terraform-provider-aws: `Error: no EC2 IMDS role found, operation error ec2imds: GetMetadata, canceled, context deadline exceeded` on v4.0.0

On AWS provider version 4.0.0 I’m getting the following error:

```
Error: error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
│ 
│ Please see https://registry.terraform.io/providers/hashicorp/aws
│ for more information about providing credentials.
│ 
│ Error: no EC2 IMDS role found, operation error ec2imds: GetMetadata, canceled, context deadline exceeded
│ 
│ 
│   with provider["registry.terraform.io/hashicorp/aws"],
│   on main.tf line 1, in provider "aws":
│    1: provider "aws" {
```

Version 3.72.0 works perfectly. I’m using the following provider configuration:

```hcl
provider "aws" {
  region = var.aws_region
  assume_role {
    duration_seconds = 3600
    session_name     = "session-name"
    role_arn         = var.aws_deployment_role
  }
}
```

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 19 (1 by maintainers)

Most upvoted comments

I see this is closed but I am not sure if it makes sense. For example, I am running some Terraform jobs in my CircleCI pipeline and so far I have had no issues whatsoever with this; now it seems I need to choose what to use. Normally, I use the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in my CD and a profile for local work.

I am thinking of a few things:

  1. I can create the ~/.aws/credentials file within the pipeline, with the profile set in it so that it does not fail,
  2. I need to break my local env in order to remove profile from the provider and then use env vars. Then again this does not make sense for most of us I presume, since my local ~/.aws/credentials file contains around 15 different profiles.

Maybe I am missing something so if someone has any suggestion, please let me know.

@hectoralicea If you want to use the 4.x version instead of 3.0, you have to be sure you configure AWS either using environment variables or in the .tf file; if you mix both approaches, this version will take just one. More info here:

In previous versions of the provider, you could explicitly set profile in the provider, and if the profile did not correspond to valid credentials, the provider would use credentials from environment variables. Starting in v4.0, the Terraform AWS provider enforces the precedence shown above, similarly to how the AWS SDK and AWS CLI behave.

In other words, when you explicitly set profile in provider, the AWS provider will not use environment variables per the precedence shown above. Before v4.0, if profile was configured in the provider configuration but did not correspond to an AWS profile or valid credentials, the provider would attempt to use environment variables. This is no longer the case. An explicitly set profile that does not have valid credentials will cause an authentication error.

I have the same problem, not with Terraform but with my Go program that uses aws-sdk-v2. Environment variables seem not to be handled properly.

Fixed, I had “AWS_ACCESS_KEY_ID” spelled with three “S”'s

Thank you @thebergamo. It worked.

Hi @speller, this has been fixed in v4.1.0, which will be released later today.
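An added example, not part of the thread or of the provider's code: a pre-flight check for a CI job that covers the two causes raised in the comments above, a misspelt credential variable and an explicit `profile` in the provider block that shadows environment keys. The function names, the `known_profiles` argument and the sample values are assumptions made for illustration, and the precedence is a simplified model of the v4 behaviour quoted above (container and instance-role sources are not modelled).

```python
import difflib

# Credential variables read by the AWS SDKs and the Terraform AWS provider.
CREDENTIAL_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY",
                   "AWS_SESSION_TOKEN", "AWS_PROFILE")


def misspelt_vars(env):
    """Map each near-miss variable name in env to the name it probably meant."""
    hits = {}
    for name in env:
        if name in CREDENTIAL_VARS:
            continue
        close = difflib.get_close_matches(name.upper(), CREDENTIAL_VARS,
                                          n=1, cutoff=0.85)
        if close:
            hits[name] = close[0]
    return hits


def preflight(env, provider_profile=None, known_profiles=()):
    """Return (credential_source, warnings); source is None if nothing static resolves."""
    warnings = [f"{bad} is set; did you mean {good}?"
                for bad, good in sorted(misspelt_vars(env).items())]
    env_keys = bool(env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"))

    if provider_profile is not None:
        # Explicit profile in the provider block: no fallback to environment keys.
        if provider_profile in known_profiles:
            return f"profile:{provider_profile}", warnings
        if env_keys:
            warnings.append(f"profile '{provider_profile}' not found; environment "
                            "keys are ignored because profile is set in the provider")
        return None, warnings
    if env_keys:
        return "environment", warnings
    profile = env.get("AWS_PROFILE", "default")
    if profile in known_profiles:
        return f"profile:{profile}", warnings
    return None, warnings


if __name__ == "__main__":
    # Constructed CI environment with the three-S typo; values are placeholders.
    ci_env = {"AWS_ACCESSS_KEY_ID": "PLACEHOLDER", "AWS_SECRET_ACCESS_KEY": "PLACEHOLDER"}
    print(preflight(ci_env))
    print(preflight({"AWS_ACCESS_KEY_ID": "a", "AWS_SECRET_ACCESS_KEY": "b"},
                    provider_profile="dev"))
```

In a pipeline, pass `dict(os.environ)` and the profile names parsed from `~/.aws/credentials`, and fail the job when the returned source is `None` or any warning is present.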