Problem
HCP Terraform Drift Detection (run from Health Assessments) may fail when the credentials or certificates it uses have expired. Typical errors look like the following (identifiers redacted):
{:error=>"RestClient::SSLCertificateNotVerified", :id=>999999, :message=>"SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)"}
Error: error configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: 88888888-3756-4753-96f6-8888888888, api error ExpiredToken: The security token included in the request is expired
{:exception=>"Faraday::SSLError", :message=>"SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)"}
Cause
Drift checks run against a snapshot of the workspace's last successful run. That snapshot can include the credentials and certificates the downstream providers used at the time, and those may have expired since the run completed. Because the assessment uses the snapshot rather than the live workspace settings, updating the workspace variables alone does not fix the failure; the snapshot is only refreshed by a new run.
Solution
Option A — Trigger a New Run with Valid Credentials (Immediate Fix)
To refresh the snapshot used by drift detection:
- Update the expired credentials in the workspace variables or variable set (rotate keys, renew certificates).
- Queue a new plan/apply in the workspace so HCP Terraform captures up-to-date provider credentials in a fresh snapshot.
- Re-run Drift Detection from Health Assessments and confirm the assessment completes without the authentication error.
Option B — Adopt Dynamic Provider Credentials (Long‑Term Fix)
Dynamic credentials (OIDC workload identity) provide fresh, short‑lived credentials per run, eliminating reliance on long‑lived static secrets in snapshots and substantially reducing 403/expired token incidents.
Benefits:
- New temporary credentials are minted for each plan/apply.
- No manual rotation needed; snapshots stop embedding long‑lived secrets.
- Aligns with cloud IAM best practices and reduces drift detection auth failures.
Get started:
- HCP Terraform Dynamic Provider Credentials overview & setup: https://developer.hashicorp.com/terraform/cloud-docs/dynamic-provider-credentials
- Setup examples (AWS/Azure/GCP/Vault/HCP): https://github.com/hashicorp/terraform-dynamic-credentials-setup-examples
Agent note: If you run self-hosted HCP Terraform agents, make sure they are v1.7.0 or newer (or whatever minimum version the documentation lists for the feature you use); older agents do not support dynamic provider credentials.
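The AWS side of Option B, as an added example that is not part of this article or of HashiCorp's setup examples repository: it creates the OIDC trust for app.terraform.io, an IAM role whose trust policy is pinned to one organization/project/workspace, and the two workspace environment variables that switch the AWS provider to dynamic credentials. The organization, project, workspace, workspace ID, role name and attached policy are placeholder assumptions; replace them with your own, and attach a least-privilege policy instead of ReadOnlyAccess. With this in place no static AWS access key is stored in the workspace, so the snapshot used by drift detection never carries a secret that can expire.

```hcl
# Added example (not from the original article). Assumes the aws, tls and
# tfe providers are configured and that the tfe provider has a token with
# permission to manage variables on the target workspace.

variable "tfc_hostname"     { default = "app.terraform.io" }
variable "tfc_organization" { default = "example-org" }      # assumption
variable "tfc_project"      { default = "Default Project" }  # assumption
variable "tfc_workspace"    { default = "prod-network" }     # assumption
variable "tfc_workspace_id" { default = "ws-xxxxxxxxxxxxxxxx" } # assumption

# 1. Trust HCP Terraform's OIDC issuer in this AWS account.
data "tls_certificate" "tfc" {
  url = "https://${var.tfc_hostname}"
}

resource "aws_iam_openid_connect_provider" "tfc" {
  url             = "https://${var.tfc_hostname}"
  client_id_list  = ["aws.workload.identity"]
  thumbprint_list = [data.tls_certificate.tfc.certificates[0].sha1_fingerprint]
}

# 2. Role assumed by each run via AssumeRoleWithWebIdentity. The conditions
#    restrict the token audience and pin the subject to one org/project/
#    workspace, so a token minted for any other workspace is rejected.
data "aws_iam_policy_document" "tfc_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.tfc.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "${var.tfc_hostname}:aud"
      values   = ["aws.workload.identity"]
    }

    condition {
      test     = "StringLike"
      variable = "${var.tfc_hostname}:sub"
      values = [
        "organization:${var.tfc_organization}:project:${var.tfc_project}:workspace:${var.tfc_workspace}:run_phase:*",
      ]
    }
  }
}

resource "aws_iam_role" "tfc" {
  name                 = "hcp-terraform-${var.tfc_workspace}" # assumption
  assume_role_policy   = data.aws_iam_policy_document.tfc_trust.json
  max_session_duration = 3600 # each run gets a fresh, one-hour credential
}

# Placeholder permission set; replace with a policy scoped to what the
# workspace actually manages.
resource "aws_iam_role_policy_attachment" "tfc" {
  role       = aws_iam_role.tfc.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# 3. Workspace environment variables that enable dynamic credentials for the
#    AWS provider. No AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY is set.
resource "tfe_variable" "aws_provider_auth" {
  workspace_id = var.tfc_workspace_id
  category     = "env"
  key          = "TFC_AWS_PROVIDER_AUTH"
  value        = "true"
}

resource "tfe_variable" "aws_run_role_arn" {
  workspace_id = var.tfc_workspace_id
  category     = "env"
  key          = "TFC_AWS_RUN_ROLE_ARN"
  value        = aws_iam_role.tfc.arn
}
```

Apply this from a bootstrap workspace that still has valid static credentials, then queue one plan/apply in the target workspace so its snapshot is taken with the OIDC-based credentials; subsequent drift checks mint a new token per run rather than reusing a stored key.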