terraform commands fail to detect expired AWS security tokens #4502
Comments
I'm experiencing this bug as well.
Any update on this issue?
This is also affecting me as well whenever I do longer running provisioning such as RDS instances. Since it takes so long for RDS instances to provision, the token I'm using will time out leaving Terraform in a state of constant waiting. This actually corrupts my state pretty badly as when I exit the command and attempt to rectify, it doesn't seem to sync the state properly.
Ideally, this error should be exposed to the user rather than only the debug logs:
In my work environment we authenticate to aws via a Federated connection. I found (the very hard way) that having failed to "login" in this morning Ideal result would be for terraform plan to halt and report an error message to the user reporting connection failure(s). A simple message of "Connection Failure" would be far more informative than the vague log data. As well, I disagree with forcing the user to depend on having to view a log file to obtain this level of data. This does defeat various levels of automation and allowing 'junior' or 'lesser skilled persons' executing scripts. < My 2 cents ... Log output:
I think this could be not a bug because a user can refresh credential while Terraform is retrying.
From where would I find these warning messages?
Related to issues #1351, #1307, #2068, and PR #6992. tl;dr If credentials expire and the problem cannot be resolved, terraform should report that there is a problem. Currently credential expiration is opaque to users (it isn't reported at the default logging level). Currently, when credentials expire, terraform loops until the modification timeout for its active resource expires, then complains about being unable to write its state. This does not clearly convey that there is an issue that needs to be resolved while trying to modify resources, nor does it convey that there was a credential problem earlier on when the persistence of the state file fails. To the user, it appears that the active resource was taking a long time to modify, and as a result credentials expired, resulting in the end of the build at that time. In truth, cause and effect were flipped: the credentials expired, causing the active resource to "take a long time" to modify. Here are the scenarios when credentials expire midway through
The second use case is not addressed. The first use case may be addressed, but I haven't tried it so I can't say.
Pretty sure this behavior is coming from the SDK itself and probably related to aws/aws-sdk-go#925
I experienced this as well when creating a large redis cluster. After 1 hour the credentials stopped working and the process hung. I also needed to
I'm 99% sure this is the underlying SDK. Looking at the provider code there's no reference to ExpiredToken errors, and most (all?) of the CRUD functions are just returning whatever error the SDK sends back, which says to me that the SDK just isn't returning when it hits an ExpiredToken error and can't refresh its credentials.
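The fail-fast behaviour the commenters above ask for, as an added example that is not part of the thread and is not code from Terraform, the AWS provider or the AWS SDK: a polling loop that treats an ExpiredToken error as terminal instead of retrying until the resource timeout. `APIError`, `IsExpired` and `WaitFor` are hypothetical names, and the error values in `main` are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// APIError is a hypothetical stand-in for an SDK error that carries an AWS error code.
type APIError struct{ Code, Message string }

func (e *APIError) Error() string { return e.Code + ": " + e.Message }

// ErrCredentialsExpired gives callers one clear, user-facing failure to report.
var ErrCredentialsExpired = errors.New("AWS credentials expired; refresh them and re-run")

// ExpiredToken is the code named in the thread; ExpiredTokenException is a variant some services return.
var expiredCodes = map[string]bool{"ExpiredToken": true, "ExpiredTokenException": true}

// IsExpired reports whether err, or any error it wraps, is an expired-credential error.
func IsExpired(err error) bool {
	var apiErr *APIError
	return errors.As(err, &apiErr) && expiredCodes[apiErr.Code]
}

// WaitFor polls op until it succeeds or timeout elapses, and returns the attempt count.
// It stops at once on expired credentials so the cause is reported, not a later timeout.
func WaitFor(op func() error, interval, timeout time.Duration) (int, error) {
	deadline := time.Now().Add(timeout)
	for attempts := 1; ; attempts++ {
		err := op()
		if err == nil {
			return attempts, nil
		}
		if IsExpired(err) {
			return attempts, fmt.Errorf("%w: %v", ErrCredentialsExpired, err)
		}
		if time.Now().After(deadline) {
			return attempts, fmt.Errorf("timed out after %d attempts: %w", attempts, err)
		}
		time.Sleep(interval)
	}
}

func main() {
	// Constructed input: every call fails with an expired session token.
	op := func() error { return &APIError{"ExpiredToken", "The security token included in the request is expired"} }
	fmt.Println(WaitFor(op, time.Millisecond, time.Second))
}
```
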
Hitting this too. If you are using a system that rotates credentials frequently (like hourly) this gets really annoying.
Why was this closed? This is still an ongoing issue. I'm on what the download page lists as the latest version:
I have faced an issue in terraform
I just ran into a hung terraform session also.
and the logs:
Any updates on this? I do not face this when I do a terraform plan but when I try to import a resource.
Bug still in latest -
I have the same issue. Even refreshing credentials behind the scenes while it's "Still modifying..." doesn't do anything. It just keeps plugging away with the old credentials.
This is closed by events. See hashicorp/aws-sdk-go-base#362 for more details.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
This issue was originally opened by @scubahub as hashicorp/terraform#18024. It was migrated here as a result of the provider split. The original body of the issue is below.
I'm using the AWS provider and relying on terraform to access using the values defined in the default ~/.aws/credentials and ~/.aws/config files. The credentials entries include aws_session_token, which terraform does seem to pick up. However, when that token is expired and I try to terraform plan, terraform tries to connect to AWS 15 times then just hangs. At that point ctl-c says it's gracefully shutting down, but it never does. Have to ctl-c it a second time.
Terraform Version
Terraform Configuration Files
Debug Output
The following is the result for every attempt terraform makes to log in to AWS:
Here is the output after ctl-c:
Expected Behavior
Terraform should exit and notify the user their credentials are expired.
Actual Behavior
Terraform never returns
Steps to Reproduce
terraform init
terraform plan