Problem
After upgrading the Terraform AWS Provider to version 4.0 or later, you may encounter the following error during a run, even when valid credentials are provided:
no valid credential sources for Terraform AWS Provider found
Prerequisites
- You are using the Terraform AWS Provider version 4.0 or later.
- Terraform runs are initiated from an Amazon EC2 instance, such as in a self-hosted Terraform Enterprise installation or with HCP Terraform agents executing on EC2 instances.
Cause
This error occurs because the AWS provider cannot connect to the EC2 metadata service (IMDS) for authentication. Version 4.0 of the provider defaults to using IMDSv2, which requires a specific http-put-response-hop-limit setting on the EC2 instance. If this value is not set or is too low, the provider cannot retrieve credentials.
Solutions
There are two solutions to this issue. The recommended long-term solution is to update the EC2 instance metadata.
Solution 1: Downgrade the AWS Provider
As a temporary workaround, you can pin the AWS provider version to an earlier release, such as 3.74.3, that does not default to IMDSv2.
Update your provider configuration to set a version constraint.
    terraform {
      required_providers {
        aws = {
          source  = "hashicorp/aws"
          version = "~> 3.74.3"
        }
      }
    }

Solution 2: Increase the EC2 Instance Metadata Hop Limit
The recommended solution is to configure the EC2 instance to support IMDSv2 by increasing the HttpPutResponseHopLimit.
- Ensure you have installed AWS CLI version 2 and have configured it to connect to the correct AWS account and region.
- Identify the INSTANCE_ID of the EC2 instance. You can find this in the EC2 Console or by using the aws ec2 describe-instances command.

    $ aws ec2 describe-instances

- Use the aws ec2 modify-instance-metadata-options command to update the instance's metadata options. Replace $INSTANCE_ID with your actual instance ID. The http-put-response-hop-limit may need adjustment based on your environment, but a value of 2 is often sufficient.

    $ aws ec2 modify-instance-metadata-options \
        --instance-id $INSTANCE_ID \
        --http-tokens required \
        --http-endpoint enabled \
        --http-put-response-hop-limit 2

  The command returns output similar to the following, indicating the change is pending.

    {
        "InstanceId": "i-06e95fec9e1cc4ff4",
        "InstanceMetadataOptions": {
            "State": "pending",
            "HttpTokens": "required",
            "HttpPutResponseHopLimit": 2,
            "HttpEndpoint": "enabled"
        }
    }

- Verify that the settings have been applied. The State should transition to applied. Note that describe-instances takes the plural --instance-ids flag.

    $ aws ec2 describe-instances --instance-ids $INSTANCE_ID

  The output will contain a MetadataOptions section confirming the new settings.

    ## ...
    "MetadataOptions": {
        "State": "applied",
        "HttpTokens": "required",
        "HttpPutResponseHopLimit": 2,
        "HttpEndpoint": "enabled"
    }
    ## ...
After the instance metadata is updated, subsequent Terraform runs should complete without authentication errors.
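As an added check that is not part of the original article: the first function evaluates the MetadataOptions JSON returned by describe-instances against the hop count a Terraform agent needs, the second confirms the instance is IMDSv2-only, and the probe requests an IMDSv2 token from the host or container the agent actually runs in, which is where the hop limit bites. INSTANCE_ID, the script name and the curl timeout are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Checks the MetadataOptions an EC2
# instance reports against what a Terraform agent one network hop away needs,
# and probes IMDSv2 from the place where Terraform actually runs.
# Assumes: AWS CLI v2 and curl are installed; INSTANCE_ID is an assumed variable.

IMDS="http://169.254.169.254"   # link-local IMDS address, the same on every instance

# imds_options_ok JSON REQUIRED_HOPS
# JSON: the MetadataOptions object printed by `aws ec2 describe-instances`.
# Returns 0 when the endpoint is enabled and HttpPutResponseHopLimit >= REQUIRED_HOPS.
# IMDSv2 copies the hop limit into the IP TTL of the token response, so a process in
# a container with its own network namespace (one extra hop) needs at least 2. Keep
# the value as low as works: every extra hop widens where token responses can travel.
imds_options_ok() {
    flat=$(printf '%s' "$1" | tr -d '\n ')
    endpoint=$(printf '%s' "$flat" | sed -n 's/.*"HttpEndpoint":"\([a-z]*\)".*/\1/p')
    hops=$(printf '%s' "$flat" | sed -n 's/.*"HttpPutResponseHopLimit":\([0-9][0-9]*\).*/\1/p')
    [ "$endpoint" = "enabled" ] || return 1
    [ -n "$hops" ] && [ "$hops" -ge "$2" ]
}

# imds_v2_only JSON: returns 0 when HttpTokens is "required", i.e. IMDSv1 is switched off.
imds_v2_only() {
    printf '%s' "$1" | tr -d '\n ' | grep -q '"HttpTokens":"required"'
}

# imds_v2_probe: run where Terraform runs. Fetches a session token (the IMDSv2 PUT)
# and then lists the instance-role credentials. A timeout on the PUT while the
# endpoint is enabled is the hop-limit symptom; with a sufficient limit both succeed.
imds_v2_probe() {
    token=$(curl -sS -m 3 -X PUT "$IMDS/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || {
        echo "IMDSv2 token request failed: hop limit too low or endpoint disabled"; return 1; }
    curl -sS -m 3 -H "X-aws-ec2-metadata-token: $token" \
        "$IMDS/latest/meta-data/iam/security-credentials/" || {
        echo "no instance role credentials available"; return 1; }
}

# Usage: INSTANCE_ID=i-xxxxxxxx sh imds_check.sh   (INSTANCE_ID value is a placeholder)
if [ -n "${INSTANCE_ID:-}" ]; then
    opts=$(aws ec2 describe-instances --instance-ids "$INSTANCE_ID" \
        --query 'Reservations[0].Instances[0].MetadataOptions' --output json)
    imds_options_ok "$opts" 2 && echo "hop limit OK for a containerised agent" \
        || echo "raise http-put-response-hop-limit to 2"
    imds_v2_only "$opts" || echo "HttpTokens is optional: IMDSv1 still answers"
    imds_v2_probe
fi
```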
Additional Information
- For more context on this issue in Terraform Enterprise, refer to the article on Required Additional Configuration When Using IMDSv2.