Reputation: 141
Given existence of default in ~/.aws/credentials

    [default]
    aws_access_key_id=AFAKEYHFVDLCHVNOISYGV
    aws_secret_access_key=RApidgudsphAFaK+e97dslvxchnv

and a named profile called backendRole in ~/.aws/config

    [profile backendRole]
    role_arn=arn:aws:iam::123456789101:role/backend
    source_profile=default

Using aws cli, I confirm that default can assume backendRole and has permissions to an s3 bucket and dynamodb table by running:

    aws s3 ls s3://random-tf-state-bucket --profile backendRole
    aws dynamodb describe-table --table-name random-tf-state-lock-table --profile backendRole --region us-east-2

The above commands do not return (AccessDenied), thus confirming access.

Expectation:
According to terraform documentation/blog and given a main.tf file set up like the below:

    terraform {
      required_version = "1.0.4"
      required_providers {
        aws = {
          source  = "hashicorp/aws"
          version = "3.53.0"
        }
      }
    }

    # Backend settings are supplied at init time via -backend-config
    terraform {
      backend "s3" {
      }
    }

    provider "aws" {
      region                  = "us-east-1"
      profile                 = "default"
      shared_credentials_file = "~/.aws/credentials"
      assume_role {
        role_arn = "arn:aws:iam::123456789101:role/backend"
      }
    }

and s3.backend.tfvars file:

    bucket = "random-tf-state-bucket"
    key = "terraform.tfstate"
    region = "us-east-2"
    dynamodb_table = "random-tf-state-lock-table"
    encrypt = true

running terraform init -backend-config=s3.backend.tfvars should work.

Result:
Initializing the backend...
╷
│ Error: error configuring S3 Backend: no valid credential sources for S3 Backend found.
│
│ Please see https://www.terraform.io/docs/language/settings/backends/s3.html
│ for more information about providing credentials.
│
│ Error: NoCredentialProviders: no valid providers in chain. Deprecated.
│ For verbose messaging see aws.Config.CredentialsChainVerboseErrors
Question:
What step in this process am I missing?
Upvotes: 0
Views: 1252
Reputation: 141
Similar issue reported here was helpful in getting a solution.
Solution:
The key to resolving my error was realizing that Terraform allows you to use different profiles for configuring your S3 backend and CRUDing resources.
As this was the case in my Org, s3.backend.tfvars should have looked like:

    bucket = "random-tf-state-bucket"
    key = "terraform.tfstate"
    region = "us-east-2"
    dynamodb_table = "random-tf-state-lock-table"
    encrypt = true
    profile = "s3BackendAccountReadWriteProfile"

While the provider block should have looked like:

    provider "aws" {
      region                  = var.aws_region
      shared_credentials_file = "~/.aws/credentials"
      profile                 = "envDependentCrudProfile"
    }

So basically, I had to tell Terraform what profile to use when configuring our S3 backend (see updated s3.backend.tfvars) and also tell Terraform what profile to use when creating resources (see updated aws provider block).
Upvotes: 1
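
A pre-flight check for the point made in the answer above, as an added example that is not part of the original posts: it reads a backend-config file and the two AWS files and reports whether the backend's own `profile` resolves to static keys, directly or through a `source_profile` chain. The function names and the inline sample inputs are constructed for illustration; it assumes flat `key = value` tfvars and does not cover environment variables, SSO or `credential_process`.

```python
import configparser
import re

# Constructed inputs shaped like the files in the question (placeholder keys).
CREDENTIALS = "[default]\naws_access_key_id=EXAMPLEKEYID\naws_secret_access_key=EXAMPLESECRET\n"
CONFIG = "[profile backendRole]\nrole_arn=arn:aws:iam::123456789101:role/backend\nsource_profile=default\n"
TFVARS_NO_PROFILE = 'bucket = "random-tf-state-bucket"\nencrypt = true\n'
TFVARS_WITH_PROFILE = TFVARS_NO_PROFILE + 'profile = "backendRole"\n'

def parse_tfvars(text):
    """Parse flat `key = value` lines only (enough for a backend-config file)."""
    return dict(re.findall(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', text, re.M))

def load_profiles(credentials_text, config_text):
    """Merge both AWS files into {profile_name: settings}."""
    profiles = {}
    for text, is_config in ((credentials_text, False), (config_text, True)):
        cp = configparser.RawConfigParser()
        cp.read_string(text)
        for section in cp.sections():
            # ~/.aws/config writes named profiles as "[profile NAME]"
            named = is_config and section.startswith("profile ")
            name = section[len("profile "):] if named else section
            profiles.setdefault(name, {}).update(cp[section])
    return profiles

def check_backend_profile(tfvars_text, credentials_text, config_text):
    """Return a list of problems; empty means the backend profile resolves to static keys."""
    name = parse_tfvars(tfvars_text).get("profile")
    if name is None:
        return ["no profile in backend config; the provider block's profile is not applied to the backend"]
    profiles, seen = load_profiles(credentials_text, config_text), set()
    while name not in seen:
        seen.add(name)
        p = profiles.get(name)
        if p is None:
            return [f"profile {name!r} not found in credentials or config"]
        if "aws_access_key_id" in p and "aws_secret_access_key" in p:
            return []
        if "role_arn" not in p or "source_profile" not in p:
            return [f"profile {name!r} has neither static keys nor role_arn + source_profile"]
        name = p["source_profile"]
    return [f"source_profile loop at {name!r}"]

if __name__ == "__main__":
    print(check_backend_profile(TFVARS_NO_PROFILE, CREDENTIALS, CONFIG))
    print(check_backend_profile(TFVARS_WITH_PROFILE, CREDENTIALS, CONFIG))
```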