What worked for me was this reddit post: https://www.reddit.com/r/aws/comments/zk456d/new_aws_cli_and_sso_sessions_profiles_and_legacy/

In short:

1. In your .aws/config file, delete the sso-session section (or sections if you had multiple)
2. Delete the sso-session reference under the profile section
3. Reconfigure sso: aws configure sso --profile <profile-name> # I usually go for default
4. Here’s the fix: Although recommended, do not give sso session name, leave it blank
5. Finish the rest of the config, and terraform should start working

Any updates on this? Still not working with v4.48

Weird, issues seems to be critical and fundamental. Can’t execute any terraform actions on my newly configured accounts that are managed by new AWS Identity Center

To mention a workaround: You do not need to add: sso_region, sso_start_url You just have to create a IAM User with appropriate permissions and programmatic access and add these credentials to .aws/credentials

[profile]
aws_access_key_id = xxxxx
aws_secret_access_key = yyyyyyyyyyyy

make sure that profile name matches in the both .aws/credentials and .aws/config. Provider will work

I can confirm the following works as a temporary fix:

• remove the [sso-session ...] section
• remove the sso_session parameter from the profile
• add the sso_start_url and sso_region
• add the region parameter if not already there

Working example:

[profile prod]
sso_region = us-east-1
sso_start_url = https://URL.awsapps.com/start
sso_account_id = 999999999
sso_role_name = AWSAdministratorAccess
region = us-east-1

[profile stage]
sso_region = us-east-1
sso_start_url = https://URL.awsapps.com/start
sso_account_id =999999999
sso_role_name = AWSAdministratorAccess
region = us-east-1

How is this not resolved yet? Isn’t the GO SDK supposed to handle this automatically?

Any updates on this? Still not working with v4.48

Weird, issues seems to be critical and fundamental. Can’t execute any terraform actions on my newly configured accounts that are managed by new AWS Identity Center

To mention a workaround: You do not need to add: sso_region, sso_start_url You just have to create a IAM User with appropriate permissions and programmatic access and add these credentials to .aws/credentials

[profile]
aws_access_key_id = xxxxx
aws_secret_access_key = yyyyyyyyyyyy

make sure that profile name matches in the both .aws/credentials and .aws/config. Provider will work

Or you can use the Command line or programmatic access from your role and copy that content to the credentials file. You can barely change the profile name to your needs and can use it as long, as the session is valid. But this is all only a workaround, especially with an eye on the session getting invalid after the configured amount of time and one have to copy the temp credentials over again 😃.

The support for sso-session for aws-sdk-go has been merged and is now in a release. https://github.com/aws/aws-sdk-go/releases/tag/v1.44.298

As pointed out here https://github.com/hashicorp/terraform-provider-aws/issues/28263#issuecomment-1428052544 the provider is now fixed after dependency updates https://github.com/hashicorp/terraform-provider-aws/pull/29302

Would be great if we could also update the backend accordingly

This is still happening in v4.46.0, which has the update (https://github.com/hashicorp/terraform-provider-aws/commit/b3dcf93ddabb4cf692aa7620cb8ec4aebaf0a52a) to the aws-sdk-go-v2 version (v1.17.2) that has the upstream fix.

From what I can see in go.mod file, specified versions of affected dependencies do not contain SSO enhancements:

	github.com/aws/aws-sdk-go-v2/config v1.15.4 // indirect
	github.com/aws/aws-sdk-go-v2/credentials v1.12.0 // indirect

New SSO enhancements were added in versions v1.18.0 and v1.13.0 correspondingly.

For posterity, this probably got fixed by the bump in https://github.com/hashicorp/terraform-provider-aws/pull/32426.

@kurtismash pls correct me if I’m wrong 😉

Any chance for this to end up in a release soon?

This still needs to make it into a terraform release. The S3 backend code doesn’t use the AWS provider, it has a parallel S3 code path. The provider works, but if you use an S3 state backend you’ll still have problems until they update the SDK there.

Having new SSO support in the v1 SDK will make that easier, though.

Keep an eye on https://github.com/hashicorp/terraform/issues/32465 (there appears to be an open PR for this now)

For those that are finding when you get a reference to $HOME/.aws/sso/cache/<id>.json not found, you must perform an AWS SSO login first.

aws sso login

I recommend to create multiple pairs of your profiles, one with the legacy non-refreshing token specifically for terraform, and use another for your normal operations. This will allow you to use the AWS CLI with the refreshing tokens and have the terraform backend explicitly select the legacy profile.

