-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug]: Authentication failure on v5.24.0 - incorrectly trying to use ec2 IMDS #34234
Comments
Community NoteVoting for Prioritization
Volunteering to Work on This Issue
|
Potential cause: aws/aws-sdk-go-v2#2328. |
Same issue here.
I tried to set the It is blocking all our infra pipelines so forced to downgrade for now |
Hi @adamaziz15 and @yogeek, thanks for reporting this. Unfortunately, the IMDS error message is a bit of a red herring. The AWS SDK for Go v2 always tries IMDS unless it is explicitly disabled using the provider configuration parameter Could either of you include a debug log of the authentication flow, please? Set the environment variable @yogeek, I see that you're running on an EC2 instance. Is that within a container? @adamaziz15, are you running on EC2? |
@gdavison yes terraform is running inside a container in an EC2 instance |
Do either of your shared configuration or credentials files contain any leading whitespace? There's a change in how the AWS SDK is parsing the file which causes it to fail silently if there is leading whitespace: aws/aws-sdk-go-v2#2349 |
@yogeek do you have a hop limit of 2 set on the underlying EC2 instance? It's required with IMDS v2 (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html#imds-considerations) |
@gdavison I'm not running on EC2. I may have whitespace in the file though as I'm writing it programmatically so definitely something I should check there. Here's the debug log from terraform:
There is more from before those logs, but its seems to be mostly noise, like the following:
|
@gdavison Interesting enough, I still get the same error: This is with the provider configuration option: provider "aws" {
skip_metadata_api_check = true
...
} |
@gdavison my situation seems different than the one of @adamaziz15 Context :
Here is the debug log : Beggining of logs... (collapsed to ease reading)
Then the section containing errors :
What is strange is that the error seems to indicate that the instance profile has not got the permission to do the action, whereas in reality, the instance profile should only be used to assume a role to do this specific action... it seems that the assume role is not taken into account... With exactly the same EC2 and TF code :
I tried setting the hop to 2 : same error |
@yogeek I had a similar setup as You and was able to fix it. I have a file that is pointing to
And
Running terraform with this setup was failing with:
What solved this problem in my case was to remove all whitespaces in profile definition:
I hope that it will help 😃 |
It looks like the fixes to the upstream AWS SDK have resolved this issue. If you're still experiencing this problem, please open a new issue |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
Terraform Core Version
1.5.3
AWS Provider Version
5.24.0
Affected Resource(s)
No response
Expected Behavior
I have a provider configuration just like this:
Expected Behavior: The terraform provider should be able to authenticate without any issues.
Actual Behavior
Instead of authenticating properly I get the following error:
It's my understanding that ec2 imds is only to be used when running TF from an ec2 instance and trying to use the instance metadata to authenticate. So in this case I think maybe the wrong authentication strategy is being used. This works fine on v5.23.1
Relevant Error/Panic Output Snippet
No response
Terraform Configuration Files
The provider configuration is very similar to this:
I have a creds file at the shared_credentials_files path I provided and it looks like:
Steps to Reproduce
terraform plan
💥Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
No response
Would you like to implement a fix?
None
The text was updated successfully, but these errors were encountered: