Fix web id assume role

[VictorCovalski]

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Output from acceptance testing:

Fixes #25680.
Relates hashicorp/aws-sdk-go-base#178.
Relates #24441.

[github-actions]

Welcome @VictorCovalski 👋

It looks like this is your first Pull Request submission to the Terraform AWS Provider! If you haven’t already done so please make sure you have checked out our CONTRIBUTING guide and FAQ to make sure your contribution is adhering to best practice and has all the necessary elements in place for a successful approval.

Also take a look at our FAQ which details how we prioritize Pull Requests for inclusion.

Thanks again, and welcome to the community! 😃

[ewbankkit]

LGTM 🚀.

[ewbankkit]

@VictorCovalski Thanks for the contribution 🎉 👏.

[gdavison]

Thanks for this, @VictorCovalski! 🚀

[github-actions]

This functionality has been released in v4.22.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[azec-pdx]

@VictorCovalski, I believe that there has been regression with v4.22.0 of the provider in terms of how credentials chain behaves when assume_role_with_web_identity{} is present in provider config.

Behavior before v4.22.0

I have a Terraform module with these files:

versions.tf

terraform {
  required_version = ">= 1.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

providers.tf

provider "aws" {
  region              = var.region
  allowed_account_ids = [var.account_id]
  # Web Identity Role Federation only used in CI/CD
  assume_role_with_web_identity {
    role_arn           = var.ci_cd_role_ARN
    session_name       = var.ci_cd_sts_session_name
    duration           = var.ci_cd_sts_session_duration
    web_identity_token = var.ci_cd_web_identity_token
  }

  default_tags {
    tags = {
      # redacted
    }
  }
}

devops-account-globals.yaml (this is my top level YAML config that feeds TF root module variables)

terraform:
  vars:
    # Defines the order of labels which constitute name for all resources stacked:
    # {namespace}-{tenant}-{environment}-{stage}-{name}-{attributes}
    label_order:
     - "namespace"
     - "tenant"
     - "environment"
     - "stage"
     - "name"
     - "attributes"
    account_id: "REDACTED"
    ci_cd_role_ARN: "REDACTED"
    ci_cd_sts_session_name: "Terraform-CI-CD"
    ci_cd_sts_session_duration: "1h"
    # To be provided as TF_VAR_ci_cd_web_identity_token through CI/CD.
    # Setting empty string value breaks credentials chain lookup when OIDC IdP is not used (e.g.engineer workstations and
    # using Administrator SAML-federated IAM Role)
    ci_cd_web_identity_token: "FAILSAFE"

Before v4.22.0 with having ci_cd_web_identity_token set to value FAILSAFE, provider would attempt to 1st get STS session using STS: AssumeRoleWithWebIdentity and once that fails (because obviously "FAILSAFE" is not valid JWT token, intentionally), provider would proceed with other mechanisms to get AWS credentials. In scenario where I run terraform commands from my developer workstation, it would use my already persisted STS session saved in AWS_ environment variables.

Behavior after v4.22.0

All files above unchanged.
After upgrade to v4.22.0, with having ci_cd_web_identity_token set to value FAILSAFE, provider would attempt to 1st get STS session using STS: AssumeRoleWithWebIdentity and once that fails, provider doesn't even attempt further to continue with other methods to find AWS credentials (credentials chain stops).
I get the error:

Error: error configuring Terraform AWS Provider: IAM Role (REDACTED) cannot be assumed with web identity token.
│
│ There are a number of possible causes of this - the most common are:
│   * The web identity token used in order to assume the role is invalid
│   * The web identity token does not have appropriate permission to assume the role
│   * The role ARN is not valid
│
│ Error: failed to retrieve credentials, operation error STS: AssumeRoleWithWebIdentity, exceeded maximum number of attempts, 1, https response error StatusCode: 400, RequestID: 78672982-935a-4758-bd50-0f8a4c96f301, InvalidIdentityToken: The ID Token provided is not a valid JWT. (You may see this error if you sent an Access Token)

[azec-pdx]

I have just locked down my provider version with version = "~> 4.21.0" and confirmed above is true, just to double verify.

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.