AWS creds issues (using Vault) with "terraform import" but not "terraform apply"

I have a longstanding Terraform config that’s working well using “terraform apply” and is able to authenticate the AWS provider using the Vault provider:

data "vault_aws_access_credentials" "aws_creds" {
  backend = "aws"
  role    = "XXX"
}

provider "aws" {
  region     = var.aws_region
  access_key = data.vault_aws_access_credentials.aws_creds.access_key
  secret_key = data.vault_aws_access_credentials.aws_creds.secret_key
}

However, when I use “terraform import” I get:

 Error: error configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: XXX, api error InvalidClientTokenId: The security token included in the request is invalid.

I’m not sure why “apply” can authenticate the AWS provider but “import” can’t. Any advice is greatly appreciated.

Versions:

  • terraform: 1.0.11
  • aws provider: 4.0.0
  • vault provider: 3.25.0

For AWS STS usage (when you get temporary access) you need to pass the session token too.

https://registry.terraform.io/providers/hashicorp/aws/latest/docs#aws-configuration-reference

Try passing the token too, like this:

provider "aws" {
  region     = var.aws_region
  access_key = data.vault_aws_access_credentials.aws_creds.access_key
  secret_key = data.vault_aws_access_credentials.aws_creds.secret_key
  token      = data.vault_aws_access_credentials.aws_creds.security_token
}
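As an added illustration of the point above (not code from this thread or from the Vault/AWS providers), here is a small pre-flight check a practitioner can run before `terraform import`: it models the `data` map that `vault read -format=json aws/sts/<role>` returns (constructed placeholder values, not real credentials), builds the environment the AWS provider reads, and refuses to emit a temporary key without its session token, which is exactly the condition that produces the InvalidClientTokenId 403 from sts:GetCallerIdentity. The ASIA/AKIA prefix rule is AWS's documented convention for temporary vs long-term access key IDs.

```python
"""Pre-flight check for Vault-issued AWS credentials before running Terraform."""
from typing import Dict, Optional

# Constructed sample: shape of the "data" section of a Vault aws/sts/<role> lease.
# Values are placeholders, not real credentials.
SAMPLE_STS_LEASE: Dict[str, Optional[str]] = {
    "access_key": "ASIAEXAMPLEPLACEHOLDER",
    "secret_key": "placeholder-secret",
    "security_token": "placeholder-session-token",
}

# Constructed sample: an IAM-user style lease from aws/creds/<role> (no token).
SAMPLE_IAM_LEASE: Dict[str, Optional[str]] = {
    "access_key": "AKIAEXAMPLEPLACEHOLDER",
    "secret_key": "placeholder-secret",
    "security_token": None,
}


def is_temporary_key(access_key: str) -> bool:
    """Temporary (STS) access key IDs start with ASIA; long-term IAM keys with AKIA."""
    return access_key.startswith("ASIA")


def aws_env_from_vault(lease: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Translate a Vault AWS lease into the env vars the AWS provider/CLI read.

    Raises ValueError when an STS key arrives without its session token, so the
    caller fails fast instead of letting sts:GetCallerIdentity come back 403.
    """
    key = lease["access_key"] or ""
    secret = lease["secret_key"] or ""
    token = lease.get("security_token") or ""
    if is_temporary_key(key) and not token:
        raise ValueError(
            "temporary (ASIA) key without security_token: "
            "pass it as AWS_SESSION_TOKEN / provider 'token' too"
        )
    env = {"AWS_ACCESS_KEY_ID": key, "AWS_SECRET_ACCESS_KEY": secret}
    if token:
        # Session token is mandatory alongside temporary keys; harmless to omit for IAM keys.
        env["AWS_SESSION_TOKEN"] = token
    return env


if __name__ == "__main__":
    for name in sorted(aws_env_from_vault(SAMPLE_STS_LEASE)):
        print(f"export {name}=...")  # values intentionally not echoed
```

Export the resulting variables in the shell before `terraform import`, or map them onto `access_key`, `secret_key` and `token` in the provider block as shown above.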

@claytonsilva That’s helpful. It seems like “terraform apply” is using the “creds” mode of “vault_aws_access_credentials”, but “terraform import” is using “sts”. Is there a way to force import to use “creds” as well?

I honestly don’t know how it works with apply :rofl:, but sts is the correct way to use temporary credentials. It makes no sense to force the other usage.