Error creating AWS session: CredentialRequiresARNError: credential type source_profile requires role_arn

[scalp42]

Hi folks,

Using Terraform 0.12.5 (as the S3 backend issue is still here for us), we're still running into somewhat the same issue as #9617 except we can initialize the backend fine this time.

Using 2.20.0:

$> AWS_SDK_LOAD_CONFIG=1 AWS_REGION=us-west-2 terraform

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

module.iam.data.terraform_remote_state.shared_global: Refreshing state...
module.iam.data.terraform_remote_state.dev_global: Refreshing state...
module.route53.data.terraform_remote_state.dev_us_west_2_vpc_dev: Refreshing state...
module.iam.data.terraform_remote_state.global: Refreshing state...
module.iam.data.aws_iam_policy_document.ec2_eip: Refreshing state...
module.iam.data.aws_iam_policy_document.ec2_ebs: Refreshing state...
module.iam.data.aws_iam_policy_document.ec2_asg: Refreshing state...
module.iam.data.aws_iam_policy_document.instana_read_only: Refreshing state...
module.iam.aws_iam_policy.ec2_eip: Refreshing state... [id=arn:aws:iam::102727442189:policy/ec2_eip]
module.iam.aws_iam_policy.ec2_ebs: Refreshing state... [id=arn:aws:iam::102727442189:policy/ec2_ebs]
module.iam.aws_iam_policy.ec2_asg: Refreshing state... [id=arn:aws:iam::102727442189:policy/ec2_asg]
module.iam.data.aws_iam_policy_document.s3_wonolo_chef_usw2: Refreshing state...
module.iam.aws_iam_policy.s3_wonolo_chef_usw2: Refreshing state... [id=arn:aws:iam::102727442189:policy/s3_wonolo_chef_usw2]
module.iam.data.aws_iam_policy_document.route53_wonolo_dev_com_public: Refreshing state...
module.iam.data.aws_iam_policy_document.route53_wonolo_dev_com_private: Refreshing state...
module.iam.aws_iam_policy.route53_wonolo_dev_com_public: Refreshing state... [id=arn:aws:iam::102727442189:policy/route53_wonolo_dev_com_public]
module.iam.aws_iam_policy.route53_wonolo_dev_com_private: Refreshing state... [id=arn:aws:iam::102727442189:policy/route53_wonolo_dev_com_private]

Error: No valid credential sources found for AWS Provider.
  Please see https://terraform.io/docs/providers/aws/index.html for more information on
  providing credentials for the AWS Provider

  on <empty> line 0:
  (source code not available)

Using 2.26.0:

$> AWS_SDK_LOAD_CONFIG=1 AWS_REGION=us-west-2 terraform

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

module.iam.data.terraform_remote_state.shared_global: Refreshing state...
module.route53.data.terraform_remote_state.dev_us_west_2_vpc_dev: Refreshing state...
module.iam.data.terraform_remote_state.global: Refreshing state...
module.iam.data.terraform_remote_state.dev_global: Refreshing state...

Error: No valid credential sources found for AWS Provider.
  Please see https://terraform.io/docs/providers/aws/index.html for more information on
  providing credentials for the AWS Provider

  on <empty> line 0:
  (source code not available)



Error: Error creating AWS session: CredentialRequiresARNError: credential type source_profile requires role_arn, profile bridge

  on main.tf line 12, in provider "aws":
  12: provider "aws" {

Everything was working fine using 0.11.x with 2.20 and we're 100% sure it's not a credentials/bad setup with AWS creds.

TLDR:

• Terraform 0.12.8 = can't initialize due to S3 backend issue
• Terraform 0.12.5 and AWS provider 2.20 = broken with No valid credential sources found for AWS Provider
• Terraform 0.12.5 and AWS provider 2.26 = broken with No valid credential sources found for AWS Provider and CredentialRequiresARNError supposedly fixed in Can't initialize backend since provider > 2.20 #9617

Thanks a lot in advance the migration to 0.12.x has been very painful and is still not successful for us.

[ewbankkit]

Maybe related to hashicorp/aws-sdk-go-base#4?

[evandam]

+1 I'm also seeing the same error with the provider version > 2.20.

[ckellis]

Same, getting both above errors using provider 2.26.

[scalp42]

This PR was merged: hashicorp/aws-sdk-go-base#5 but I believe it needs to be pulled in the providers.

[ewbankkit]

@scalp42 That has been merged via #10379.
You should be able to verify with the next (v2.32.0) release of the AWS Provider.

[scalp42]

@ewbankkit we just tested with 2.33.0 and it's still broken for us:

$> AWS_SDK_LOAD_CONFIG=1 AWS_REGION=us-west-2 terraform plan                                                                                             

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

data.terraform_remote_state.shared_us_west_2_vpc_shared: Refreshing state...
data.terraform_remote_state.dev_us_west_2_vpc_dev: Refreshing state...
data.terraform_remote_state.prod_global: Refreshing state...
data.terraform_remote_state.prod_us_west_2: Refreshing state...
data.terraform_remote_state.shared_us_west_2: Refreshing state...
data.terraform_remote_state.global: Refreshing state...

Error: Error refreshing state: 1 error occurred:
	* provider.aws.prod-us-west-2: Error creating AWS session: CredentialRequiresARNError: credential type source_profile requires role_arn, profile bridge

provider "aws" {
  alias  = "prod-us-west-2"
  region = "us-west-2"

  version             = "= 2.33.0"
  profile             = "prod"
  allowed_account_ids = ["123456789"]
}

$> cat ~/.aws/config
[profile prod]
role_arn = arn:aws:iam::123456789:role/admin
role_session_name = anthony-prod
source_profile = bridge
region = us-west-2

[profile bridge]
source_profile = bridge
region = us-west-2

$> terraform --version                                                                                                                                   
Terraform v0.11.14
+ provider.aws v2.33.0

Your version of Terraform is out of date! The latest version
is 0.12.11. You can update by downloading from www.terraform.io/downloads.html

[ewbankkit]

@scalp42 Your AWS CLI config file looks a bit weird to me.
Do you need source_profile in the [profile prod] section?
Also [profile bridge] seems to refer to itself via its source_profile.

[scalp42]

@ewbankkit I had some left over from debugging ><

We can confirm it works on "latest all the things":

Terraform v0.12.12
+ provider.aws v2.33.0

Thank you a lot for the help! That S3 backend issue has been holding us off for a while and we kept retrying every week.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!