PR 128 breaks existing workflow

[ryan-dyer-sp]

Asking that #128 be reverted as this change has broken our existing authentication workflow.

We use a provider.tf that has both profile and assume_role

provider "aws" {
  region  = var.region
  profile = var.profile
  assume_role {
    role_arn = var.aws_role
  }
}

We execute terraform via two different mechanisms (local and CI/atlantis). For local users they have all of the profiles defined. However for CI, we do not have profiles defined and the "auth" workflow falls through to the assume_role.

Thanks,
Ryan

[lorengordon]

Seconding. We use the exact same setup.

[ryan-dyer-sp]

@gdavison ^^

[gdavison]

Hi @ryan-dyer-sp, thanks for raising this issue. This is the expected behaviour for the AWS Provider, starting with version 4. The Version 4 Upgrade Guide has more details on the changes in version 4.

By not pre-validating the profile, we can see problems such as hashicorp/terraform-provider-aws#23261. The AWS CLI also fails if an invalid --profile is passed to the command.

If you want to use either a profile or assume a role, you have a couple options:

• Set var.profile to an empty string when you want to assume the role
• Remove the profile setting from the provider configuration and set the profile either using the environment variable AWS_PROFILE (this is what I use day-to-day) or setting -var="profile=<your profile name>" on the command line