Hi Team,

I’m encountering an issue while using Terraform with AWS SSO authentication for one of our sandbox accounts. Although the AWS CLI works correctly after logging in via SSO, Terraform fails to authenticate and throws an InvalidClientTokenId error when attempting to import or manage resources.

Working:

AWS CLI successfully authenticates via SSO.

CLI commands like sts get-caller-identity return valid identity and credentials.

Resource management via CLI is functioning as expected.

Not Working:

Terraform fails to authenticate using the same profile.

Error message:

Error: Retrieving AWS account details: validating provider credentials: retrieving caller identity from STS: operation error STS: GetCallerIdentity, https response error StatusCode: 403, api error InvalidClientTokenId

Troubleshooting Steps Taken:

Verified Terraform and AWS provider versions support SSO.

Set AWS_PROFILE environment variable.

Added credential_process to AWS config.

Cleared CLI cache.

Manually exported temporary credentials using environment variables (which worked temporarily).

Despite these efforts, Terraform consistently fails to authenticate via SSO. I suspect this may be due to Terraform’s limited support for sso_session configuration on Windows.

Could you please advise on a recommended workaround or configuration that enables Terraform to reliably use AWS SSO credentials?

Thanks in advance for your support.
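An added diagnostic for the symptom above (example code, not from the original post or the Terraform project). It checks two things a practitioner would verify first: that the profile really references a defined `[sso-session]` section, and that no static-credential variables left over from a manual export are sitting ahead of `AWS_PROFILE` in the provider's credential chain. It assumes an AWS-CLI-style config file and the standard AWS SDK variable names; the sample config is constructed.

```shell
# Section header for a profile: [default] or [profile NAME].
_profile_header() { [ "$1" = "default" ] && echo "[default]" || echo "[profile $1]"; }

# Print the sso_session name a profile references; rc 1 if it has none
# (legacy sso_start_url-in-profile layout, or static keys instead of SSO).
profile_sso_session() {
  awk -v want="$(_profile_header "$2")" '
    $0 == want { inside = 1; next }
    /^\[/      { inside = 0 }
    inside && /^[ \t]*sso_session[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; found = 1 }
    END { exit found ? 0 : 1 }' "$1"
}

# rc 0 if an [sso-session NAME] section exists and carries an sso_start_url.
sso_session_defined() {
  awk -v want="[sso-session $2]" '
    $0 == want { inside = 1; next }
    /^\[/      { inside = 0 }
    inside && /^[ \t]*sso_start_url[ \t]*=/ { found = 1 }
    END { exit found ? 0 : 1 }' "$1"
}

# List static-credential variables that are set. The SDK credential chain
# consults these before the shared config profile, so leftovers from a manual
# "temporary" export silently override the SSO profile. rc 1 if any are set.
static_creds_in_env() {
  rc=0
  for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; do
    eval "val=\${$v-}"
    [ -n "$val" ] && { echo "$v is set and overrides AWS_PROFILE"; rc=1; }
  done
  return $rc
}

# Constructed sample config: "sandbox" uses the sso_session layout, "legacy" does not.
SAMPLE_CFG="${TMPDIR:-/tmp}/aws-config-sample.$$"
cat > "$SAMPLE_CFG" <<'EOF'
[sso-session corp]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
[profile sandbox]
sso_session = corp
sso_account_id = 123456789012
sso_role_name = SandboxAdmin
[profile legacy]
aws_access_key_id = AKIAEXAMPLE
EOF
```

Run it against the real `~/.aws/config` and the profile name Terraform is given; a profile that fails `profile_sso_session` or a non-empty `static_creds_in_env` report explains a CLI-works/Terraform-fails split without any Windows-specific cause.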