Problem
When using Vault-Backed Dynamic Credentials with the AWS Provider and multiple configuration aliases, a Terraform run fails with one of the following errors.
The first possible error message is:
Operation failed: auth type for Vault-backed AWS authentication must be one of: iam_user, assumed_role, federation_token
A related error message you might encounter is:
│ Error:
│ failed to load shared config file,
│ /home/tfc-agent/.tfc-agent/component/terraform/runs/run-4By5oNPaWF89NcpL/
│ tfc-vault-backed-aws-shared-credentials,
│ invalid state with ASTKind and TokenType none
│
│ with provider["registry.terraform.io/hashicorp/aws"],
│ on main.tf line 45, in provider "aws":
│ 45: provider "aws" {Cause
This issue was caused by a bug in Terraform Enterprise and the Terraform Enterprise agent that prevented the correct handling of Vault-backed credentials with multiple AWS provider aliases.
Solution
To resolve this issue, you must upgrade both Terraform Enterprise and the TFE agent to the specified versions or higher.
- Upgrade Terraform Enterprise to version v202312-1 or a later version.
- If you use external agents, upgrade them to version 1.14.1 or a later version.
Example Configuration
This section provides an example of a configuration that would encounter the issue on unpatched versions. In this example, an AWS provider alias named north is created.
Workspace Variables
You must add the following environment variables to your workspace.
TFC_VAULT_PROVIDER_AUTH = true TFC_VAULT_ADDR = https://<your_vault_host>:8200 TFC_VAULT_RUN_ROLE = tfc-role TFC_VAULT_BACKED_AWS_AUTH = true TFC_VAULT_BACKED_AWS_AUTH_TYPE = iam_user TFC_VAULT_BACKED_AWS_RUN_VAULT_ROLE = my-role TFC_VAULT_BACKED_AWS_AUTH_north = true TFC_VAULT_BACKED_AWS_AUTH_TYPE_north = iam_user TFC_VAULT_BACKED_AWS_RUN_VAULT_ROLE_north = my-role-north
Terraform Configuration
This configuration adds the AWS provider alias for north, includes the shared_credentials_files argument for all AWS providers, and defines the required variabletfc_vault_backed_aws_dynamic_credentials.
terraform {
cloud {
hostname = "<your tfe host>"
organization = "<your org>"
workspaces {
name = "<your workspace>"
}
}
required_providers {
vault = {
source = "hashicorp/vault"
version = "3.21.0"
}
aws = {
source = "hashicorp/aws"
version = "5.22.0"
}
}
}
provider "vault" {
## skip_child_token must be explicitly set to true as TFC manages the token lifecycle
skip_child_token = true
address = var.tfc_vault_dynamic_credentials.default.address
namespace = var.tfc_vault_dynamic_credentials.default.namespace
auth_login_token_file {
filename = var.tfc_vault_dynamic_credentials.default.token_filename
}
}
provider "aws" {
region = "us-east-1"
shared_credentials_files = [var.tfc_vault_backed_aws_dynamic_credentials.default.shared_credentials_file]
}
provider "aws" {
alias = "north"
region = "us-east-1"
shared_credentials_files = [var.tfc_vault_backed_aws_dynamic_credentials.aliases["north"].shared_credentials_file]
}
variable "tfc_vault_dynamic_credentials" {
description = "Object containing Vault dynamic credentials configuration"
type = object({
default = object({
token_filename = string
address = string
namespace = string
ca_cert_file = string
})
})
}
variable "tfc_vault_backed_aws_dynamic_credentials" {
description = "Object containing Vault-backed AWS dynamic credentials configuration"
type = object({
default = object({
shared_credentials_file = string
})
aliases = map(object({
shared_credentials_file = string
}))
})
}
# Your resources for the different providers below