Specifying `skip_credentials_validation` but still getting `error validating provider credentials`


I’m looking for a way to run terraform plan as though it were against a brand new account on AWS, but without actually talking to AWS at all.

(The ultimate goal is for me to verify that some refactors are truly zero-change; my plan is to do terraform init && terraform plan -refresh=false -out=before.txt, make my changes, then same but with ... -out=after.txt and then compare. I know there will be order differences, but I can’t even get it to generate a plan…)

I tried this provider configuration block:

provider "aws" {
  region     = "us-east-1"
  # account_id = "12345678901"
  # access_key = "mock_access_key"
  # secret_key = "mock_secret_key"
  profile    = "nobody"

  skip_credentials_validation = true
  skip_get_ec2_platforms      = true
  skip_metadata_api_check     = true
  skip_region_validation      = true
  skip_requesting_account_id  = true

But I’m still seeing:

error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.

If I specify an AWS_PROFILE (and fill it in with invalid values in my ~/.aws/config and ~/.aws/credentials files), it changes to:

error configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: InvalidClientTokenId: The security token included in the request is invalid.

Which is what I would expect if it’s trying to do credential validation with bogus values.

But why is it still trying to do any kind of credential fetching at all?

Terraform v1.2.9 on darwin_arm64
Tried aws providers v3.75.2 and v4.31.0

Thanks for any tips!