I am currently facing an issue during the execution of Terraform in CodeBuild. The Terraform deployment is being performed in another AWS account using an assumed role.
In CodeBuild, the maximum duration for assuming a role is one hour. However, during the execution of Terraform, which involves creating numerous resources, the token for the profile used by Terraform is being refreshed via the “aws sts assume-role” command.
Even though the token should be getting updated, when the deployment process takes longer than one hour, I encounter the following error:
ExpiredTokenException: The security token included in the request is expired.
I have confirmed that an AWS command using the same profile as Terraform successfully executes in the CodeBuild job. It seems that Terraform is not recognizing the updated token from the environment for subsequent token updates.
Some information about the environment…
terraform is at version 1.2.7
hashicorp/aws is at version 5.6.2
Using the following command to assume the role in the CodeBuild job, which re-runs every 10 minutes.
aws sts assume-role --role-arn <<ROLE_ARN>> --role-session-name <<PROFILE>>
Running the following command every minute to make sure the connection is still valid.
AWS_PROFILE="<<PROFILE>>" aws sts get-caller-identity
Starting terraform with…
AWS_PROFILE="<<PROFILE>>" terraform …
I simplified a test to running a sleep command within terraform for 1 hour before trying to perform a create/update/delete on a resource and it failed with the above error.
Given the simplicity of the situation, I believe I must be overlooking something straightforward. Can anyone shed light on this behavior?
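The refresh loop described in the post, as an added example that is not part of the original post: `aws sts assume-role` only prints a session as JSON, so something has to copy it into the profile. The Python below does that with an atomic, owner-only write and shows that a snapshot of the profile taken before a refresh still holds the old token. The function names, the `deploy` profile and the STS output are all hypothetical or constructed.

```python
import configparser, json, os, tempfile
from datetime import datetime, timezone

# Constructed sample of `aws sts assume-role` output; every value is a placeholder.
SAMPLE = json.dumps({"Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEYID0001",
    "SecretAccessKey": "constructed-secret",
    "SessionToken": "constructed-token-1",
    "Expiration": "2024-01-01T11:00:00Z"}})

KEYS = {"AccessKeyId": "aws_access_key_id",
        "SecretAccessKey": "aws_secret_access_key",
        "SessionToken": "aws_session_token"}

def store_session(creds_path, profile, assume_role_json):
    """Write the session under [profile]; return its expiry as an aware datetime."""
    creds = json.loads(assume_role_json)["Credentials"]
    cfg = configparser.RawConfigParser()  # Raw: no % interpolation of secrets
    cfg.read(creds_path)
    if not cfg.has_section(profile):
        cfg.add_section(profile)
    for src, dst in KEYS.items():
        cfg.set(profile, dst, creds[src])
    # Write to a temp file (mkstemp creates it 0600) and rename it into place,
    # so a concurrent reader never sees a half-written credentials file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(creds_path)))
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)
    os.replace(tmp, creds_path)
    return datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))

def load_session(creds_path, profile):
    """Read the profile once and return a plain snapshot of its keys."""
    cfg = configparser.RawConfigParser()
    cfg.read(creds_path)
    return dict(cfg.items(profile))

def seconds_left(expiration, now=None):
    """Remaining lifetime of a session; negative once it has expired."""
    now = now or datetime.now(timezone.utc)
    return int((expiration - now).total_seconds())

if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "credentials")
    expiry = store_session(path, "deploy", SAMPLE)
    print(load_session(path, "deploy")["aws_session_token"], seconds_left(expiry))
```

Logging `seconds_left` next to each `get-caller-identity` check shows whether the profile on disk was really renewed before the first session ran out.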