AWS_DEFAULT_PROFILE environment variable not respected #105

Closed
gbonk opened this Issue Jan 24, 2017 · 5 comments

gbonk commented Jan 24, 2017

I have set the AWS_DEFAULT_PROFILE but it's not being honored by terragrunt.

Terraform operates fine.

If I set AWS_PROFILE to the correct profile then terragrunt works fine.

We are using the following versions:

Terraform v0.8.4
terragrunt version v0.9.3
aws-cli/1.11.36 Python/2.7.9 Windows/7 botocore/1.4.93

Here's the error I get, noting that I'm certain of having the S3 bucket available and accessible:

$ terragrunt apply
[terragrunt] 2017/01/24 11:07:04 Reading Terragrunt config file at C:/dev/devops-poc/devops/infrastructure/devops/.terragrunt
[terragrunt] 2017/01/24 11:07:04 Initializing remote state for the s3 backend
[terragrunt] 2017/01/24 11:07:04 WARNING: encryption is not enabled on the S3 remote state bucket poc.devops.icct.com. Terraform state files may contain secrets, so we STRONGLY recommend enabling encryption!
[terragrunt]  Remote state S3 bucket poc.devops.icct.com does not exist or you don't have permissions to access it. Would you like Terragrunt to create it? (y/n) y
[terragrunt] 2017/01/24 11:07:09 Creating S3 bucket poc.devops.com
AuthorizationHeaderMalformed: The authorization header is malformed; a non-empty Access Key (AKID) must be provided in the credential.
        status code: 400, request id: 2EF02673D482B306
[terragrunt] 2017/01/24 11:07:09 AuthorizationHeaderMalformed: The authorization header is malformed; a non-empty Access Key (AKID) must be provided in the credential.
        status code: 400, request id: 2EF02673D482B306
Contributor

josh-padnick commented Jan 24, 2017

@gbonk I think what's going on here is that the awscli uses the AWS_DEFAULT_PROFILE env var, but the AWS SDK for Go does not. If you check out the AWS SDK for Go docs, it appears that only the AWS_PROFILE env var is used by the AWS SDK for Go. To use a default profile, you actually have to name that profile [default].

Does switching to AWS_PROFILE solve the problem?

robkinyon commented Jan 25, 2017

@josh-padnick I'm a coworker of @gbonk. The issue is that we have set the following in our provider-aws.tf:

provider "aws" {
  region = "${var.aws-region}"
  profile = "saml"
}

Doing a terraform plan works as expected, using the 'saml' AWS profile. It's only when we go to terragrunt plan that things don't work anymore. So, terragrunt isn't acting as a completely transparent wrapper.

Contributor

josh-padnick commented Jan 26, 2017

The issue is actually that Terragrunt has its own AWS API calls separate from Terraform and that those calls use the default credential provider of the AWS Go SDK, which, per my previous comment, doesn't support the AWS_DEFAULT_PROFILE value. It looks like even Terraform doesn't support AWS_DEFAULT_PROFILE.

Could you try just setting the AWS_PROFILE environment variable? It looks like that solution worked on #21.

Adding explicit support for AWS profiles would be nice and is not something Terragrunt supports yet. You can track the progress at #48.

Contributor

josh-padnick commented Jan 30, 2017

Since #108 has been released and I believe I've addressed your issue, I'm going to close this issue. Feel free to comment if additional input is needed!

gbonk commented Feb 3, 2017

That's fine for now. If we set both variables, AWS_DEFAULT_PROFILE and AWS_PROFILE, then everything works fine. Not elegant, but it's a sufficient workaround.
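
An added example, not part of the thread and not Terragrunt's code: a preflight check that models the profile rules described in the comments above (SDK-for-Go callers read only AWS_PROFILE and otherwise use [default], while the AWS CLI reads AWS_DEFAULT_PROFILE) and refuses to proceed when the two would resolve to different identities or to a profile with no access key. The function names and the sample credentials are constructed for illustration; that a missing [default] profile explains the empty-AKID error in the log is an assumption.

```shell
#!/bin/sh
# Added example (not Terragrunt's code). Rules modelled here come from the thread:
#   SDK-for-Go callers: AWS_PROFILE, else [default]
#   AWS CLI:            AWS_DEFAULT_PROFILE

# profile_has_key PROFILE FILE -> exit 0 if [PROFILE] has a non-empty aws_access_key_id
profile_has_key() {
  [ -r "$2" ] || return 1
  awk -v want="[$1]" '
    /^[ \t\r]*\[/ { gsub(/[ \t\r]/, ""); insec = ($0 == want); next }
    insec && /^[ \t\r]*aws_access_key_id[ \t\r]*=/ {
      sub(/^[^=]*=[ \t\r]*/, ""); sub(/[ \t\r]+$/, "")
      if (length($0) > 0) found = 1
    }
    END { exit(found ? 0 : 1) }' "$2"
}

# preflight [FILE] -> prints one verdict line; non-zero exit means "do not run yet"
preflight() (
  creds="${1:-${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}}"
  sdk="${AWS_PROFILE:-default}"
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then
    # The SDK's default chain checks environment keys before any profile.
    echo "ENV_KEYS"; exit 0
  fi
  if ! profile_has_key "$sdk" "$creds"; then
    # The SDK-side profile has no key: requests would carry an empty access key.
    echo "NO_KEY sdk=$sdk"; exit 2
  fi
  if [ -n "${AWS_DEFAULT_PROFILE:-}" ] && [ "$AWS_DEFAULT_PROFILE" != "$sdk" ]; then
    # Both profiles exist but differ: CLI and SDK callers act as different identities.
    echo "MISMATCH cli=$AWS_DEFAULT_PROFILE sdk=$sdk"; exit 1
  fi
  echo "OK sdk=$sdk"
)

# write_sample FILE -> constructed credentials file with placeholder values only
write_sample() {
  printf '%s\n' '[saml]' 'aws_access_key_id = EXAMPLEKEYID' \
    'aws_secret_access_key = EXAMPLESECRET' 'aws_session_token = EXAMPLETOKEN' > "$1"
}
```

Running `preflight || exit 1` ahead of `terragrunt apply` stops the run before any AWS call is made under an unintended or empty identity.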
