
I have a Terraform GitLab runner I’ve provisioned in my Kubernetes cluster via Helm to execute Terraform-related CI/CD pipelines. The runner uses a specific service account that has access to a provisioned IAM Role for the runner using IAM Role for Service Accounts. To ensure that the runner is able to obtain the correct role, in my pipeline, I’ve included an aws sts get-caller-identity call in my job and the job successfully returns the role. However, when terraform plan -out=tfplan or terraform apply tfplan is executed, I get the following error:

    Error: error configuring S3 Backend: no valid credential sources for S3 Backend found.

    Please see https://www.terraform.io/docs/language/settings/backends/s3.html
    for more information about providing credentials.

    Error: NoCredentialProviders: no valid providers in chain. Deprecated.
    For verbose messaging see aws.Config.CredentialsChainVerboseErrors

This error comes up randomly. It does not occur consistently.

I’ve considered using "skip_credentials_validation" and "skip_requesting_account_id" as mentioned in this stackoverflow post, but I feel there should be a better way for terraform to detect if the credentials are present for this type of scenario without having to do this type of bypass or actually committing a credentials file into the repository with access key and secret access key to assume a role.

Does anyone know how this can be done such that terraform would pick up the role consistently without hardcoding credentials?

2 Answers


  1. Chosen as BEST ANSWER

    I've noticed that upgrading the values.yml file for the GitLab Runner and upgrading the runner to the current version (15.2.1), combined with IAM Role for Service Accounts, enabled terraform init and plan to run as expected.

    Keep in mind I've also updated GitLab server to v15.3 as well such that it is generally in sync with the runner version.


  2. Did you try explicitly initializing Terraform with your backend config?

    terraform init \
      -backend-config="access_key=<your access key>" \
      -backend-config="secret_key=<your secret key>"
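
For the intermittent failure described in the question, a pre-flight check of the IAM Role for Service Accounts credential source can show whether the web identity token was actually present and unexpired when the job ran. This is an added example, not code from the thread; check_irsa and jwt_payload are hypothetical names, AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE are the variables EKS injects for such service accounts, and base64 -d (GNU coreutils) is assumed to be available in the job image.

```shell
#!/bin/sh
# Added example: pre-flight check of the IRSA credential source in a CI job.
# AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE are the variables EKS injects
# into pods whose service account is annotated with an IAM role.

# Print the decoded payload (second segment) of a JWT given as $1.
jwt_payload() {
    seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')   # base64url -> base64
    case $(( ${#seg} % 4 )) in                              # restore padding
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | base64 -d 2>/dev/null
}

# check_irsa [min_ttl_seconds]
# Returns 0 when the web identity token is usable; otherwise prints a reason
# to stderr and returns 1-5. The token itself is never printed.
check_irsa() {
    min_ttl=${1:-60}
    if [ -z "${AWS_ROLE_ARN:-}" ]; then
        echo "IRSA: AWS_ROLE_ARN is not set" >&2; return 1
    fi
    if [ -z "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ]; then
        echo "IRSA: AWS_WEB_IDENTITY_TOKEN_FILE is not set" >&2; return 2
    fi
    if [ ! -r "$AWS_WEB_IDENTITY_TOKEN_FILE" ] || [ ! -s "$AWS_WEB_IDENTITY_TOKEN_FILE" ]; then
        echo "IRSA: token file missing, unreadable or empty" >&2; return 3
    fi
    token=$(cat "$AWS_WEB_IDENTITY_TOKEN_FILE")
    exp=$(jwt_payload "$token" |
        sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    if [ -z "$exp" ]; then
        echo "IRSA: token has no readable exp claim" >&2; return 4
    fi
    now=$(date +%s)
    if [ $(( exp - now )) -lt "$min_ttl" ]; then
        echo "IRSA: token expires in $(( exp - now ))s (< ${min_ttl}s)" >&2; return 5
    fi
    return 0
}
```

Calling check_irsa 300 || exit 1 in the job before terraform init makes a failed run state which input was missing, so a missing or expired token can be told apart from a problem inside Terraform's credential chain.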
    