Credentials & syntax problem

Hi folks,

I’m experiencing some difficulty with creating resources in AWS via Terraform and was hoping somebody could help. FYI, I am using:

Terraform v0.12.26 v2.67.0

My IAM user has full admin privileges and programmatic access but when i try to create a resource i.e. VPC i get teh following error:

Warning: Interpolation-only expressions are deprecated

on line 2, in provider “aws”:
2: region = “${var.aws_region}”

To silence this warning, remove the “${ sequence from the start and the }”

aws_vpc.my_vpc: Creating…

Error: Error creating VPC: AuthFailure: AWS was not able to validate the provided access credentials
status code: 401, request id: 828ad3fe-8c39-4fdc-b3a8-5c22f25909a7

on line 1, in resource “aws_vpc” “my_vpc”:
1: resource “aws_vpc” “my_vpc” {

My provider file is set up like below:

provider “aws” {
region = “${var.aws_region}”
access_key = “var.aws_access_key”
secret_key = “var.aws_secret_key”
version = “~> 2.67”
skip_credentials_validation = true
skip_requesting_account_id = true

Terraform init and Terraform Plan work fine. I had to add the 2 “skip” statements in above to get past “Terraform Plan” which previously I did not have to do. It has been about 4 months since i last used Terraform and i have upgraded versions since. I am not using AWS configure but instead hard-coding my access/secret keys in a variables file in clear text for testing purposes.

Some questions:

a) Is this a version issue?

b) If i remove the $ and {} from the region variable above my “Terraform Plan” fails but the irony is there is a warning above suggesting that this has been deprecated in the latest versions of Terraform. Is this a bug?

c) I am just about to start building out a production environment so though the latest versions would be best. If this is not the case, can you recommend stable terraform and provider versions?

Any help would be much appreciated.

Hi @bigred247,

The warning is suggesting that you remove "${ and }" not just ${ and }. Note that the quotes are included too! In other words, your provider block should look like this:

provider “aws” {
  version = “~> 2.67”

  region                      = var.aws_region
  access_key                  = var.aws_access_key
  secret_key                  = var.aws_secret_key
  skip_credentials_validation = true
  skip_requesting_account_id  = true

With the quotes, you set your access key to literally the string var.aws_access_key, which is not a valid AWS access key id. We instead want the value of the variable called aws_access_key, so we write it without quotes.

While we’re discussing this, note also that setting access_key and secret_key in the configuration is not necessary in this case. Those arguments are provided only for exceptional circumstances.

Instead, you should configure your credentials the same way as for the AWS CLI, such as by running aws configure with the AWS CLI already installed. That way you can set up your credentials only once and use them with both Terraform and with the AWS CLI, and you can just run terraform apply normally without any funny extra options to set the variables.

This means you can also provide credentials differently depending on where you are running Terraform: in future you might decide to run Terraform on an EC2 instance, in which case you can use EC2 instance metadata credentials so the Terraform AWS provider will automatically obtain temporary credentials using the EC2 instance’s IAM Instance Profile and you won’t need to manually create any credentials files at all.

1 Like

Hi @bigred247

I just upgraded from Terraform 0.11 to 0.12 and had to fix many of the same issues. The new release has removed some complexity and simplified variables.

Since you are starting to build your production environment I suggest that you apply some best practices now, as most production infrastructure is difficult to modify once you are running with users and production workloads.

I have a full tutorial with an example for AWS and the best practices that have worked for me. The tutorial “text” stills uses 0.11 but all the source code has been upgraded to 0.12. Text will be “upgraded” in a few hours.

1 Like


Thank you very much for your detailed response. This is greatly appreciated and has resolved my problem. The error message was throwing me off somewhat but as you suggested it was the quote marks ("") causing the problem.

In reference to the access and secret key variables, I am deploying this through an Azure DevOps pipeline into AWS so need the variables in place but completely agree with your points about ec2 instance profiles and aws configure.

Thanks again :o)


This look like great detailed documentation. I have had a high-level look but will definitely read through it this weekend to implement some best practices.