S3 Module Source does not work with AWS SSO

Open kevinprince opened this issue 10 months ago • 1 comments

Terraform Version

Terraform v1.10.5
on darwin_arm64

Terraform Configuration Files

    "module": {
        "init": [
            {
                "environment": "${local.config.environment}",
                "name": "${local.config.name}",
                "source": "s3::https://bucket-name.s3.us-east-2.amazonaws.com/terraform/module.zip"
            }
        ]
    }

Debug Output

╷
│ Error: Failed to download module
│ 
│   on main.tf.json line 8, in module:
│    8:         "init": [
│ 
│ Could not download module "init" (main.tf.json:8) source code from "s3::https://the-bucket.s3.us-east-2.amazonaws.com/terraform/modules/truss-definitons.zip": NoCredentialProviders: no valid providers in chain
│ caused by: EnvAccessKeyNotFound: AWS_ACCESS_KEY_ID or AWS_ACCESS_KEY not found in environment
│ SharedCredsLoad: failed to load shared credentials file
│ caused by: FailedRead: unable to open file
│ caused by: open /Users/kevin/.aws/credentials: no such file or directory
│ EC2RoleRequestError: no EC2 instance role found
│ caused by: RequestError: send request failed
│ caused by: Get "http://169.254.169.254/latest/meta-data/iam/security-credentials/": dial tcp 169.254.169.254:80: connect: host is down

Expected Behavior

Installs the module from AWS using available keys

Actual Behavior

See above.

Steps to Reproduce

  1. Source a module from S3
  2. Login to AWS using IAM Identity Center / AWS SSO
  3. Try to init

Additional Context

If using a local file ref for the module instead, deployment is fine, as Terraform uses AWS SSO creds without any issue.

aws s3 ls works and can download the file with aws s3 cp.

References

No response

Generative AI / LLM assisted development?

No response

kevinprince • Feb 12 '25 16:02

Hey @kevinprince,

Thank you for reporting this. It's good to note that Terraform module sourcing relies on functionality from an upstream package called go-getter. I expect this to require an upstream fix, specifically in the AWS credential chain resolution, to properly support SSO federated credentials.

bschaatsbergen • Feb 12 '25 16:02
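
The debug output above lists the credential sources the S3 getter tried: environment variables, the shared credentials file, and the EC2 instance role. The pre-flight check below is an added example, not code from Terraform, go-getter or anyone in this thread; the function name `preflight` and its verdict strings are hypothetical, and it does not resolve which profile is active.

```shell
#!/bin/sh
# Added example (not from the thread): report which of the credential sources
# named in the error output would be found before running `terraform init`.
# The EC2 instance-role lookup is not probed; it only applies on an instance.

# preflight CREDS_FILE CONFIG_FILE
# Prints one verdict: env | shared-file | sso-only | none
preflight() {
    creds_file=$1
    config_file=$2

    # 1. Environment variables named in the error message.
    if [ -n "${AWS_ACCESS_KEY_ID:-}${AWS_ACCESS_KEY:-}" ]; then
        echo env
        return 0
    fi

    # 2. Shared credentials file that actually holds an access key.
    if [ -r "$creds_file" ] &&
       grep -Eq '^[[:space:]]*aws_access_key_id[[:space:]]*=' "$creds_file"; then
        echo shared-file
        return 0
    fi

    # 3. Only an SSO / IAM Identity Center profile is configured: this is the
    #    situation reported in the issue, where the download fails.
    if [ -r "$config_file" ] &&
       grep -Eq '^[[:space:]]*sso_(session|start_url)[[:space:]]*=' "$config_file"; then
        echo sso-only
        return 0
    fi

    echo none
}

# One option when the verdict is "sso-only" (an assumption, not confirmed in
# the thread): with AWS CLI v2, place the short-lived SSO credentials in the
# environment of the current shell only, rather than writing keys to disk:
#   eval "$(aws configure export-credentials --profile NAME --format env)"

# Check the default locations for the current user.
preflight "$HOME/.aws/credentials" "$HOME/.aws/config"
```

A verdict of `sso-only` or `none` means the module download is expected to fail with the `NoCredentialProviders` error shown above.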

Likely a duplicate of #34767. Also, the go-getter issue is almost 4 years old. Noice

Msouza91 • Mar 21 '25 13:03

Yes, good call @Msouza91. Closing as dupe of #34767.

crw • Mar 21 '25 17:03

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions[bot] • Apr 21 '25 02:04