How do the AWS credentials get passed to terraform?

(ben.byers) #1

I’m trying to use the built in terraform steps in octopus deploy (2018.9.2) and I’m running into problems with authentication. This occurs when another (custom) step runs the aws configure command to set the access key, and session token for AWS CLI commands to use. After running that custom step an aws.credentials file is created in the user’s home directory as expected, however, if that file exists, the built in terraform step fails to authenticate, apparently because it’s getting the credentials from that file instead of from the AWS account that it was configured to use. If I delete the .credentials file, then the terraform step works as expected.

I’m trying to understand how to get these two processes to co-exist peacefully, so my question is how do the built in Terraform steps pass the credentials to terraform\aws CLI? We are using AWS accounts that are managed by Octopus, and they are performing role switching (if that makes a difference). Again, I am confident the configuration is correct because it works like a charm if you delete the .credentials file.

Here’s the error I get:

Error: Error refreshing state: 1 error(s) occurred:

  • Error creating AWS session: SharedConfigLoadError: failed to load config file, C:\Windows\system32\config\\credentials caused by: INIParseError: invalid state with ASTKind { {4 NONE 0 [61]} true [{expr {1 STRING 0 Token data removed

(Shaun Marx) #2

Hi Ben, thanks for getting in touch,

When you configure the terraform step to use an AWS account then we set the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY , AWS_DEFAULT_REGION environment variables which should be picked up by terraform automatically and won’t require you to manually set those details. We also set the AWS_SESSION_TOKEN based on the AWS account details once authenticated which should be picked up by terraform and honour the change in roles, however there could be some edge cases here where things may not work depending on how the provider was configured along with the AWS account in Octopus.

How are you currently configuring the AWS provider and are you assuming roles within the terraform template or are you specifying the role to assume directly on the Octopus account?