Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Terraform ignores skip_credentials_validation flag for s3 backend with custom endpoint. #33983

Closed
mmeintker-tc opened this issue Oct 4, 2023 · 8 comments · Fixed by #34002
Closed

Terraform ignores skip_credentials_validation flag for s3 backend with custom endpoint. #33983

mmeintker-tc opened this issue Oct 4, 2023 · 8 comments · Fixed by #34002
Labels
backend/s3 bug new new issue not yet triaged v1.6 Issues (primarily bugs) reported against v1.6 releases
Milestone
v1.6.1

Comments

@mmeintker-tc
Copy link

mmeintker-tc commented Oct 4, 2023
edited

Terraform Version

Terraform v1.6.0
on linux_amd64

Terraform Configuration Files

Provider config:

terraform {
  required_version = ">= 0.13"
  required_providers {
    openstack = {
      source = "terraform-provider-openstack/openstack"
    }
  }
  # will use backend tfvars file
  backend "s3" {}
}

tfvars:

endpoints = {
  s3 = "https://ceph.mydomain.tld:7480"
}
bucket = "tfstates"
key = "tfstate"
use_path_style = true
region = "us-east-1"
skip_credentials_validation = true
skip_region_validation = true

Debug Output

Initializing the backend...

│ Error: Retrieving AWS account details: AWS account ID not previously found and failed retrieving via all available methods. See https://www.terraform.io/docs/providers/aws/index.html#skip_requesting_account_id for workaround and implications. Errors: 2 errors occurred:
│ * retrieving caller identity from STS: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: XXX, api error InvalidClientTokenId: The security token included in the request is invalid.
│ * retrieving account information via iam:ListRoles: operation error IAM: ListRoles, https response error StatusCode: 403, RequestID: XXX, api error InvalidClientTokenId: The security token included in the request is invalid.




Error: Process completed with exit code 1.

Expected Behavior

Terraform should just initialize like it did with v1.5.5.

Actual Behavior

It tries to retrieve AWS account details, which it cannot becuase I'm not using an AWS backend.

Steps to Reproduce

  1. export AWS_SECRET_ACCESS_KEY=<your S3 secret key>
  2. export AWS_ACCESS_KEY_ID=<your S3 access key>
  3. terraform init -backend-config=backend.tfvars

Additional Context

Reverting back to terraform v.1.5.5 fixed this issue.

References

No response
@mmeintker-tc mmeintker-tc added bug new new issue not yet triaged labels Oct 4, 2023
@crw crw added the backend/s3 label Oct 4, 2023
josephpage added a commit to DNUM-SocialGouv/1j1s-front that referenced this issue Oct 5, 2023
@josephpage
fix(ci): revert terraform to 1.5.7 because of hashicorp/terraform#33983
87f113e
@josephpage josephpage mentioned this issue Oct 5, 2023
Merged
josephpage added a commit to DNUM-SocialGouv/1j1s-front that referenced this issue Oct 5, 2023
@josephpage
fix(ci): revert terraform to 1.5.7 because of hashicorp/terraform#33983
840fde9 
… (#2103)
@apparentlymart apparentlymart added the v1.6 Issues (primarily bugs) reported against v1.6 releases label Oct 5, 2023
@hloeung
Copy link

hloeung commented Oct 5, 2023
edited

Does the s3 backend need to expose the skip_requesting_account_id option as per the aws provider? So &awsbase.Config{} in https://github.com/hashicorp/terraform/blob/main/internal/backend/remote-state/s3/backend.go#L958C9-L958C24 ?

@hloeung hloeung mentioned this issue Oct 5, 2023
Closed
@josephpage
Copy link

This parameter is absolutely necessary if you want to use S3-compatible storage systems such as Ceph, Minio, Digitalocean, OVH or Scaleway as a backend, as they do not implement the STS API.

@knoppiks knoppiks mentioned this issue Oct 6, 2023
Merged
@cameronharriss
Copy link

For the above pull req would we use just the param in 1.6.1 using:

skip_requesting_account_id = true

@andrewsomething andrewsomething mentioned this issue Oct 6, 2023
Closed
@gdavison gdavison added this to the v1.6.1 milestone Oct 6, 2023
This was referenced Oct 9, 2023
Closed
Merged
@teamterraform teamterraform mentioned this issue Oct 9, 2023
Merged
@logica0419 logica0419 mentioned this issue Oct 10, 2023
Merged
@bestrocker221
Copy link

bestrocker221 commented Oct 28, 2023
edited

It still does not work in v1.6.2

Tried to set

    skip_region_validation      = true
    skip_credentials_validation = true
    skip_requesting_account_id  = true
    skip_metadata_api_check     = true

but keep getting

│ Error: Retrieving AWS account details: AWS account ID not previously found and failed retrieving via all available methods. See https://www.terraform.io/docs/providers/aws/index.html#skip_requesting_account_id for workaround and implications. Errors: 2 errors occurred:
│       * retrieving caller identity from STS: operation error STS: GetCallerIdentity, https response error StatusCode: 0, RequestID: , request send failed, Post "https://sts.XXXXX.amazonaws.com/": dial tcp: lookup sts.XXXXX: no such host
│       * retrieving account information via iam:ListRoles: operation error IAM: ListRoles, https response error StatusCode: 403, RequestID: ...... , api error InvalidClientTokenId: The security token included in the request is invalid.

@KaMaToZzz
Copy link

KaMaToZzz commented Nov 1, 2023
edited

@josephpage @jar-b Any idies how fix this?

@lotusnoir
Copy link

I got it working replacing

endpoint = "https://s3.fr-par.scw.cloud"

by

    endpoints = { s3 = "https://s3.fr-par.scw.cloud" }
    skip_requesting_account_id = true

then

terraform init -reconfigure

@artem-lifshits artem-lifshits mentioned this issue Nov 8, 2023
Closed
@cdtzabra
Copy link

Moved from tf 1.6.0 to 1.6.4 and by adding skip_requesting_account_id = truefix the issue for me.

skip_requesting_account_id = truewas not recognized by tf 1.6.0

@llunaCreixent llunaCreixent mentioned this issue Nov 23, 2023
Closed
@patrick-hermann-sva patrick-hermann-sva mentioned this issue Nov 25, 2023
Closed
@andrewsomething andrewsomething mentioned this issue Dec 4, 2023
Closed
@github-actions GitHub Actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 21, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
backend/s3 bug new new issue not yet triaged v1.6 Issues (primarily bugs) reported against v1.6 releases
Projects
None yet
Milestone
v1.6.1
Development

Successfully merging a pull request may close this issue.

Add skip_requesting_account_id Parameter to S3 Backend knoppiks/terraform