Use variables in AWS provider configuration

Hey all,

I have these variables configured:

variable "PROVIDER_AWS_ACCESS_KEY" {
  type = string
}
variable "PROVIDER_AWS_SECRET_KEY" {
  type = string
}

And this provider config:

provider "aws" {
  region = "eu-west-2"
  access_key = var.PROVIDER_AWS_ACCESS_KEY
  secret_key = var.PROVIDER_AWS_SECRET_KEY
}

This doesn’t seem to work, and I can see through Terraform debug logs that it’s failing to auth. Setting the access_key and secret_key as a string rather than a variable in the provider config works as expected. Ideally I’d rather not have the credentials in plaintext; is there any way around this?

Hi @RyanW8,

The usual way to configure the AWS provider is to only include the region argument in your provider block, and let the provider automatically find credentials in the environment via the various standard AWS mechanisms, including environment variables, credentials files, and EC2 instance profiles.

By trying to pass credentials in directly through variables you are forcing this configuration to always use the static credentials authentication strategy, and so there would be no way to use it in an environment where some other strategy is expected, such as AssumeRole.

I must admit I don’t know why what you tried didn’t work – it seems like something is happening outside of the configuration snippet you shared here – but hopefully the cause of that won’t be important if you’re able to switch to the automatic authentication strategy instead.

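A pre-flight check for the approach recommended in the reply, as an added example that is not part of the original thread: it flags `access_key`/`secret_key` assignments in `*.tf` files and reports which ambient credential source is visible. The function names `find_static_keys`, `credential_source` and `preflight` are hypothetical, the sample files are constructed, and `grep --include` assumes GNU or BSD grep.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check to run before `terraform plan`.
# Heuristic only; it does not reproduce the provider's own credential lookup.

# Print every line in *.tf files under $1 that sets access_key or secret_key,
# whether to a literal or to var.*. Exit status 0 = found, 1 = none found.
find_static_keys() {
  grep -rnE --include='*.tf' \
    '^[[:space:]]*(access_key|secret_key)[[:space:]]*=' "$1"
}

# Name the first standard credential source visible in the environment.
credential_source() {
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    echo "environment"
  elif [ -n "${AWS_PROFILE:-}" ]; then
    echo "profile:${AWS_PROFILE}"
  elif [ -f "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}" ]; then
    echo "shared-credentials-file"
  else
    echo "none-detected"  # an EC2 instance profile could still supply them
  fi
}

# Fail (status 1) when the configuration pins static credentials.
preflight() (
  rc=0
  if find_static_keys "${1:-.}" >&2; then
    echo "provider block sets static credentials; keep only region" >&2
    rc=1
  fi
  echo "credential source: $(credential_source)"
  exit "$rc"
)

# Constructed sample: the provider block from the question, then the
# region-only form recommended in the reply.
demo=$(mktemp -d)
printf 'provider "aws" {\n  region = "eu-west-2"\n  access_key = var.PROVIDER_AWS_ACCESS_KEY\n  secret_key = var.PROVIDER_AWS_SECRET_KEY\n}\n' > "$demo/main.tf"
preflight "$demo" || echo "blocked: static credentials in $demo/main.tf"
printf 'provider "aws" {\n  region = "eu-west-2"\n}\n' > "$demo/main.tf"
preflight "$demo" && echo "ok: provider relies on ambient credentials"
```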