
I'm using Terraform version 0.11.10 and I've set up the S3 backend, and it works locally when I use the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables for authentication.

provider "aws" {
  region  = "eu-west-1"
}

terraform {
  backend "s3" {
    bucket         = "terraform-state-xxxxx"
    region         = "eu-west-1"
    key            = "terraform/dev.tfstate"
    dynamodb_table = "terraform-locks"
  }
}

However, when I try to run the exact same code in the hashicorp/terraform:0.11.10 Docker container on Codeship with the same environment variables, it gives the following error:

Initializing the backend...

Error configuring the backend "s3": InvalidClientTokenId: The security token included in the request is invalid.

If I set skip_credentials_validation = "true" then I get the following:

InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records.

Why is it not using the credentials from the environment variables?

There is no ~/.aws/credentials file or any other place it could be getting credentials from that I am aware of.

Mikhail Janowski
  • Hi @Mikhail - have you checked if the environment variables are being inherited by the Docker container? Run Terraform in debug mode to see what it sees. https://www.terraform.io/docs/internals/debugging.html – KJH Nov 23 '18 at 15:46
  • Hi @KJH, yes the variables are there. I found the problem, it was that I had quotes around the environment variable values and for some reason they were being escaped and used as part of the access key. I just had to remove the quotes. – Mikhail Janowski Nov 25 '18 at 15:38
  • Great! You should write that as your answer, then you can accept it after 2 days. – KJH Nov 25 '18 at 17:19
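
The failure mode found in the comments (quote characters ending up inside the credential value) can be caught before `terraform init` with a pre-flight check. This is an added example, not part of the original post; the function names `classify_cred_value` and `check_aws_env` are hypothetical, and the key shown is the placeholder from the AWS documentation, not a real credential.

```shell
#!/bin/sh
# Added example: sanity-check AWS credential environment variables inside the
# container before Terraform reads them. Docker's --env-file passes values
# literally, so KEY="value" arrives with the quote characters included.

# classify_cred_value VALUE
# Prints one of: ok | empty | quoted | whitespace
classify_cred_value() {
  case $1 in
    '')              echo empty ;;
    *\"*|*\'*|*\\*)  echo quoted ;;      # stray quote or escape character
    *[[:space:]]*)   echo whitespace ;;  # space, tab or trailing CR from a CRLF file
    *)               echo ok ;;
  esac
}

# check_aws_env
# Returns 0 when both variables look clean, 1 otherwise.
# Reports only the variable name, the problem and the length, never the value.
check_aws_env() {
  rc=0
  for name in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY; do
    eval "val=\${$name-}"                # names come from the fixed list above
    state=$(classify_cred_value "$val")
    if [ "$state" != ok ]; then
      echo "$name: $state (length ${#val})" >&2
      rc=1
    fi
  done
  return $rc
}

# Demo on constructed sample values (placeholder key from the AWS docs).
for sample in 'AKIAIOSFODNN7EXAMPLE' '"AKIAIOSFODNN7EXAMPLE"'; do
  printf '%s -> %s\n' "$sample" "$(classify_cred_value "$sample")"
done
```

In a CI step this would run as `check_aws_env && terraform init`, so a malformed value stops the build with the variable name instead of surfacing later as InvalidClientTokenId.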

1 Answer

In my case, I had tried to set the ACCESS_KEY_ID and SECRET_ACCESS_KEY as environment variables, but it turned out that I also had a ~/.aws/credentials file that was used instead, and the provisioning of my box had set default values there. It seems that the ~/.aws/credentials file is used and the environment variables are not.

PHZ.fi-Pharazon