10
votes

In reading the docs over at Terraform it says there are 3 options for finding AWS credentials:

  1. Static credentials (embedded in the source file)
  2. Environment variables.
  3. From the AWS credentials file

I am trying to have my setup just use the credential file. I've checked that the environment variables are cleared and I have left the relevant variables in Terraform blank.

When I do this and run 'Terraform Plan' I get the error:

No Valid credential sources found for AWS Provider.

I've even tried adding the location of my credentials file into my provider block and that didn't help either:

provider "aws" {
    region  = "${var.region}"
    profile = "${var.profile}"
    shared_credentials_file = "/Users/david/.aws/credentials"
    profile = "testing"
}

Is there something I'm missing to get Terraform to read this file and not require environment variables?

4
You do upload your code in GitHub or other open-source directory to publish so your credential is not secure. So do secure your credential like this way:
export AWS_ACCESS_KEY_ID="*************"
export AWS_SECRET_ACCESS_KEY="*************"
export AWS_DEFAULT_REGION="us-west-1"
Fefar Ravi

4 Answers

8
votes

I tested with Terraform v0.6.15 and it's working fine.

Issue must be with the profile. Check the following.

1. Remove 2 profile tags from your provider.

provider "aws" {
  region  = "${var.region}"
  shared_credentials_file = "/Users/david/.aws/credentials"
  profile = "testing"
}

2. Make sure your credentials file /Users/david/.aws/credentials is in the below format, where testing is the profile you are specifying in provider "aws"

[testing]
aws_access_key_id = *****
aws_secret_access_key = *****

1
votes

To get multiple profiles to work with Terraform make sure that you supply the aws_access_key_id piece to your profile declaration. Each profile should look like this:

[profile_name]
aws_access_key=*****
aws_secret_access_key=*****
aws_access_key_id=*****

Technically you don't even need the aws_access_key as it seems the id version is what the underlying aws cli needs. Maybe it was me, but that was never clear in the documents I read.

0
votes

I just had this same problem with terraform aws provider (2.12.0) and this is how I solved it.

In my case the provider couldn't handle that my default profile in $HOME/.aws/credentials did NOT have my access key and secret but it had a "source_profile" in it instead. It seems the terraform aws provider cannot handle this (yet this works for Java SDK and AWS CLI just fine since I've had this setup for a while now).

Here is what I had that didn't work, notice the default profile has a role_arn and source_profile:

[default]
role_arn = arn:aws:iam::<ACCT_ID>:role/readonly
source_profile = account
region = us-east-1

[other-profile]
role_arn = arn:aws:iam::<ACCT_ID>:role/other-role
source_profile = account
region = us-east-1

[account]
region = us-east-1
aws_access_key_id=****
aws_secret_access_key=****

I changed it to the following which resulted in the aws provider working for me. Notice I consolidated two profiles into the "default" profile:

[other-profile]
role_arn = arn:aws:iam::<ACCT_ID>:role/other-role
source_profile = default
region = us-east-1

[default]
region = us-east-1
aws_access_key_id=****
aws_secret_access_key=****
role_arn = arn:aws:iam::<ACCT_ID>:role/readonly
source_profile = default

This seems to work fine for the AWS CLI (defaults to the readonly role and supports switching to "other-profile") as well as allowing terraform to read credentials correctly.
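An added example, not part of any of the posts above: a small Python check for the credentials-file problems the first three answers describe (a profile that is not in the file, a misspelled key name, a profile that has no keys of its own and relies on source_profile). The function name check_profile and the sample file contents are constructed for illustration; the key values are placeholders.

```python
import configparser

# Constructed sample (placeholder values) in the layout the answers discuss.
SAMPLE = """\
[default]
role_arn = arn:aws:iam::<ACCT_ID>:role/readonly
source_profile = account

[account]
aws_access_key_id = EXAMPLE-KEY-ID
aws_secret_access_key = EXAMPLE-SECRET

[typo]
aws_access_key = EXAMPLE-KEY-ID
aws_secret_access_key = EXAMPLE-SECRET

[loop]
role_arn = arn:aws:iam::<ACCT_ID>:role/other-role
source_profile = loop
"""

STATIC_KEYS = ("aws_access_key_id", "aws_secret_access_key")


def check_profile(text, profile):
    """Return findings for `profile`; an empty list means static keys are present."""
    cfg = configparser.RawConfigParser()  # raw: no % interpolation of values
    cfg.read_string(text)
    findings, seen, name = [], [], profile
    while True:
        if not cfg.has_section(name):
            findings.append(f"profile [{name}] not found")
            break
        if name in seen:  # source_profile chain came back to a visited profile
            findings.append(f"source_profile loop at [{name}]")
            break
        seen.append(name)
        section = cfg[name]
        missing = [k for k in STATIC_KEYS if not section.get(k)]
        if not missing:
            break  # this profile carries its own key pair
        if "source_profile" in section:
            nxt = section["source_profile"]
            findings.append(f"[{name}] has no static keys; depends on source_profile [{nxt}]")
            name = nxt
            continue
        findings.append(f"[{name}] missing {', '.join(missing)}")
        break
    return findings
```

To check a real file, pass its contents as `text` and the profile name from the provider block as `profile`.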

0
votes

(Terraform v0.14.2, macOS 11.0.1)

I needed to do:

AWS_ACCESS_KEY_ID=... AWS_SECRET_ACCESS_KEY=... terraform plan

Which was strange to me, because my ~/.aws is in order, as are my .tf-s. ¯\_(ツ)_/¯