terragrunt: Terragrunt does not support AWS SSO with automatic token refresh

 terraform --version
Terraform v1.2.9
on darwin_arm64
+ provider registry.terraform.io/datadog/datadog v3.19.1
+ provider registry.terraform.io/hashicorp/aws v4.45.0

Your version of Terraform is out of date! The latest version
is 1.3.7. You can update by downloading from https://www.terraform.io/downloads.html

 terragrunt --version
terragrunt version v0.39.0

~/.aws/config

[profile dev-sso]
sso_session = sso
sso_start_url = https://my-company/start
sso_region = eu-west-1
sso_account_id = 123456789
sso_role_name = AWSAdministratorAccess

[sso-session sso]
sso_region = eu-west-1
sso_start_url = https://my-company/start
sso_registration_scope = sso:account:access

Remote state config

remote_state {
  backend = "s3"
  config = {
    bucket         = "${local.env}-my-bucket"
    region         = "us-east-1"
    key            = "${path_relative_to_include()}/terraform.tfstate"
    encrypt        = true
    dynamodb_table = "${local.env}-terraform-state-lock"
    profile        = "dev-sso"
  }
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite_terragrunt"
  }
}

 terragrunt init -migrate-state                             

Initializing the backend...
Backend configuration changed!

Terraform has detected that the configuration specified for the backend
has changed. Terraform will now check for existing state in the backends.

╷
│ Error: error configuring S3 Backend: no valid credential sources for S3 Backend found.
│ 
│ Please see https://www.terraform.io/docs/language/settings/backends/s3.html
│ for more information about providing credentials.
│ 
│ Error: NoCredentialProviders: no valid providers in chain. Deprecated.
│       For verbose messaging see aws.Config.CredentialsChainVerboseErrors
│ 

╵

 aws sts get-caller-identity
{
    "UserId": "my_user_id",
    "Account": "123456789",
    "Arn": "arn:aws:sts::123456789:assumed-role-bla-bla-bla
}

About this issue

  • Original URL
  • State: closed
  • Created a year ago
  • Reactions: 7
  • Comments: 19 (6 by maintainers)

Most upvoted comments

This should be reopened. The issue in terraform is now fixed in Terraform v1.6.0-rc1 but the issue is still present in terragrunt. You can test that by using a generate block instead of a remote_state. When using generate terraform won’t complain about SSO but it is going to complain the S3 bucket does not exist. In order to let terragrunt take care of creating the backend resources you need to switch to using a remote_state and that is when the issue appears.

For me that means there is a problem in the terragrunt auth mechanism with AWS in the bit of code that makes sure the backend resources are created.

❯ terragrunt init
ERRO[0000] Error initializing session: profile "<redacted> is configured to use SSO but is missing required configuration: sso_region, sso_start_url
ERRO[0000] Unable to determine underlying exit code, so Terragrunt will exit with error code 1

❯ terragrunt version
Terraform v1.6.0-rc1
on darwin_arm64
+ provider registry.terraform.io/cloudflare/cloudflare v4.15.0
+ provider registry.terraform.io/hashicorp/aws v5.19.0

❯ terragrunt --version
terragrunt version 0.51.6

The workaround still works by moving sso_start_url and sso_region to the profile entry in aws config. For more details see: https://github.com/hashicorp/terraform/issues/32465

+12
lebenitza on Sep 29, 2023

Resolved in v0.53.1 release.

+8
levkohimins on Nov 1, 2023

Hi @lebenitza, Ah you are right, terragrunt uses AWS for the things you mentioned. Since this issue has been fixed in terraform, it makes sense to fix it in terragrung as well. The AWS library should be updated in terragrunt to support SSO, I’ll work on it.

+4
levkohimins on Oct 27, 2023

Still an issue with terragrunt.

S3 backends should be fixed with the terraform 1.6 upgrade

Please see my message… The issue is still in terragrunt with the automatic creation of backend S3 store and DynamoDB lock table.

+3
lebenitza on Oct 27, 2023

Just want to note it’s working for me. Running v0.53.2 Thanks @levkohimins !

+2
WesselAtWork on Nov 8, 2023

Any info on this? I have a similar config in ~/.aws/coinfig


[profile sandbox]
sso_session = TraianMac
sso_account_id = 1234567890
sso_role_name = LimitedAdministratorAccess
region = eu-west-1
output = json

[sso-session TraianMac]
sso_start_url = https://somecool.awsapps.com/start#/
sso_region = eu-west-1
sso_registration_scopes = sso:account:access

and when i try to run terragrunt plan I get


DEBU[0000] Included config /Users/traian/EI_Code/infrastructure-environments/dm-sandbox/terragrunt.hcl has strategy shallow merge: merging config in (shallow).
DEBU[0000] Assuming IAM role arn:aws:iam::1234567890:role/terragrunt-role with a session duration of 0 seconds.
ERRO[0000] profile "sandbox" is configured to use SSO but is missing required configuration: sso_region, sso_start_url
ERRO[0000] Unable to determine underlying exit code, so Terragrunt will exit with error code 1
+2
lordz-ei on Mar 22, 2023

The same issue is mentioned in terraform: #28263 #32465. Since terragrunt runs terraform as a shell command under the hood it can do nothing until hashicorp team fixes it.

But as discussed in those issues, there is a workaround. Step by step to make it work (I will use as session name: my-session and as profile name: my-profile):

  1. Just in case, remove the session and profile sections from ~/.aws/config that you are about to configure if they are already there.
  2. Run
aws configure sso --profile my-profile

The above command adds the following sections to ~/.aws/config:

[profile my-profile]
sso_session = my-session
sso_account_id = xxxxxxxxxxxx
sso_role_name = xxxxxxx
[sso-session my-session]
sso_start_url = https://xxxxxx.awsapps.com/start#
sso_region = us-east-1
sso_registration_scopes = sso:account:access

Let’s check SSO in aws-cli, it should work

aws s3 ls --profile my-profile

Then try to check SSO in terraform

AWS_PROFILE=my-profile terraform init

get:

Error: error configuring S3 Backend: Error creating AWS session: profile "my-profile" is configured to use SSO but is missing required configuration: sso_region, sso_start_url

don’t worry, we’re not done yet 🙂

  1. Manually edit ~/.aws/config:

Add sso_start_url, sso_region and remove sso_session. Should look like this:

[profile my-profile]
sso_account_id = xxxxxxxxxxxx
sso_role_name = xxxxxxx
region = us-east-1
sso_start_url = https://xxxxxx.awsapps.com/start#
sso_region = us-east-1
  1. Run
aws sso login --profile my-profile

Let’s try to check SSO in terraform again:

AWS_PROFILE=my-profile terraform init

get:

... omitted
Terraform has been successfully initialized!
... omitted

Finally it works 🎉 . If SSO works in terraform, then it will work in terragrunt.

@levkoburburas will terraform/terragrunt automatically refresh the authentication tokens when they expire? For reference: https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html

+1
jsimoni on May 9, 2023
Read more comments on GitHub
← terragrunt: Terragrunt does not create local backend
terragrunt: Terragrunt fails to get outputs of dependency →