backend/s3: `assume_role_with_web_identity` ignores related environment variables
Terraform Version
v1.6.0-beta1
Terraform Configuration Files
```hcl
terraform {
  backend "s3" {
    bucket = "jb-test"
    key    = "path/to/statefiles"
    region = "us-east-1"
  }
}
```
Debug Output
https://github.com/hashicorp/terraform/pull/31276#issuecomment-1703530574
Expected Behavior
The assume_role_with_web_identity block should respect the corresponding AWS environment variables.
Actual Behavior
Role assumption flow fails.
Steps to Reproduce
- Set the `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` environment variables.
- Run `terraform init`.
- Observe failure.
Additional Context
Originally reported in this comment: https://github.com/hashicorp/terraform/pull/31276#issuecomment-1703530574
References
Relates #31276
Relates #33730
@manobi this should actually work, since the AWS SDK for Go handles the environment variables. I've created a branch that (re-)enables API request logging for the authentication flow at https://github.com/hashicorp/terraform/tree/s3/log-base.
Can you try again using that branch and with the environment variable TF_LOG set to DEBUG and share the log, please?
Can you also please share your backend configuration?
I would love to help with this test, but I only have this trust relationship for my CI/CD runners.
I can't try it until it's published as a docker image on docker hub or something like it.
The logging update should be released in v1.6.0-beta2
Has it already been released to public Docker registries?
No, v1.6.0-beta2 has not yet been built and released at all, thus it is not in Dockerhub. See also: https://hub.docker.com/r/hashicorp/terraform/tags
Hi @manobi, v1.6.0-beta3 is now on Dockerhub
Hi @manobi. Now that v1.6 has been released, are you still seeing this problem? If so, can you please share your backend configuration and a debug log generated by setting the environment variable TF_LOG to DEBUG
I'm seeing a similar issue with v1.6.5, however the steps to reproduce are a bit different (set AWS_WEB_IDENTITY_TOKEN_FILE env var, set role_arn in backend config).
```text
Initializing the backend...
╷
│ Error: Missing Required Value
│
│ on main.tf line 9, in terraform:
│ 9: backend "s3" {
│
│ Exactly one of web_identity_token, web_identity_token_file must be set.
╵
```
Perhaps I'm barking up the wrong tree and this is a SDK issue, similar to: https://github.com/hashicorp/terraform-provider-aws/issues/27019.
@crw @justinretzolk since you both responded to my issue yesterday in a related way, I wanted to bring this to your attention as soon as possible, given that 1.10 now enforces the split of assume role and assume web identity. Essentially, assume with web identity is broken for 1.10 if you were previously using environment variables.
Exactly one of web_identity_token, web_identity_token_file must be set.
I can confirm 100% that AWS_WEB_IDENTITY_TOKEN_FILE is set, and this is an AWS SDK supported environment variable. So not only has this issue existed since Sept 2023; now that 1.10 forces use of the two assume role blocks, it's broken hard in 1.10+.
```text
│ on backend.tf line 8, in terraform:
│  8: assume_role_with_web_identity = {
│  9:   role_arn     = "arn:aws:iam::XXXXXXXXXXXXX:role/tfstate-management-role"
│ 10:   external_id  = "LEARNED THIS IS JUST IGNORED"
│ 11:   session_name = "tfstate-UUID"
│ 12:   policy       = "CRAFTED_POLICY"
│ 13: }
│
│ Exactly one of web_identity_token, web_identity_token_file must be set.
```
AWS_WEB_IDENTITY_TOKEN_FILE is set by the environment and should 100% be used as the value for web_identity_token_file. This used to work without the assume_role_with_web_identity block, AND it's even stated in the docs to be supported, but I confirmed it is NOT.
@crw can we get eyes on this, we do a lot of automated deployments and use automatic env vars to set roles and can't use this functionality due to this bug. I believe it's as simple as removing https://github.com/hashicorp/terraform/blob/main/internal/backend/remote-state/s3/backend.go#L522C1-L528C4 as the SDK should pick up the env var automatically if they aren't set.
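The validation error quoted above and in the original reproduction steps says the backend wants exactly one of `web_identity_token` / `web_identity_token_file` set explicitly, regardless of what the SDK would read from the environment. The script below is an added example, not code from the issue or from Terraform: it takes the same `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` variables a CI runner already exports, checks that the token file is actually readable, and renders a partial backend configuration that passes `web_identity_token_file` explicitly for `terraform init -backend-config=FILE`. The function names, the `AWS_ROLE_SESSION_NAME` fallback and the assumption that the S3 backend accepts the `assume_role_with_web_identity` object in a partial-configuration file are mine; the role ARN in the usage note is a placeholder.

```shell
#!/bin/sh
# Added example (not from the issue thread or the Terraform code base).
# Render a partial S3 backend configuration from the web-identity environment
# variables so the backend's "exactly one of web_identity_token,
# web_identity_token_file must be set" check is satisfied explicitly.

# Print the backend config fragment on stdout.
# Returns 1 (with a message on stderr) if the inputs are missing or unusable,
# so a CI job fails before `terraform init` rather than after.
render_backend_config() {
  role_arn="$AWS_ROLE_ARN"
  token_file="$AWS_WEB_IDENTITY_TOKEN_FILE"
  # Assumption: session name is optional; fall back to a fixed value.
  session="${AWS_ROLE_SESSION_NAME:-terraform-state}"

  if [ -z "$role_arn" ]; then
    echo "AWS_ROLE_ARN is not set" >&2
    return 1
  fi
  if [ -z "$token_file" ]; then
    echo "AWS_WEB_IDENTITY_TOKEN_FILE is not set" >&2
    return 1
  fi
  # The SDK would fail later with a less obvious error if the projected
  # token file is unreadable; check it up front.
  if [ ! -r "$token_file" ] || [ ! -s "$token_file" ]; then
    echo "web identity token file is missing or empty: $token_file" >&2
    return 1
  fi

  # Partial backend configuration in HCL key/value form.
  # external_id is deliberately omitted: the thread reports it is ignored here.
  cat <<EOF
assume_role_with_web_identity = {
  role_arn                = "$role_arn"
  session_name            = "$session"
  web_identity_token_file = "$token_file"
}
EOF
}

# Write the fragment to a file and initialise the backend with it.
# The bucket/key/region stay in the static backend "s3" block in main.tf.
init_with_web_identity() {
  cfg="${1:-backend.web-identity.hcl}"
  render_backend_config > "$cfg" || return 1
  terraform init -backend-config="$cfg"
}
```

Typical use in a runner: `AWS_ROLE_ARN=arn:aws:iam::123456789012:role/tfstate-management-role init_with_web_identity`, with `AWS_WEB_IDENTITY_TOKEN_FILE` already exported by the platform. The token file path is quoted as-is, so paths with spaces are preserved; the fragment is regenerated on every run rather than committed, because the projected token path differs between runners.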
I'll re-raise it with the AWS Provider team here at HashiCorp.
Any news on this issue?
Can the documentation be updated to clarify this doesn't work? It would save people from wasting hours on configuration that can't succeed.