
I am running Terraform in AWS region us-west-2 (Oregon) in a private VPC. Because of this I am using VPC endpoints to expose the STS API and am overriding this endpoint in Terraform as follows:

provider "aws" {
  endpoints {
    sts = "https://sts.us-west-2.amazonaws.com/"
  }
}

Unfortunately this gives the following error:

provider.aws: error validating provider credentials: error calling sts:GetCallerIdentity: SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

What could be causing this issue? Applying the same Terraform code without the endpoint override in a public VPC worked as expected.

Things I have checked:

  • The instance Terraform is running on is displaying the correct time (UTC)
  • AWS_REGION and AWS_DEFAULT_REGION env vars are set to us-west-2
  • The AWS_SECRET_ACCESS_KEY env var I am using to authenticate (together with AWS_ACCESS_KEY_ID) contains only alphanumeric characters

Versions:

  • terraform version: Terraform v0.11.13
  • terraform-provider-aws: v2.17.0
dippynark
  • Turn on debug first `TF_LOG=debug terraform ....`, then make sure your environment in VPC can access internet. – BMW Jul 03 '19 at 01:44
  • The problem I was having only happened when I did not have internet access, hence using VPC endpoints – dippynark Jul 03 '19 at 08:13

1 Answer


It seems like terraform is not sanitizing the URLs before sending them to AWS:

provider "aws" {
  endpoints {
    sts = "https://sts.us-west-2.amazonaws.com" # No trailing slash
  }
}

Just works fine for me, while with the trailing slash it results in your error.
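As an added illustration of why the trailing slash matters (this is not code from the question, the answer, or the Terraform AWS provider), the following Python walks through the SigV4 signing steps for an sts:GetCallerIdentity request twice: once with the endpoint from the question and once with the endpoint from the answer. It assumes the client builds the request URL by concatenating the configured endpoint with the operation's HTTP path "/", so an endpoint ending in "/" produces a "//" path that is signed as-is while the service canonicalises the path on its side; the credentials and timestamp are constructed placeholders, not real keys.

```python
"""SigV4 walkthrough: how an endpoint's trailing slash changes the signed canonical URI."""
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed, non-functional credentials and a fixed timestamp so the arithmetic is reproducible.
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE00"
SECRET_KEY = "exampleSecretKeyDoNotUse000000000000000"
REGION = "us-west-2"
SERVICE = "sts"
AMZ_DATE = "20190703T000000Z"
BODY = "Action=GetCallerIdentity&Version=2011-06-15"  # the STS query-API form body


def build_request_url(endpoint, operation_path="/"):
    # Assumption: the client appends the operation path to the configured endpoint verbatim.
    # "https://sts.us-west-2.amazonaws.com/" + "/" therefore becomes ".../" followed by "/".
    return endpoint + operation_path


def _sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def canonical_request(url):
    """Return (canonical_uri, canonical_request) for a POST to the given URL."""
    parsed = urlparse(url)
    canonical_uri = parsed.path or "/"  # the client signs the path exactly as it built it
    canonical_headers = (
        "content-type:application/x-www-form-urlencoded; charset=utf-8\n"
        f"host:{parsed.netloc}\n"
        f"x-amz-date:{AMZ_DATE}\n"
    )
    signed_headers = "content-type;host;x-amz-date"
    creq = "\n".join([
        "POST",
        canonical_uri,
        "",  # empty canonical query string (parameters travel in the body)
        canonical_headers,
        signed_headers,
        _sha256_hex(BODY.encode()),
    ])
    return canonical_uri, creq


def sign(url):
    """Derive the SigV4 signing key and sign the canonical request for this URL."""
    canonical_uri, creq = canonical_request(url)
    date_stamp = AMZ_DATE[:8]
    scope = f"{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", AMZ_DATE, scope, _sha256_hex(creq.encode())]
    )
    k_date = _hmac(("AWS4" + SECRET_KEY).encode(), date_stamp)
    k_region = _hmac(k_date, REGION)
    k_service = _hmac(k_region, SERVICE)
    k_signing = _hmac(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return {"canonical_uri": canonical_uri, "signature": signature}


def compare_endpoints(endpoint_a, endpoint_b):
    """Sign the same request against two endpoint spellings and report whether they agree."""
    a = sign(build_request_url(endpoint_a))
    b = sign(build_request_url(endpoint_b))
    return {
        "canonical_uri_a": a["canonical_uri"],
        "canonical_uri_b": b["canonical_uri"],
        "signatures_match": a["signature"] == b["signature"],
    }


if __name__ == "__main__":
    result = compare_endpoints(
        "https://sts.us-west-2.amazonaws.com/",  # endpoint from the question (trailing slash)
        "https://sts.us-west-2.amazonaws.com",   # endpoint from the answer
    )
    for key, value in result.items():
        print(f"{key}: {value!r}")
```

Because the canonical URI is hashed into the string to sign, any difference between the path the client signs and the path the service reconstructs yields a different signature, which is exactly the SignatureDoesNotMatch the question reports. When configuring a custom endpoint, give the scheme and host only, and if the error persists, compare the request URL in `TF_LOG=debug` output against the endpoint you intended.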