s3 backend not using sso session when profile is used #36500

Open
DariB123 opened this issue Feb 13, 2025 · 2 comments
Labels
backend/s3 bug new new issue not yet triaged

Comments

@DariB123

Terraform Version

Terraform v1.5.7

Terraform Configuration Files

main.tf

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.86.1"
    }
  }
  backend "s3" {
    bucket  = ""
    key     = ""
    region  = ""
    profile = ""
  }
}

provider "aws" {
  region  = var.region
  profile = var.profile
}

Backend file

profile="dev"
region="{region}"
bucket="{bucket}"
key="{key}"

AWS SSO Config

Generated by following prompts from aws configure sso

[profile prod]
sso_session = my_org
sso_account_id = account_id
sso_role_name = AdministratorAccess
region = eu-west-2
[sso-session my_org]
sso_start_url = start_url
sso_region = eu-west-2
sso_registration_scopes = sso:account:access
[profile dev]
sso_session = my_org
sso_account_id = account_id
sso_role_name = AdministratorAccess
region = eu-west-2

Debug Output

2025-02-13T14:34:41.829Z [INFO]  Terraform version: 1.5.7
2025-02-13T14:34:41.829Z [DEBUG] using github.com/hashicorp/go-tfe v1.26.0
2025-02-13T14:34:41.829Z [DEBUG] using github.com/hashicorp/hcl/v2 v2.16.2
2025-02-13T14:34:41.829Z [DEBUG] using github.com/hashicorp/terraform-svchost v0.1.0
2025-02-13T14:34:41.829Z [DEBUG] using github.com/zclconf/go-cty v1.12.2
2025-02-13T14:34:41.829Z [INFO]  Go runtime version: go1.23.1
2025-02-13T14:34:41.829Z [INFO]  CLI args: []string{"terraform", "init", "-backend-config=backendconfig"}
2025-02-13T14:34:41.830Z [TRACE] Stdout is a terminal of width 167
2025-02-13T14:34:41.830Z [TRACE] Stderr is a terminal of width 167
2025-02-13T14:34:41.830Z [TRACE] Stdin is a terminal
2025-02-13T14:34:41.830Z [DEBUG] Attempting to open CLI config file: /Users/REDACTED/.terraformrc
2025-02-13T14:34:41.830Z [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2025-02-13T14:34:41.830Z [DEBUG] ignoring non-existing provider search directory terraform.d/plugins
2025-02-13T14:34:41.830Z [DEBUG] ignoring non-existing provider search directory /Users/REDACTED/.terraform.d/plugins
2025-02-13T14:34:41.830Z [DEBUG] ignoring non-existing provider search directory /Users/REDACTED/Library/Application Support/io.terraform/plugins
2025-02-13T14:34:41.830Z [DEBUG] ignoring non-existing provider search directory /Library/Application Support/io.terraform/plugins
2025-02-13T14:34:41.831Z [INFO]  CLI command args: []string{"init", "-backend-config=backendconfig"}

Initializing the backend...
2025-02-13T14:34:41.834Z [TRACE] Meta.Backend: merging -backend-config=... CLI overrides into backend configuration
2025-02-13T14:34:41.834Z [TRACE] Meta.Backend: built configuration for "s3" backend with hash value 1061687487
2025-02-13T14:34:41.835Z [TRACE] Preserving existing state lineage "c5741347-76c2-6ba6-0b35-2fa2e2a597c2"
2025-02-13T14:34:41.835Z [TRACE] Preserving existing state lineage "c5741347-76c2-6ba6-0b35-2fa2e2a597c2"
2025-02-13T14:34:41.835Z [TRACE] Meta.Backend: working directory was previously initialized for "s3" backend
2025-02-13T14:34:41.835Z [TRACE] backendConfigNeedsMigration: given configuration matches cached configuration, so no migration is required
2025-02-13T14:34:41.835Z [TRACE] Meta.Backend: using already-initialized "s3" backend configuration
2025-02-13T14:34:41.836Z [INFO]  Attempting to use session-derived credentials

Expected Behavior

Once aws sso login --sso-session my_org is run, terraform init -backend-config=backendconfig should succeed.

Actual Behavior

Error: error configuring S3 Backend: Error creating AWS session: profile "dev" is configured to use SSO but is missing required configuration: sso_region, sso_start_url

Steps to Reproduce

  1. Configure the AWS SSO as shown above
  2. Create a project using an s3 backend as shown above
  3. Login to AWS SSO
  4. Run terraform init -backend-config=backendconfig

Additional Context

I have tested that the SSO is configured correctly as I am able to use the aws CLI with the --profile option to list all running instances in each of my accounts.

I have been able to get around this by doing the following:

  1. Commenting out the sso-session line in each profile
  2. Adding sso_region and sso_start_url lines in each profile
  3. Running aws sso login --profile {profile}

Although this is obviously tedious as I need to switch between accounts manually.

References

No response

Generative AI / LLM assisted development?

No response

@DariB123 DariB123 added bug new new issue not yet triaged labels Feb 13, 2025
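
An added example, not part of the original issue and not Terraform's or the AWS SDK's code: a Python audit of an AWS config file that lists, per SSO profile, the required keys missing when only the profile's own keys are read versus when the referenced [sso-session] section is resolved. The session-unaware reading is an assumption inferred from the error message and workaround above; the function name, the "legacy" and "broken" profiles and all sample values are constructed.

```python
import configparser

REQUIRED = ("sso_account_id", "sso_region", "sso_role_name", "sso_start_url")

# Constructed sample: "dev" mirrors the report's layout; "legacy" and "broken"
# are hypothetical profiles added for contrast. All values are placeholders.
SAMPLE = """\
[profile dev]
sso_session = my_org
sso_account_id = account_id
sso_role_name = AdministratorAccess
[sso-session my_org]
sso_start_url = start_url
sso_region = eu-west-2
[profile legacy]
sso_start_url = start_url
sso_region = eu-west-2
sso_account_id = account_id
sso_role_name = AdministratorAccess
[profile broken]
sso_session = no_such_session
sso_account_id = account_id
sso_role_name = AdministratorAccess
"""

def audit_sso_profiles(config_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    report = {}
    for section in cp.sections():
        own = dict(cp[section])
        is_profile = section == "default" or section.startswith("profile ")
        if not is_profile or not any(k.startswith("sso_") for k in own):
            continue  # skip [sso-session ...] sections and non-SSO profiles
        name = section.split(None, 1)[-1]
        # Assumed session-unaware reader: only the profile's own keys count.
        unaware = [k for k in REQUIRED if k not in own]
        # Session-aware reader: fill gaps from the referenced [sso-session].
        sess = "sso-session " + own.get("sso_session", "")
        found = cp.has_section(sess)
        merged = {**(dict(cp[sess]) if found else {}), **own}
        report[name] = {
            "session_found": found,
            "unaware_missing": unaware,
            "aware_missing": [k for k in REQUIRED if k not in merged],
        }
    return report

if __name__ == "__main__":
    print(audit_sso_profiles(SAMPLE))
```

For the "dev" profile the session-unaware list is sso_region and sso_start_url, the same two keys named in the error above, while the session-aware list is empty.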
@crw
Contributor

crw commented Feb 13, 2025

Thanks for the report. May be related to #34516.

@crw crw added the backend/s3 label Feb 13, 2025
@four43

four43 commented Mar 5, 2025

Also #32465 ?

I'm also getting this issue though my co-workers aren't. Odd.
