I've set up my Terraform vault provider as follows and configured the appropriate dev-role-iam role in vault with a suitable principal as shown, and this is working through our build system with no issues retrieving secrets.
provider "vault" {
  auth_login {
    path   = "auth/aws/login"
    method = "aws"
    parameters = {
      role = "dev-role-iam"
    }
  }
}
When I came to run the same command on the command line for testing, I was unable to get it to work; it returns the following error.
Error authenticating: failed to retrieve credentials from credential chain: NoCredentialProviders: no valid providers in chain. Deprecated. For verbose messaging see aws.Config.CredentialsChainVerboseErrors
Initially I thought that I hadn't set the SSO login principal correctly in vault, but I've subsequently found out that this is an SDK error and the request isn't even reaching vault. In fact, a network trace shows that vault is attempting to get credentials from the metadata endpoint on the 169.254.* address, when I am obviously running this locally. One would expect the provider to pick up the AWS_PROFILE environment variable if set, but there seems to be no documentation to indicate how to configure the provider for this, though it seems that supporting profiles in vault has been around since 1.9.0; the change simply shows a bump in the SDK. Does anybody know if this is possible and how?
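As an added example that is not part of the original post, the following POSIX shell pre-flight check mirrors the order in which the AWS SDK credential chain picks a source (static environment variables, then the named profile in the shared credentials file, then the instance metadata endpoint) and reports which one would be used, so a "NoCredentialProviders" error can be traced to a missing local source before involving vault at all. The credentials file contents, profile names and file paths are constructed; the `sso-dev` profile deliberately carries no static keys, modelling a profile that only references an SSO session, which a provider that reads nothing but static keys from the file cannot resolve and therefore falls through to the 169.254.169.254 metadata lookup seen in the network trace.

```shell
#!/bin/sh
# Added example (not from the original post): a pre-flight check that mirrors
# the AWS SDK credential chain order so a NoCredentialProviders failure can be
# explained locally. Paths, profile names and the sample file are constructed.

# profile_has_static_keys FILE PROFILE
# Succeeds when section [PROFILE] in FILE defines both
# aws_access_key_id and aws_secret_access_key.
profile_has_static_keys() {
    awk -v want="$2" '
        /^[[:space:]]*\[/ {
            section = $0
            sub(/^[[:space:]]*\[/, "", section)
            sub(/\][[:space:]]*$/, "", section)
            next
        }
        section == want && /^[[:space:]]*aws_access_key_id[[:space:]]*=/     { id = 1 }
        section == want && /^[[:space:]]*aws_secret_access_key[[:space:]]*=/ { secret = 1 }
        END { if (id && secret) exit 0; exit 1 }
    ' "$1"
}

# resolve_aws_credential_source FILE [PROFILE]
# Prints the source the chain would use: "env", "profile:<name>" or "metadata".
# Returns 1 for "metadata", because on a workstation that means no local
# credentials were found and the SDK is about to try the instance endpoint.
resolve_aws_credential_source() {
    creds_file="$1"
    profile="${2:-${AWS_PROFILE:-default}}"

    # 1. Static environment credentials are consulted first.
    if [ -n "$AWS_ACCESS_KEY_ID" ] && [ -n "$AWS_SECRET_ACCESS_KEY" ]; then
        echo "env"
        return 0
    fi

    # 2. Shared credentials file: the selected profile must hold static keys.
    #    A profile that only points at an SSO session has none here.
    if [ -r "$creds_file" ] && profile_has_static_keys "$creds_file" "$profile"; then
        echo "profile:$profile"
        return 0
    fi

    # 3. Nothing local: the SDK now queries 169.254.169.254, which is the
    #    traffic a network trace shows when no valid local provider exists.
    echo "metadata"
    return 1
}

# make_sample_credentials FILE
# Writes a constructed credentials file: "default" has static keys (the
# placeholder key pair from the AWS documentation), "sso-dev" has none.
make_sample_credentials() {
    cat > "$1" <<'EOF'
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[sso-dev]
region = eu-west-1
EOF
}

# Demo run against the constructed file (hypothetical path from mktemp).
sample="$(mktemp)"
make_sample_credentials "$sample"
for p in default sso-dev; do
    printf '%s -> %s\n' "$p" "$(resolve_aws_credential_source "$sample" "$p" || true)"
done
rm -f "$sample"
```

Running it with `AWS_PROFILE=sso-dev` exported and no static keys in the environment prints `metadata`, which is the same situation the SDK reports as an empty credential chain; `AWS_PROFILE=default` resolves to the file. The check only reads the credentials file and never prints key material.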