S3 Backend assume role failure

The s3 backend is acting differently when assuming a role vs the aws cli and I’m not able to understand why.

Environment setup:
I’m using Nike’s gimmeawscreds utility to retrieve temporary credentials for a role that I’m able to assume with an SSO integration. This first role I’m assuming has access to be able to assume a role in a different account, and I’ve set up my aws config file with a profile for the second role that references the first role as the source_profile.

Issue/Different expected behavior:
After I authenticate with the first role I’m able to run the aws sts get-caller-identity command specifying the second role’s profile name in the arguments, and I get back the assumed second role from the other account in the JSON. I can also run commands against other services that the second role has access to and get results back specific to the second role’s account.

In the backend configuration for the terraform provider I’m setting the remote state to assume the same profile I’ve successfully used in the CLI. However, when I attempt to initialize the backend I get a failed to refresh cached credentials error, and it appears to be trying to perform another assume role into the first role instead of just using the existing credentials to perform an assume role into the second role.

Backend Config:

terraform {
  backend "s3" {
    bucket         = "my-state-bucket"
    key            = "terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "terraform-state-lock"
    
    assume_role = {
      role_arn       = "arn:aws:iam::9876543210:role/second-role"
      session_name = "terraform"
    }
  }
}

AWS Config

[profile first-role]
region = us-east-1
role_arn = arn:aws:iam::1234567890:role/first-role
source_profile = first-role

[profile second-role]
region         = us-east-1
role_arn = arn:aws:iam::0987654321:role/second-role
source_profile = first-role

Why does the backend provider appear to need to do an assume on the role first again using the existing first role’s credentials before trying to assume the second role?
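A useful first check when a credential-refresh error appears with chained profiles is to walk the source_profile links in the shared config file and see where each profile's chain ends. The script below is an added example, not code from the original post, from Terraform, or from the AWS tooling: it parses `[profile NAME]` sections, follows each profile's `source_profile`, and reports whether the chain reaches base credentials, loops back on itself, or points at a profile that does not exist. The embedded config is a constructed sample shaped like the one in the post (profile names, account ids and role names are placeholders); note that in the posted config `[profile first-role]` lists itself as its own `source_profile`, which is the kind of self-reference this check flags.

```python
"""Walk the assume-role chain declared in an AWS shared config file.

Added example (not from the original post or from Terraform/AWS tooling):
parses the `[profile NAME]` sections of a config file, follows each
profile's `source_profile` reference, and reports either the full chain
of profiles or a cycle. A profile that names itself (or an ancestor) as
its own `source_profile` can never resolve to base credentials.
"""
import configparser
from typing import Dict, List, Set, Tuple

# Constructed sample modelled on the shape of the config in the post.
# Account ids, profile names and role names are placeholders.
SAMPLE_CONFIG = """
[default]
region = us-east-1

[profile first-role]
region = us-east-1
role_arn = arn:aws:iam::111111111111:role/first-role
source_profile = first-role

[profile second-role]
region = us-east-1
role_arn = arn:aws:iam::222222222222:role/second-role
source_profile = first-role

[profile fixed-first-role]
region = us-east-1
role_arn = arn:aws:iam::111111111111:role/first-role
source_profile = default

[profile fixed-second-role]
region = us-east-1
role_arn = arn:aws:iam::222222222222:role/second-role
source_profile = fixed-first-role
"""


def parse_profiles(text: str) -> Dict[str, Dict[str, str]]:
    """Return {profile_name: {key: value}} for an AWS shared config.

    Sections are written `[profile NAME]` except for `[default]`, which the
    AWS tooling treats as the profile called "default".
    """
    parser = configparser.ConfigParser()
    parser.read_string(text)
    profiles: Dict[str, Dict[str, str]] = {}
    for section in parser.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(parser[section])
    return profiles


def resolve_chain(profiles: Dict[str, Dict[str, str]], start: str) -> Tuple[List[str], str]:
    """Follow source_profile links from `start` toward base credentials.

    Returns (chain, status): `chain` lists the profiles visited in order;
    `status` is "ok" (reached a profile with no source_profile), "cycle"
    (a profile re-appeared in the chain) or "missing" (a referenced profile
    is not defined in the file).
    """
    chain: List[str] = []
    seen: Set[str] = set()
    current = start
    while True:
        if current not in profiles:
            return chain + [current], "missing"
        if current in seen:
            return chain + [current], "cycle"
        seen.add(current)
        chain.append(current)
        nxt = profiles[current].get("source_profile")
        if nxt is None:
            return chain, "ok"
        current = nxt


def report(text: str) -> Dict[str, Tuple[List[str], str]]:
    """Summarise every profile's chain as {profile: (chain, status)}."""
    profiles = parse_profiles(text)
    return {name: resolve_chain(profiles, name) for name in profiles}


if __name__ == "__main__":
    for name, (chain, status) in report(SAMPLE_CONFIG).items():
        print(f"{name:20s} {status:8s} {' -> '.join(chain)}")
```

Run against the sample, `first-role` and `second-role` both come back as `cycle` because `first-role` sources itself, while the `fixed-*` profiles resolve cleanly down to `default`; pointing the script at a real `~/.aws/config` gives the same per-profile view of which chain the SDK will try to follow before it ever calls STS.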
