OIDC and AWS - "no valid credential sources"


I’m exploring the use of Terraform cloud for our infra. I’m trying to do a very basic test case - just a few S3 buckets - and I’m getting an error every time I plan.

Workspace has been setup up in the UI with the TFC_AWS_PROVIDER_AUTH and TFC_AWS_RUN_ROLE_ARN set of the organisation. OIDC provider and an IAM role created in our sandbox account. terraform init completes successfully. terraform plan gives the following error:

│ Error: configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
│ Please see https://registry.terraform.io/providers/hashicorp/aws
│ for more information about providing credentials.
│ AWS Error: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, request canceled, context deadline exceeded
│   with provider["registry.terraform.io/hashicorp/aws"],
│   on main.tf line 11, in provider "aws":
│   11: provider "aws" {

terraform and provider blocks:

terraform {
  cloud {
    organization = "org_name"
    workspaces {
      name = "sb_euw1_s3"

provider "aws" {
    region = var.aws_region

The trust policy on the OIDC provider looks correct but the error makes me think it’s not even getting that far. I’m at a loss as to what is happening here. Any idea what I’m missing?


Hi @MrCrispy,

I suspect that debugging this will require knowing exactly how you’ve configured your workspace environment variables, and so this seems like a question better asked through HashiCorp Support, where you’ll be able to share more information without disclosing it publicly.

The support team can also, with your permission, refer directly to certain settings in your workspace to look for potential problems that folks in this forum might not think to ask about.

If you do choose to contact the support team and you find a solution that does not disclose any sensitive information about your account in particular, it would be helpful to share some details here in case others with a similar question find this topic in future. Thanks!


I got in touch with Hashicorp support who made several suggestions. In the end my problem was that I was using the wrong project name in the trust policy for the AWS role. Once this was fixed the plan ran successfully.