STS AssumeRole error after upgrading AWS provider to v4.0.0

Hi there,

I just upgraded the AWS provider from v3.63.0 to v4.0.0 and it started failing on assume_role, throwing:

Error: error configuring Terraform AWS Provider: IAM role (xxxx) cannot be assumed.

Error: operation error STS: AssumeRole, https response error StatusCode: 403, .....

This is my provider configuration:

provider "aws" {
  allowed_account_ids = ["123456789012"]
  region              = "eu-west-2"

  assume_role {
    role_arn = "arn:aws:iam::<account_id>:role/<role_name>"
  }
}

which is/was working perfectly fine with v3.xx.x for the last couple of years or so. What am I missing here with v4? Could anyone provide me some info, please?

Any pointer(s) from anyone? I still couldn’t figure out what’s wrong and am totally stuck :cry:

-S

I don’t think we necessarily need TF v14 for AWS provider v4.x.x, do we?

Okay, finally figured out the reason: our STS (and any service like that) access is through a VPC Endpoint, and the provider upgrade seems to have switched to v2 of the AWS API library, which seems to have some issues with STS, as it goes through the region-specific endpoint instead of the proxy to the Internet. The VPCe condition had to be applied to the IAM role to allow the regional STS endpoint to be used instead. After that, it started working again, without any modification to the provider configuration.

It should be mentioned in the v4 upgrade documentation, IMO.

-S
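As an added illustration (not from the thread or the provider project) of the fix described above, here is a role trust policy in Terraform that admits sts:AssumeRole only when the call arrives through a specific STS interface VPC endpoint, using the aws:SourceVpce condition key. The thread does not show the author's actual condition, so the key, the account ID, the endpoint ID and the role name are assumptions and placeholders.

```hcl
# Added example, not the original poster's configuration.
# Trust policy for the role that the Terraform provider assumes.
# The condition restricts AssumeRole to requests that reached the
# regional STS endpoint via our interface VPC endpoint, which is the
# path the v4 provider (AWS SDK v2) takes instead of the Internet proxy.
data "aws_iam_policy_document" "terraform_trust" {
  statement {
    sid     = "AllowAssumeRoleViaStsVpce"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::123456789012:root"] # placeholder account
    }

    # aws:SourceVpce is only present in the request context when the call
    # traverses a VPC endpoint; calls over the public endpoint are denied.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceVpce"
      values   = ["vpce-0123456789abcdef0"] # placeholder STS endpoint ID
    }
  }
}

resource "aws_iam_role" "terraform" {
  name               = "<role_name>" # placeholder, as in the provider block above
  assume_role_policy = data.aws_iam_policy_document.terraform_trust.json
}
```

If you also keep an aws:SourceIp allow-list for the old proxy path, put both keys in one statement only if every caller satisfies both; otherwise use two statements so the VPC-endpoint path and the proxy path are each permitted independently.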
