Interestingly however, if I remove the profile = sandbox line from the provider block
provider "aws" {
region = "us-east-1"
}
and then look at the ~/.aws/cli/cached/[hash].json file with the SSO credentials
{
"ProviderType": "sso",
"Credentials": {
"AccessKeyId": "ASIAxxxxxxxxxxxxxxxZKPR",
"SecretAccessKey": "CpONxxxxxxxxxxxxxxxm51k",
"SessionToken": "IQoJxxxxxxxxxxxxxxxVty4=",
"Expiration": "2021-04-15T17:40:03UTC"
}
}
and performed the following:
export AWS_ACCESS_KEY_ID="ASIAxxxxxxxxxxxxxxxZKPR"
export AWS_SECRET_ACCESS_KEY="CpONxxxxxxxxxxxxxxxm51k"
export AWS_SESSION_TOKEN="IQoJxxxxxxxxxxxxxxxVty4="
terraform plan
I was pleased to see it return
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_s3_bucket.test will be created
+ resource "aws_s3_bucket" "test" {
+ acceleration_status = (known after apply)
+ acl = "private"
+ arn = (known after apply)
+ bucket = (known after apply)
+ bucket_domain_name = (known after apply)
+ bucket_regional_domain_name = (known after apply)
+ force_destroy = false
+ hosted_zone_id = (known after apply)
+ id = (known after apply)
+ region = (known after apply)
+ request_payer = (known after apply)
+ tags = {
+ "Name" = "Test bucket"
}
+ website_domain = (known after apply)
+ website_endpoint = (known after apply)
+ versioning {
+ enabled = (known after apply)
+ mfa_delete = (known after apply)
}
}
Plan: 1 to add, 0 to change, 0 to destroy.
------------------------------------------------------------------------
Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.
Just as I had originally expected. This at least shows it can use the credentials, but it isn't able to parse and determine the values on its own from the cached JSON files.
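As an added example (not code from the original post or from the provider), here is a small Python helper that automates the manual steps above: it reads the SSO cache entries, checks the Expiration timestamp in the format the cache writes, and emits the three export lines for the freshest unexpired entry. The cache directory default and the sample entry are assumptions, constructed to mirror the JSON shown above.

```python
import glob
import json
import os
from datetime import datetime, timezone

# Constructed sample mirroring the shape of ~/.aws/cli/cached/<hash>.json above.
SAMPLE_CACHE = {
    "ProviderType": "sso",
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "EXAMPLESECRETKEY",
        "SessionToken": "EXAMPLESESSIONTOKEN=",
        "Expiration": "2021-04-15T17:40:03UTC",
    },
}

def parse_expiration(value):
    """The cache writes e.g. '2021-04-15T17:40:03UTC' (no separator before the zone);
    other ISO-8601 spellings (assumed possible) fall back to fromisoformat."""
    if value.endswith("UTC"):
        return datetime.strptime(value[:-3], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def env_from_cache(entry, now):
    """Map one SSO cache entry to the env vars the provider reads; None if not SSO or expired."""
    if entry.get("ProviderType") != "sso":
        return None
    creds = entry["Credentials"]
    if parse_expiration(creds["Expiration"]) <= now:
        return None
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }

def freshest_env(entries, now):
    """Among several cache entries, pick the unexpired one that expires last."""
    live = [e for e in entries if env_from_cache(e, now) is not None]
    if not live:
        return None
    best = max(live, key=lambda e: parse_expiration(e["Credentials"]["Expiration"]))
    return env_from_cache(best, now)

def export_lines(env):
    """Render the same 'export ...' lines that were typed by hand above."""
    return [f'export {k}="{v}"' for k, v in env.items()]

if __name__ == "__main__":
    cache_dir = os.path.expanduser("~/.aws/cli/cached")  # assumed default location
    entries = [json.load(open(p)) for p in glob.glob(os.path.join(cache_dir, "*.json"))]
    env = freshest_env(entries, datetime.now(timezone.utc))
    print("\n".join(export_lines(env)) if env else "# no unexpired SSO credentials cached")
```

Run it as `eval "$(python3 sso_env.py)"` before `terraform plan`; note this only works while the cached entry is unexpired, so `aws sso login` still has to be rerun when it lapses.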