How to skip all aws provider credentials checks

Fran-Rg · November 25, 2024, 3:57pm

I’m using a module which creates kubernetes and aws resources. There’s a flag skipping the aws resources creation which I’m using. All aws resources have count 0. Thus in a way I don’t need an aws provider. If I remove it terraform complains it’s required. But if I leave the provider then it complains:

│ Please see Terraform Registry
│ for more information about providing credentials.
│
│ Error: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, access disabled to EC2 IMDS via client option, or
│ “AWS_EC2_METADATA_DISABLED” environment variable

This is an example explaining the code I’m using:

provider "aws" {
  skip_credentials_validation = true
  skip_metadata_api_check     = true
  skip_region_validation      = true
  skip_requesting_account_id  = true
}
resource "aws_s3_bucket" "disabled"{
    count = 0
    bucket = "hello-world"
}

You can reproduce the issue by calling:

docker run --rm -it -w $PWD -v $PWD:$PWD  --platform=linux/amd64 hashicorp/terraform:1.9.8 init
docker run --rm -it -w $PWD -v $PWD:$PWD  --platform=linux/amd64 hashicorp/terraform:1.9.8 plan

Is there something I could do to mock it? I found the mock providers but they can’t be used in this context right (Tests - Provider Mocking | Terraform | HashiCorp Developer) ?

jar-b · December 9, 2024, 9:41pm

I believe this will work as desired as long as a profile is configured (even without valid credentials). For example, either set AWS_PROFILE or use the profile attribute.

provider "aws" {
  skip_credentials_validation = true
  skip_metadata_api_check     = true
  skip_region_validation      = true
  skip_requesting_account_id  = true

  profile = "something-that-exists"
}

resource "aws_s3_bucket" "disabled" {
  count  = 0
  bucket = "hello-world"
}

% echo $AWS_PROFILE # verify nothing else is set in the environment

% terraform plan

No changes. Your infrastructure matches the configuration.

If necessary you could mock out the config and credentials files instead of relying on these to be present in the standard location the AWS SDK expects (~/.aws):

Terraform Registry

jar-b · December 9, 2024, 9:49pm

The same is true for setting dummy access/secret keys in the provider config - though I’m not sure this translates as well to the contexts in which you actually need to use the AWS provider.

provider "aws" {
  skip_credentials_validation = true
  skip_metadata_api_check     = true
  skip_region_validation      = true
  skip_requesting_account_id  = true

  access_key = "foo"
  secret_key = "bar"
}

resource "aws_s3_bucket" "disabled" {
  count  = 0
  bucket = "hello-world"
}

In short, the provider expects to have some credential source to try (access key, profile, assume role block, etc.), even if eventually all validation of those credentials are skipped.

Fran-Rg · December 10, 2024, 5:59pm

That did it thanks. I’ve not tried with the aws_profile part. Yes no issue that the provider is 100% broken for AWS

Topic		Replies	Views
Specifying `skip_credentials_validation` but still getting `error validating provider credentials` AWS	0	982	September 20, 2022
Error: configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found AWS	7	12066	March 16, 2024
Failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds AWS	2	13970	March 18, 2024
Error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found AWS	14	41073	January 15, 2025
Unused aws provider/resource failing during plan Terraform	2	952	December 2, 2022

How to skip all aws provider credentials checks

Related topics