~/.aws/config

[profile primary]
region = <REGION>
output = json
sso_session = <SESSION_NAME>
sso_account_id = <ACCOUNT_ID>
sso_role_name = <ROLE_NAME>

# Required as terraform does not respect sso_session
[profile primary-legacy]
sso_start_url = https://<START_ID>.awsapps.com/start
sso_region = <REGION>
sso_account_id = <ACCOUNT_ID>
sso_role_name = <ROLE_NAME>
region = <REGION>
output = json

[sso-session <SESSION_NAME>]
sso_start_url = https://<START_ID>.awsapps.com/start
sso_region = <REGION>
sso_registration_scopes = sso:account:access

In your backend, configure your profile to be the legacy above.

profile = "primary-legacy"

And have your aws env set to the refresher token:

export AWS_PROFILE=primary

I was having the same problem, and including all information within the profile itself helped in my case as well.

Why are Terraform and AWS provider not able to use the session information? Using an sso-session to provide the region and start_url is the recommended way to set up sso: Configuring the AWS CLI to use AWS IAM Identity Center (successor to AWS Single Sign-On)

For those that are finding when you get a reference to $HOME/.aws/sso/cache/<id>.json not found, you must perform an AWS SSO login first.

aws sso login

I recommend to create multiple pairs of your profiles, one with the legacy non-refreshing token specifically for terraform, and use another for your normal operations. This will allow you to use the AWS CLI with the refreshing tokens and have the terraform backend explicitly select the legacy profile.

~/.aws/config

[profile primary]
region = <REGION>
output = json
sso_session = <SESSION_NAME>
sso_account_id = <ACCOUNT_ID>
sso_role_name = <ROLE_NAME>

# Required as terraform does not respect sso_session
[profile primary-legacy]
sso_start_url = https://<START_ID>.awsapps.com/start
sso_region = <REGION>
sso_account_id = <ACCOUNT_ID>
sso_role_name = <ROLE_NAME>
region = <REGION>
output = json

[sso-session <SESSION_NAME>]
sso_start_url = https://<START_ID>.awsapps.com/start
sso_region = <REGION>
sso_registration_scopes = sso:account:access

In your backend, configure your profile to be the legacy above.

profile = "primary-legacy"

And have your aws env set to the refresher token:

export AWS_PROFILE=primary

I believe what @brettryan mentions will work as a workaround, but what is needed is the terraform-provider-aws to support refreshable authentication tokens and to refresh those tokens when they expire.

@yermulnik It is fixed in bf5aed5bc8b73db62b3fe1b6d4e76dd4408a16b0, when the SDK version is upgraded to a version which support new format SSO. For supported version, please refers to https://github.com/hashicorp/terraform-provider-aws/issues/28263#issuecomment-1367036724

It is fixed at v4.54.0. However, if you use s3 backend, the legacy configuration is still required, the issue on Terraform is still open

Hey, yeah with the solution @michidk suggested here, you can configure the awscli profiles the legacy way. Thats working so far, also with the aws provider. But who knows how long until sso-sessions will be enforced and the legacy way will be deprecated 😃

You can work around this in two ways:

• set the sso_start_url in each profile
• grab temporary credentials from the profile using aws-sso-creds

You need to both sso_start_url and sso_region for your profile. And then run aws sso login --profile <profile name>

“set the sso_start_url in each profile” does’t work for me

[profile Dev-715xxxxxxxxxxx2]
sso_session = bo-05-01-2023-1
sso_account_id = 715xxxxxxxxxxx2
sso_role_name = Dev
region = eu-west-2
output = json
sso_start_url = https://xxx.awsapps.com/start

[sso-session bo-05-01-2023-1]
sso_start_url = https://xxx.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

Still get: % terraform plan ╷ │ Error: configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.

It is fixed at v4.54.0

@tonyhhyip Out of curiosity: is there any exact PR we can refer to? I couldn’t find anything relevant to AWS SSO in v4.54.0 release message 🤷🏻

@boyadzhievb I also had to remove the sso_session key/value from my profile.

documentation for “legacy” configuration here: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html#sso-configure-profile-manual

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave “+1” or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.