
Vault Provider - auth_login_aws does not use environment variables for AWS_SECRET_ACCESS_KEY, AWS_ACCESS_KEY_ID, AWS_SESSION_TOKEN

Open whathelll opened this issue 2 years ago • 9 comments

I've got these environment variables defined:

  • AWS_SECRET_ACCESS_KEY
  • AWS_ACCESS_KEY_ID
  • AWS_SESSION_TOKEN

Terraform Version

v1.3.7

Affected Resource(s)

Vault Provider 3.12

Terraform Configuration Files

terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

provider "vault" {
  address = var.VAULT_ADDR

  auth_login_aws {
    namespace = "admin"
    role      = "myrole"
  }
}

Debug Output

https://gist.github.com/whathelll/9b97fefda12ec2e428617bf52bdc6458

Expected Behavior

It should use the environment variables to authenticate with Vault.

Actual Behavior

│ Error: Missing required argument
│ 
│   with provider["registry.terraform.io/hashicorp/vault"],
│   on main.tf line 13, in provider "vault":
│   13:   auth_login_aws {
│ 
│ "auth_login_aws.0.aws_secret_access_key": all of `auth_login_aws.0.aws_access_key_id,auth_login_aws.0.aws_secret_access_key` must be specified

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform plan

Important Factoids

References

If I use auth_login instead of auth_login_aws, it will pick up the environment variables.

whathelll avatar Feb 09 '23 21:02 whathelll


We too are seeing this same exact issue.

thoreinstein avatar Feb 17 '23 18:02 thoreinstein


Having the same in a GitHub Actions self-hosted runner running on ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20230112.

ohcnkk avatar Feb 24 '23 06:02 ohcnkk

I've got the same issue. Currently working around by using the auth_login block:

provider "vault" {

  address = "https://${var.address}"

  # auth_login_aws {
  #   mount        = "aws"
  #   role         = var.aws_auth_vault_role
  #   header_value = var.address
  # }

  auth_login {
    path   = "/auth/aws/login"
    method = "aws"
    parameters = {
      role         = var.aws_auth_vault_role
      header_value = var.address
    }
  }
}

alexanderchadwick avatar Mar 15 '23 14:03 alexanderchadwick

@alexanderchadwick I suppose there's no way to specify which IAM role to assume when using that approach, right? (I'd use the auth_login_aws[0].aws_role_arn parameter if it weren't for this bug, but I'm not sure the workaround supports this)

gautamg795 avatar Jul 12 '23 00:07 gautamg795

Having the same issue, I can't assume a role with the auth_login_aws, it is just broken. Any updates on this?

Conacious avatar Oct 05 '23 09:10 Conacious

The auth_login {} trick doesn't work if you want to use the STS role switching feature (i.e. auth_login_aws { aws_role_arn = $ROLE }).

dmikalova avatar Nov 03 '23 03:11 dmikalova
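An added example, not posted by anyone in this thread and not the provider's own code, showing a second way around the error that keeps the auth_login_aws block (and therefore aws_role_arn, which the auth_login workaround above loses). The validation only complains that aws_access_key_id and aws_secret_access_key are unset, so the credentials are routed from the environment into the block through sensitive input variables, which Terraform populates from TF_VAR_* environment variables. The attribute names aws_access_key_id, aws_secret_access_key and aws_role_arn are taken from the error message and the comments above; aws_session_token is assumed to be the matching attribute for the session token and is not confirmed by the thread. The variable names, the VAULT_ADDR declaration and the role ARN are placeholders.

```hcl
# Added example: feed the AWS credentials that auth_login_aws does not read
# from AWS_* itself through Terraform variables. Before `terraform plan`:
#   export TF_VAR_aws_access_key_id="$AWS_ACCESS_KEY_ID"
#   export TF_VAR_aws_secret_access_key="$AWS_SECRET_ACCESS_KEY"
#   export TF_VAR_aws_session_token="$AWS_SESSION_TOKEN"   # only for STS creds
# Nothing here is written to a .tfvars file, so no static secret lands on disk.

terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

variable "VAULT_ADDR" {
  type = string
}

variable "aws_access_key_id" {
  type      = string
  sensitive = true # redacted from plan/apply output
}

variable "aws_secret_access_key" {
  type      = string
  sensitive = true
}

variable "aws_session_token" {
  type      = string
  sensitive = true
  default   = null # null leaves the attribute unset for long-lived IAM user keys
}

variable "vault_aws_role_arn" {
  type    = string
  default = null # placeholder: IAM role to assume before the Vault login, if any
}

provider "vault" {
  address = var.VAULT_ADDR

  auth_login_aws {
    namespace = "admin"
    role      = "myrole"

    # Explicit values satisfy the "all of ... must be specified" check.
    aws_access_key_id     = var.aws_access_key_id
    aws_secret_access_key = var.aws_secret_access_key
    aws_session_token     = var.aws_session_token # assumed attribute name
    aws_role_arn          = var.vault_aws_role_arn
  }
}
```

Two caveats for anyone adopting this: `sensitive = true` only hides the values in CLI output; a plan saved with `terraform plan -out` still records input variable values, so treat that file as a secret. And because the values travel through variables rather than the AWS SDK's credential chain, a rotated session token is only picked up when the TF_VAR_* exports are refreshed.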

Is there any update on this? This is quite an annoying issue to get around.

marthinuskr avatar Apr 11 '24 08:04 marthinuskr