I have followed the documentation Using Dynamic Secrets in Terraform and everything works as documented when configured against us-east-1.
When I configure Vault to use the AWS Secrets Engine configured against cn-northwest-1, Terraform constantly fails with the below error:
Error: error checking if credentials are valid: InvalidClientTokenId: The security token included in the request is invalid.
        status code: 403, request id:

  on main.tf line 9, in data "vault_aws_access_credentials" "creds":
   9: data "vault_aws_access_credentials" "creds" {
Even though Terraform errors, I can see that Vault is successfully creating and deleting leased users within the Chinese account when running plan or apply commands. Terraform seems unable to validate the credentials.
Below is a simplified code snippet which exhibits this issue:
terraform {
  backend "local" {
    path = "terraform.tfstate"
  }
}

provider "vault" {}

# Leases a dynamic AWS credential from the Vault AWS secrets engine
# mounted at "backend", using the role named "role".
data "vault_aws_access_credentials" "creds" {
  backend = "backend"
  role    = "role"
}

# AWS provider pointed at the China (aws-cn) partition, authenticated
# with the leased credential from Vault.
provider "aws" {
  region     = "cn-northwest-1"
  access_key = data.vault_aws_access_credentials.creds.access_key
  secret_key = data.vault_aws_access_credentials.creds.secret_key
}

# Placeholder definition so the snippet is self-contained; the original
# referenced local.common_tags without defining it.
locals {
  common_tags = {
    Environment = "test"
  }
}

resource "aws_s3_bucket" "tf_testbucket" {
  bucket = "tf-testbucket-blah"
  acl    = "private"
  tags   = local.common_tags
}
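The configuration below is an added example, not part of the original post or of the HashiCorp guide it references. It assumes that the `vault_aws_access_credentials` data source accepts an optional `region` argument that tells the Vault provider which region to use when it validates the leased credential with STS; the China regions live in the separate aws-cn partition with their own STS endpoints, so a validation call sent to a region outside that partition would reject the token even though the leased user exists. Verify that the argument is present in your version of the Vault provider before relying on it; the `backend` and `role` names are the placeholders from the original snippet.

```hcl
terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
    aws = {
      source = "hashicorp/aws"
    }
  }
}

provider "vault" {}

data "vault_aws_access_credentials" "creds" {
  backend = "backend"
  role    = "role"

  # Assumption: this optional argument makes the provider's credential
  # validation call go to the STS endpoint of the named region, i.e. into
  # the aws-cn partition, instead of the default region outside it.
  region = "cn-northwest-1"
}

# Same partition and region as the validation above, so the credential the
# provider validated is the one the AWS provider actually uses.
provider "aws" {
  region     = "cn-northwest-1"
  access_key = data.vault_aws_access_credentials.creds.access_key
  secret_key = data.vault_aws_access_credentials.creds.secret_key
}

resource "aws_s3_bucket" "tf_testbucket" {
  bucket = "tf-testbucket-blah"
  acl    = "private"
}
```

To separate a Vault problem from a Terraform-provider problem, lease a credential by hand with `vault read backend/creds/role`, export the returned access and secret keys as `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, and run `aws sts get-caller-identity --region cn-northwest-1`. If that call succeeds while the same call without `--region` (or against us-east-1) returns `InvalidClientTokenId`, the leased credential is fine and the failure is confined to where the validation request is being sent.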