Using AWS credential environment variables with TF Cloud

I am trying to pass the access key ID, secret key, and session token returned by a call to sts.AssumeRole() to my Terraform Cloud workspace. After reviewing the documentation and several posts, here is my current approach, which is failing with a “No valid credential sources found for AWS Provider”:

  1. Remote backend correctly configured to point to my TF Cloud Workspace and authenticate using an API token obtained from terraform login.

  2. Variables in a credentials.auto.tfvars file in the same directory as my main.tf file:

aws_access_key = "ASIA......"
aws_secret_key = "[my_secret_key]"
aws_session_token = "[my_session_token]"

  3. Variables in my main.tf file:

variable "aws_access_key" {}
variable "aws_secret_key" {}
variable "aws_session_token" {}

  4. Use those variables to create tfe_variables of category “env” in my remote workspace:

locals {
  common_variables = {
    AWS_ACCESS_KEY_ID     = var.aws_access_key
    AWS_SECRET_ACCESS_KEY = var.aws_secret_key
    AWS_SESSION_TOKEN     = var.aws_session_token
  }
}

resource "tfe_organization" "my-tfe-org" {
  name  = "my-org-name"
  email = "myemail@company.com"
}

resource "tfe_workspace" "my-tfe-workspace" {
  name         = "my-workspace-name"
  organization = tfe_organization.my-tfe-org.id
}

resource "tfe_variable" "shared" {
  for_each = local.common_variables

  workspace_id = tfe_workspace.my-tfe-workspace.id
  category     = "env"
  key          = each.key
  value        = each.value
  sensitive    = true
}

  5. Then I reference the aws provider and create some resources:

provider "aws" {
  region = "us-east-1"
}

resource "aws_iam_role" "role" {
...
}

As stated above the error is: “Error: No valid credential sources found for AWS Provider.”

Hi @jaknn,

It looks like you are using Terraform to manage the environment variables associated with your workspace. Are your configurations in steps one through four in a separate Terraform Cloud workspace from the configuration you showed in step 5? Having a Terraform workspace modify its own settings as part of its own configuration isn’t supported.

I was trying this all in one workspace. What you are saying makes sense. So, I should have a separate TF Cloud workspace to execute the plan to configure the environment variables of the second workspace where my AWS plans will be applied?

Yes, if you intend to manage your Terraform Cloud workspaces with Terraform Cloud itself then you’ll usually have at least one workspace manually created and configured to automate the management of the others.

It is in principle possible to then import your manually-created workspace into its own state using terraform import and manage it with Terraform moving forward, but that is a very risky setup because a mistake could lead to you deleting or otherwise damaging the management workspace through a change to its own configuration, and (as you’ve seen) any changes you might try to apply to the management workspace through its own configuration will take effect only after the run completes, too late for it to rely on those changes.
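The two-workspace split described in the replies, written out as an added example (this is not code from the thread or from HashiCorp): a manually created management workspace owns the tfe_variable resources, and the application workspace only consumes the resulting environment variables. The organization and workspace names, the file layout, and the use of the remote backend are assumptions chosen to match the original post; the STS credentials are passed in as sensitive input variables rather than from a committed .tfvars file.

```hcl
# ---------- management/main.tf (workspace A, created by hand in Terraform Cloud) ----------
# This workspace only manages the settings of the application workspace. It never
# configures the AWS provider itself, so it needs no AWS credentials of its own.

terraform {
  backend "remote" {
    organization = "my-org-name"          # assumption: same org as in the thread
    workspaces {
      name = "management-workspace"       # assumption: created manually in the UI
    }
  }
}

# The tfe provider authenticates with the API token from `terraform login` (or TFE_TOKEN).
provider "tfe" {}

# Temporary credentials from sts.AssumeRole() arrive as sensitive input variables:
# Terraform redacts them from plan output, and they should be set as sensitive
# workspace variables in Terraform Cloud (or passed with -var), not committed in a .tfvars file.
variable "aws_access_key" {
  type      = string
  sensitive = true
}

variable "aws_secret_key" {
  type      = string
  sensitive = true
}

variable "aws_session_token" {
  type      = string
  sensitive = true
}

# The application workspace that workspace A manages (workspace B below).
resource "tfe_workspace" "app" {
  name         = "my-workspace-name"      # assumption: name from the thread
  organization = "my-org-name"
}

locals {
  # Environment variable names the AWS provider's SDK reads at run time.
  aws_env = {
    AWS_ACCESS_KEY_ID     = var.aws_access_key
    AWS_SECRET_ACCESS_KEY = var.aws_secret_key
    AWS_SESSION_TOKEN     = var.aws_session_token
  }
}

# Marking each variable sensitive keeps the value write-only in the TF Cloud UI and API.
resource "tfe_variable" "aws_env" {
  for_each = local.aws_env

  workspace_id = tfe_workspace.app.id
  category     = "env"
  key          = each.key
  value        = each.value
  sensitive    = true
  description  = "Temporary AWS credential managed by the management workspace"
}

# ---------- app/main.tf (workspace B, settings managed by workspace A) ----------
terraform {
  backend "remote" {
    organization = "my-org-name"
    workspaces {
      name = "my-workspace-name"
    }
  }
}

# No keys in the provider block: the provider picks up AWS_ACCESS_KEY_ID,
# AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN from the environment variables
# that workspace A set on this workspace, so "No valid credential sources" no longer applies.
provider "aws" {
  region = "us-east-1"
}

resource "aws_iam_role" "role" {
  # ... role definition as in the original post ...
}
```

Apply the management directory first, then run the application workspace; the order matters because, as the reply explains, variables written during a run only take effect for later runs. One caveat a practitioner should plan for: credentials returned by AssumeRole are temporary and expire, so the tfe_variable values in workspace A have to be refreshed (a new apply with fresh inputs) before each run of workspace B, otherwise the provider will fail with an expired-token error rather than a missing-credentials one.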