Can you use your AWS CLI to connect to your AWS account, e.g. listing your AWS S3 buckets? Based on the error, I think you didn't configure your AWS CLI by running `aws configure`, which will require you to have an access key ID and secret for the setup.
You must configure AWS credentials in Terraform Cloud. In the Terraform Cloud platform, go to Settings -> Variable Sets -> Create Variable Set, put some "name", check "Apply to all workspaces in this organization" and click on the button "Add Variable". Select the "Environment variable" option, and enter the key `AWS_ACCESS_KEY_ID` and value "Access key ID". The "Access key ID" is the ID from the AWS credential (IAM). Check the "sensitive" checkbox and click on the button "Add Variable". Then repeat this process to add a new environment variable with the key/value pair `AWS_SECRET_ACCESS_KEY` / secret access key of the AWS credential. Finally, click on the button "Create variable set". Retry the `terraform plan` command. See more in https://developer.hashicorp.com/terraform/tutorials/aws-get-started/aws-remote#set-workspace-variables
There is a safe way to authenticate Terraform Cloud with AWS, which avoids secrets entirely:
- Create an IAM identity provider
- Create an IAM role which trusts that provider
- Add two environment variables to Terraform Cloud
1. Create an IAM identity provider:
2. Create an IAM role which trusts that provider:
The role includes a trust relationship that looks like this. Replace `my-tfc-org` with the name of your organization in Terraform, and `<aws-account-id>` with your AWS account number. Also attach to the role all the permissions your Terraform needs.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<aws-account-id>:oidc-provider/app.terraform.io"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "app.terraform.io:aud": "aws.workload.identity"
        },
        "StringLike": {
          "app.terraform.io:sub": "organization:my-tfc-org:project:*:workspace:*:run_phase:*"
        }
      }
    }
  ]
}
```
3. Add two environment variables to Terraform Cloud:
The value of TFC_AWS_RUN_ROLE_ARN points to the role you created above:
This answer is a reproduction of the AWS documentation here:
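To see what the trust policy in the answer above actually restricts, here is an added example (not from the answer or from AWS) that evaluates the policy's StringEquals/StringLike conditions the way IAM does, against constructed token claims in the shape of a Terraform Cloud workload identity token; the `sub` condition is what stops a workspace in a different organization from assuming your role.

```python
import json
import re

# The trust policy from the answer above; my-tfc-org is the answer's example
# organization and <aws-account-id> is left as the placeholder it uses.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::<aws-account-id>:oidc-provider/app.terraform.io"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"app.terraform.io:aud": "aws.workload.identity"},
      "StringLike": {"app.terraform.io:sub": "organization:my-tfc-org:project:*:workspace:*:run_phase:*"}
    }
  }]
}""")


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters, '?' exactly one; case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def condition_met(condition: dict, claims: dict) -> bool:
    """Evaluate the StringEquals / StringLike blocks; every listed key must match (AND)."""
    operators = {"StringEquals": lambda p, v: p == v, "StringLike": string_like}
    for name, match in operators.items():
        for key, allowed in condition.get(name, {}).items():
            patterns = allowed if isinstance(allowed, list) else [allowed]
            actual = claims.get(key)  # a claim absent from the token never satisfies a condition
            if actual is None or not any(match(p, actual) for p in patterns):
                return False
    return True


def assume_allowed(policy: dict, claims: dict) -> bool:
    """Simplified IAM evaluation: True if an Allow statement for AssumeRoleWithWebIdentity matches."""
    return any(
        s["Effect"] == "Allow" and s["Action"] == "sts:AssumeRoleWithWebIdentity"
        and condition_met(s.get("Condition", {}), claims)
        for s in policy["Statement"]
    )


def tfc_claims(org: str, project: str, workspace: str, phase: str = "plan") -> dict:
    """Constructed claims in the shape of a Terraform Cloud workload identity token."""
    sub = f"organization:{org}:project:{project}:workspace:{workspace}:run_phase:{phase}"
    return {"app.terraform.io:aud": "aws.workload.identity", "app.terraform.io:sub": sub}


if __name__ == "__main__":
    print(assume_allowed(TRUST_POLICY, tfc_claims("my-tfc-org", "Default Project", "my-aws-app")))  # True
    print(assume_allowed(TRUST_POLICY, tfc_claims("some-other-org", "Default Project", "my-aws-app")))  # False
```

Terraform Cloud only requests the identity token and performs the role assumption when the workspace also has `TFC_AWS_PROVIDER_AUTH` set to `true` alongside `TFC_AWS_RUN_ROLE_ARN`.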
I had a similar issue.
To resolve it, first add the backend configuration setting like the following example:

```hcl
backend "remote" {
  hostname     = "app.terraform.io"
  organization = "org-example"
  workspaces {
    name = "my-aws-app"
  }
}
```
Then in the terminal do:

```shell
terraform init -reconfigure
```

Then go to Terraform Cloud, select your workspace (in my example `my-aws-app`) and then under Variables / Workspace variables select "Add variable" and add `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, making sure you choose "Environment variable" when selecting it at the top.

Then you can go back to the terminal and do

```shell
terraform plan
```

And it should work fine now.