Problem
When connecting to HCP Terraform (formerly Terraform Cloud) using the remote or cloud backend and attempting to pass AWS credentials using the shared_credentials_file argument in the provider, you may get the following error:
Error: NoCredentialProviders: no valid providers in chain. Deprecated.
For verbose messaging see aws.Config.CredentialsChainVerboseErrors
Cause
This error occurs if the location of the AWS credential file is outside of the repository directory structure of the code. For example, the code configures the location of the AWS credential file as shared_credentials_file = $HOME/.aws/credentials and the Terraform code is (more than likely) not in the user's $HOME directory. The Terraform Cloud worker container will not be able to find the path and load $HOME/.aws/credentials. Terraform Cloud workers are disposable Linux virtual machines that have no access to your local computer. A worker operates only within the configured repository directory.
Solution
To get around the error, it is necessary to move the AWS credentials file to the same repository location as the code and reference that location in the shared_credentials_file argument in the Terraform provider code block. Now the Terraform worker can locate and read the AWS credentials during the run.
However, there is a word of caution. Those AWS secrets in the credential file will be stored in plain text and pose a security risk. Hard-coded credentials are not recommended in any Terraform configuration and risk secret leakage should this file ever be committed to a public version control system.
The recommended way of storing AWS credentials is in the Terraform Cloud workspace environment variables. Each variable has a sensitive flag, and when it is marked the value is hidden. To view and manage a workspace's variables, navigate to the workspace in question and click the "Variables" navigation link at the top. These instructions are detailed further in the documentation section on managing environment variables in the UI.
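A repository check for the two situations described above, as an added example that is not part of the original article: it flags a shared_credentials_file path that a remote worker cannot reach, and a credentials file committed in plain text. The function names, directory names and sample file contents are constructed for illustration, and the pattern also matches the list form shared_credentials_files used by newer AWS provider versions.

```python
import re
import tempfile
from pathlib import Path

# Provider argument from the article, plus the list form used by newer AWS provider versions.
CRED_ARG = re.compile(r'shared_credentials_files?\s*=\s*\[?\s*"([^"]+)"')
# A secret-key entry as it appears in an AWS shared credentials file.
SECRET_LINE = re.compile(r"^\s*aws_secret_access_key\s*=\s*\S+", re.MULTILINE)

def audit_repo(root):
    """Return sorted (relative_path, finding) tuples for the repository at root."""
    root = Path(root).resolve()
    findings = []
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if not path.is_file() or ".git" in rel.parts:
            continue
        text = path.read_text(errors="ignore")
        if path.suffix == ".tf":
            for value in CRED_ARG.findall(text):
                # Absolute, home-relative or parent-relative paths leave the repository.
                outside = value.startswith(("/", "~", "$HOME")) or ".." in Path(value).parts
                findings.append((rel.as_posix(),
                                 "path outside repository, remote worker cannot read it" if outside
                                 else "credentials file referenced inside repository"))
        if SECRET_LINE.search(text):
            findings.append((rel.as_posix(), "plaintext aws_secret_access_key in repository"))
    return sorted(findings)

def build_sample_repo(root):
    """Constructed sample input: both layouts the article describes."""
    root = Path(root)
    for name, cred_path in (("local", "$HOME/.aws/credentials"), ("moved", "./aws_credentials")):
        (root / name).mkdir()
        (root / name / "main.tf").write_text(
            f'provider "aws" {{\n  shared_credentials_file = "{cred_path}"\n}}\n')
    # Placeholder values, not real keys.
    (root / "moved" / "aws_credentials").write_text(
        "[default]\naws_access_key_id = EXAMPLEKEYID\naws_secret_access_key = EXAMPLE-NOT-A-SECRET\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, finding in audit_repo(build_sample_repo(tmp)):
            print(f"{rel}: {finding}")
```

A configuration that relies on workspace environment variables contains neither the argument nor a credentials file, so the check returns an empty list for it.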