs.aws.amazon.com/credref/latest/refdocs/setting-global-sts_regional_endpoints.html
I have the same issue, setting AWS_STS_REGIONAL_ENDPOINTS didn't help, here are the logs:
---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: sts.eu-central-1.amazonaws.com
User-Agent: aws-sdk-go/1.31.9 (go1.14.9; darwin; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.13.3
Content-Length: 43
Authorization: AWS4-HMAC-SHA256 Credential=xxx/20200928/eu-central-1/sts/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-security-token, Signature=xxx
Content-Type: application/x-www-form-urlencoded; charset=utf-8
X-Amz-Date: 20200928T130509Z
X-Amz-Security-Token: FwoGZXIvYXdzEMv//////////xxx==
Accept-Encoding: gzip
Action=GetCallerIdentity&Version=2011-06-15
-----------------------------------------------------
2020/09/28 15:05:10 [DEBUG] [aws-sdk-go] DEBUG: Response sts/GetCallerIdentity Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 403 Forbidden
Connection: close
Content-Length: 297
Content-Type: text/xml
Date: Mon, 28 Sep 2020 13:05:09 GMT
X-Amzn-Requestid: 2b70498f-3ffc-41b0-b048-1e5d41f34014
upd. 1
In my case it was because I placed access_key and secret_key wrongly. When I run:
AWS_ACCESS_KEY_ID=xxx AWS_SECRET_ACCESS_KEY=xxx terraform init
it worked out fine.
upd. 2
Most likely it was because of the stale .terraform directory, anyone who meets this issue, try first to rm -rf .terraform and then terraform init
See here for discussion on solutions.
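The Authorization header in the request log above carries a credential scope of the form key/date/region/service/aws4_request. The following is an added example, not code from this thread or from the provider, showing that the SigV4 signing key is derived from that region, so the same request signed for us-east-1 and for eu-central-1 yields different scopes and signatures. The credentials are the AWS documentation placeholders, and only three headers are signed here where the logged request signs five.

```python
import hashlib
import hmac

BODY = "Action=GetCallerIdentity&Version=2011-06-15"  # body of the logged request

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """SigV4 key chain: AWS4+secret -> date -> region -> service -> aws4_request."""
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = _hmac(key, part)
    return key

def authorization(access_key, secret, region, host, amz_date):
    """Build the Authorization header for POST / with BODY (simplified header set)."""
    headers = {
        "content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "host": host,
        "x-amz-date": amz_date,
    }
    signed = ";".join(sorted(headers))
    canonical = "\n".join([
        "POST", "/", "",  # method, path, empty query string
        "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
        signed,
        hashlib.sha256(BODY.encode()).hexdigest(),
    ])
    scope = f"{amz_date[:8]}/{region}/sts/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = signing_key(secret, amz_date[:8], region, "sts")
    sig = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed}, Signature={sig}")

def scope_region(auth_header: str) -> str:
    """Region field of the credential scope: key/date/REGION/service/aws4_request."""
    return auth_header.split("Credential=")[1].split(",")[0].split("/")[2]

if __name__ == "__main__":
    # AWS documentation placeholder credentials (not real keys); constructed input.
    ak, sk = "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
    host, ts = "sts.eu-central-1.amazonaws.com", "20200928T130509Z"
    for region in ("eu-central-1", "us-east-1"):
        hdr = authorization(ak, sk, region, host, ts)
        print(region, scope_region(hdr), hdr.rsplit("=", 1)[1][:16])
```

When reading a provider debug log, compare the region in the Credential scope with the region in the Host header; they should name the same region for a regional STS endpoint.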
aws configure worked for me. Once you type it, you are going to be prompted for:
terra@xtian 👺 > aws configure
AWS Access Key ID [****************2TYQ]:
AWS Secret Access Key [****************/n+q]:
Default region name [us-east-1]:
Default output format [json]:
and terraform plan again, it should work
I am also getting the same issue
Rajendra
@RajendraVenkata This issue is because your system date/time is wrong.
> @RajendraVenkata This issue is because your system date/time is wrong.
it helped me, thanks. I changed time setting - automatically set up time
> @RajendraVenkata This issue is because your system date/time is wrong.
saved my day.. didn't notice that !!! :D
To resolve this issue, you just need to delete "rm -rf .terraform" and "rm -rf .terraform.lock.hcl" and then run this command "terraform init -backend-config="access_key=xxxxxxxxxxxxxxxxxxxx" -backend-config="secret_key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx""
The right set of commands should be:
rm -r .terraform
rm -r .terraform.lock.hcl
and then run this command to configure backend
terraform init -backend-config=access_key="xxxxxxxxxxxx" -backend-config=secret_key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
After that you can run terraform plan to preview whether the configuration made is right or not and if it works correctly then run terraform apply
In my case, after rotating my AWS key, I had updated the [default] profile in ~/.aws/credentials, but not the profile I was using in my Terraform script, referred to by the profile parameter in the provider "aws" section. Once I did that, everything worked fine.
The solutions suggested by @engr-usman and @arjungoel didn't work for me.
Hey @fransf-wtax, did you configure the credentials again using aws configure before trying that out? The solution I provided above worked for me in the first go.
@arjungoel All aws configure does is update ~/.aws/credentials. So I think the terraform init step is redundant, at least it was for me, since Terraform takes the credentials from ~/.aws/credentials anyway.
@fransf-wtax if you are using aws vault or any other utility to log in on the aws cli, then first you should log out and log in again, then perform all of the above steps.
In my test environment I was using the root user's access key and secret access key, which did not work. After creating a dedicated user the error did not occur anymore.
In detail I did the following steps:
- Created a user called terraform here
- Created a new group Administrators with attached permissions AdministratorAccess by following the wizard
- Copied access key and secret access key to ~/.aws/credentials
[default]
aws_access_key_id=xxx
aws_secret_access_key=xxx
- Created ~/.aws/config
[default]
region=us-west-2
output=json
- Deleted .terraform.d in my home folder as well as .terraform and .terraform.lock.hcl in my projects folder
- Executed aws configure and terraform init in my projects folder
After that terraform plan and terraform apply worked for me. Hope it helps someone.
> @RajendraVenkata This issue is because your system date/time is wrong.
Was the same issue for me as well, since it was a remote VM I didn't even pay attention to the timezone and was troubleshooting AWS credentials, although the time was off by seconds, making it consistent fixed the problem.
I just faced this issue and the solution was simple. I'm using Terraform in Docker, and the AWS_DEFAULT_REGION envvar was missing. So my init is like:
docker run \
-v "${PWD}:/workspace" \
-w /workspace \
-e AWS_ACCESS_KEY_ID \
-e AWS_SECRET_ACCESS_KEY \
-e AWS_SESSION_TOKEN \
-e AWS_DEFAULT_REGION \
hashicorp/terraform:1.1.7 init \
-backend-config="region=ap-southeast-2" \
-backend-config="bucket=mybuckett" \
-backend-config="key=path/to/my.tfstate" \
-backend-config="dynamodb_table=my_dynamo_table" \
-backend-config="encrypt=true"
I am currently facing this issue @ryanisnan and @ginigangadharan, please how did you change the time? I used sudo date then typed the correct date and time but I got error as "command not found". Kindly send the command to use. Thank you
@Helen-Chukwukelu I have adjusted the date/time and zone correctly
@ginigangadharan I am finding it hard adjusting the time. Can you help with a command to do that? I am using aws CLI. Thank you
Which OS are you referring to?
--
Gineesh
linkedin.com/in/gineesh
@ginigangadharan I am using Centos 7. Below is the error I get
Error: error configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: b7bcd89f-8502-434a-964b-4ee16a2b78cb, api error SignatureDoesNotMatch: Signature not yet current: 20220504T114431Z is still later than 20220504T040106Z (20220504T034606Z + 15 min.)
│
│   with provider["registry.terraform.io/hashicorp/aws"],
│   on main.tf line 2, in provider "aws":
│    2: provider "aws" {
│
I really need help as this issue has persisted for days. Thank you
This is me coming back to edit .......I resolved the issue by simply adjusting my PC time. The below image shows the setting
Sometimes, if the session is disconnected or expired, we get the sts:GetCallerIdentity error. Secondly, check whether the IAM access key's status is active or inactive.
Try following method as well, it works for me: To resolve this issue, you just need to delete "rm -rf .terraform" and "rm -rf .terraform.lock.hcl" and then run this command "terraform init -backend-config="access_key=xxxxxxxxxxxxxxxxxxxx" -backend-config="secret_key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx""
I tried terraform init -backend-config="access_key=xxxxxxxxxxxxxxxxxxxx" -backend-config="secret_key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" but still not working. :/
Error: error configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: IncompleteSignature: 'SNMPGLC' not a valid key=value pair (missing equal-sign) in Authorization header: 'AWS4-HMAC-SHA256 Credential=AKIA SNMPGLC LNH MDGH/20220605/us-east-1/sts/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date, Signature=a0e3f6c7fa5ceafcb9d9fd0c081dd79c730b5588176f1b977ff747603d3883f4'. status code: 400, request id: 1b0b385c-157a-4f93-8387-cef0efdaeb95 with provider["registry.terraform.io/hashicorp/aws"] on main.tf line 23, in provider "aws":
I am getting this error while running this tutorial https://learn.hashicorp.com/tutorials/terraform/github-actions
Not sure why, and I configured all the credentials as mentioned by HashiCorp.
> @RajendraVenkata This issue is because your system date/time is wrong.
Worked for me. Thanks!
I have this issue only for the me-south-1 region, while US regions work fine.
- I already checked the date/time, my system uses NTP so I don't think this is the problem here
- I already tried removing .terraform and .terraform.lock.hcl and running "terraform init" again, not solved
My default region in the .aws/config file is us-west-2, but I set the me-south-1 for the "region" property in the aws "provider" in my main.cf file
I've found a suggestion to make the setting below in my AWS settings, but it doesn't seem to solve this issue either: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#sts-regions-manage-tokens
Error: error configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: operation error STS: GetCallerIdentity, https response error StatusCode: 400, RequestID: 73390445-95df-48e8-b897-1e06913a4946, api error IncompleteSignature: '/20220809/us-east-1/sts/aws4_request' not a valid key=value pair (missing equal-sign) in Authorization header: 'AWS4-HMAC-SHA256 Credential=SAKIA5GT5RFZMSQI2BR6V /20220809/us-east-1/sts/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date, Signature=a0011c33fdf04a7739ed5ed4421c3ea2ba6ad3f3365cde8d07e7c5c319ed5d3e'.
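The errors quoted in this thread come in three shapes: a "Signature not yet current" message that includes both the client and server timestamps, an IncompleteSignature message whose Credential field contains whitespace inside the access key ID, and the "should be scoped to a valid region" message. The following is an added triage example, not code from the thread or the provider; the sample strings are constructed in those shapes, using the timestamps from the CentOS 7 report and the AWS documentation placeholder key ID.

```python
import re
from datetime import datetime

TS = r"(\d{8}T\d{6}Z)"
SKEW = re.compile(rf"Signature not yet current: {TS} is still later than {TS} \({TS} \+ 15 min\.\)")
CRED = re.compile(r"IncompleteSignature.*?Credential=(.*?)/\d{8}/")
REGION = re.compile(r"Credential should be scoped to a valid region, not '([a-z0-9-]+)'")

def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y%m%dT%H%M%SZ")

def triage(message: str) -> dict:
    """Classify one sts:GetCallerIdentity error string by the shapes quoted in the thread."""
    m = SKEW.search(message)
    if m:
        # group 1 = time the client signed with, group 3 = server time.
        ahead = int((_ts(m.group(1)) - _ts(m.group(3))).total_seconds())
        return {"cause": "clock_skew", "client_ahead_seconds": ahead}
    m = CRED.search(message)
    if m and re.search(r"\s", m.group(1)):
        # Report a count only; never echo the key ID itself into a report.
        spaces = len(re.findall(r"\s", m.group(1)))
        return {"cause": "whitespace_in_access_key_id", "whitespace_chars": spaces}
    m = REGION.search(message)
    if m:
        return {"cause": "region_scope_mismatch", "signed_region": m.group(1)}
    return {"cause": "unknown"}

# Constructed samples in the shapes quoted in the thread. The key ID is the
# AWS documentation placeholder with a space inserted; the timestamps in the
# first sample are the ones from the CentOS 7 report.
SAMPLES = [
    "api error SignatureDoesNotMatch: Signature not yet current: 20220504T114431Z "
    "is still later than 20220504T040106Z (20220504T034606Z + 15 min.)",
    "IncompleteSignature: 'EXAMPLE' not a valid key=value pair (missing equal-sign) "
    "in Authorization header: 'AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7 EXAMPLE"
    "/20220605/us-east-1/sts/aws4_request, SignedHeaders=host;x-amz-date, Signature=0'",
    "SignatureDoesNotMatch: Credential should be scoped to a valid region, not 'us-east-1'",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

For the CentOS 7 report the result is a client clock 28705 seconds (just under eight hours) ahead of the server, which matches the fix of correcting the system time.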