I am running Terraform in AWS region us-west-2 (Oregon) in a private VPC. Because of this I am using VPC endpoints to expose the STS API and am overriding this endpoint in Terraform as follows:
provider "aws" {
  endpoints {
    sts = "https://sts.us-west-2.amazonaws.com/"
  }
}
Unfortunately this gives the following error:
provider.aws: error validating provider credentials: error calling sts:GetCallerIdentity: SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
What could be causing this issue? Applying the same Terraform code without the endpoint override in a public VPC worked as expected.
Things I have checked:
- The instance Terraform is running on is displaying the correct time (UTC)
- AWS_REGION and AWS_DEFAULT_REGION env vars are set to us-west-2
- The AWS_SECRET_ACCESS_KEY env var I am using to authenticate (together with AWS_ACCESS_KEY_ID) contains only alphanumeric characters
Versions:
terraform version: Terraform v0.11.13
terraform-provider-aws: v2.17.0
TF_LOG=debug terraform ...., then make sure your environment in VPC can access internet. – BMW