When using Terraform with an Identity Center user, the following error appears when running terraform plan: the SSO cache file that Terraform tries to read does not match the files that actually exist.
Error: SSOProviderInvalidToken: the SSO session has expired or is invalid
│ caused by: open /Users/akira_mba/.aws/sso/cache/edc32ef19620a3fb5c9976c9fa4846515bf78582.json: no such file or directory
1. Investigating the error
1-1. Checking the log with TF_LOG=DEBUG
No additional information was obtained.
% TF_LOG=DEBUG terraform plan
2025-01-05T16:33:21.679+0900 [DEBUG] provider.terraform-provider-random_v3.6.3_x5: marking computed attribute that is null in the config as unknown: tf_attribute_path="AttributeName(\"numeric\")" tf_provider_addr=registry.terraform.io/hashicorp/random tf_rpc=PlanResourceChange @caller=github.com/hashicorp/terraform-plugin-framework@v1.11.0/internal/fwserver/server_planresourcechange.go:467 @module=sdk.framework tf_req_id=24784639-eb0e-3d30-21b6-64964b107b51 tf_resource_type=random_string timestamp="2025-01-05T16:33:21.679+0900"
2025-01-05T16:33:21.681+0900 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2025-01-05T16:33:21.681+0900 [INFO] provider: plugin process exited: plugin=.terraform/providers/registry.terraform.io/hashicorp/random/3.6.3/darwin_arm64/terraform-provider-random_v3.6.3_x5 id=7112
2025-01-05T16:33:21.681+0900 [DEBUG] provider: plugin exited
2025-01-05T16:33:21.759+0900 [WARN] ValidateProviderConfig from "provider[\"registry.terraform.io/hashicorp/aws\"]" changed the config value, but that value is unused
2025-01-05T16:33:21.759+0900 [INFO] provider.terraform-provider-aws_v3.76.1_x5: 2025/01/05 16:33:21 [INFO] Attempting to use session-derived credentials: timestamp="2025-01-05T16:33:21.759+0900"
2025-01-05T16:33:21.760+0900 [ERROR] vertex "provider[\"registry.terraform.io/hashicorp/aws\"]" error: error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
Please see https://registry.terraform.io/providers/hashicorp/aws
for more information about providing credentials.
Error: SSOProviderInvalidToken: the SSO session has expired or is invalid
caused by: open /Users/akira_mba/.aws/sso/cache/edc32ef19620a3fb5c9976c9fa4846515bf78582.json: no such file or directory
2025-01-05T16:33:21.760+0900 [WARN] Planning encountered errors, so plan is not applyable
2025-01-05T16:33:21.760+0900 [INFO] backend/local: plan operation completed
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform planned the following actions, but then encountered a problem:
# random_string.db_password will be created
+ resource "random_string" "db_password" {
+ id = (known after apply)
+ length = 16
+ lower = true
+ min_lower = 0
+ min_numeric = 0
+ min_special = 0
+ min_upper = 0
+ number = true
+ numeric = true
+ result = (known after apply)
+ special = false
+ upper = true
}
Plan: 1 to add, 0 to change, 0 to destroy.
╷
│ Error: error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
│
│ Please see https://registry.terraform.io/providers/hashicorp/aws
│ for more information about providing credentials.
│
│ Error: SSOProviderInvalidToken: the SSO session has expired or is invalid
│ caused by: open /Users/akira_mba/.aws/sso/cache/edc32ef19620a3fb5c9976c9fa4846515bf78582.json: no such file or directory
│
│
│ with provider["registry.terraform.io/hashicorp/aws"],
│ on main.tf line 24, in provider "aws":
│ 24: provider "aws" {
│
╵
2025-01-05T16:33:21.765+0900 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2025-01-05T16:33:21.766+0900 [INFO] provider: plugin process exited: plugin=.terraform/providers/registry.terraform.io/hashicorp/aws/3.76.1/darwin_arm64/terraform-provider-aws_v3.76.1_x5 id=7111
2025-01-05T16:33:21.766+0900 [DEBUG] provider: plugin exited
%
1-2. Investigating the error message
- Terraform AWS Provider authentication error:
SSOProviderInvalidToken: the SSO session has expired or is invalid
Authentication fails because the SSO session Terraform is using has expired or is invalid.
- Mismatch in the referenced cache file:
- Cache file Terraform references:
/Users/akira_mba/.aws/sso/cache/edc32ef19620a3fb5c9976c9fa4846515bf78582.json
- Cache files that actually exist:
3d0ad7ecb64b6a773e2352eb9997f67fc7888354.json
4557fcb75f88c00ec62238a73ff49c2aacee47d7.json
2. Trying various things
2-1. Logging in to the AWS SSO session again
Suspecting that a stale SSO session was the cause, I inspected the cache files.
ls -al ~/.aws/sso/cache (checking the current state)
% ls -al ~/.aws/sso/cache
total 16
drwxr-xr-x@ 4 akira_mba staff 128 1 5 16:27 .
drwxr-xr-x@ 3 akira_mba staff 96 1 5 16:27 ..
-rw-------@ 1 akira_mba staff 2099 1 5 16:27 3d0ad7ecb64b6a773e2352eb9997f67fc7888354.json
-rw-------@ 1 akira_mba staff 1722 1 5 16:27 4557fcb75f88c00ec62238a73ff49c2aacee47d7.json
%
3d0ad7ecb64b6a773e2352eb9997f67fc7888354.json
4557fcb75f88c00ec62238a73ff49c2aacee47d7.json
are present.
aws sso logout, then ls -al ~/.aws/sso/cache
% aws sso logout
% ls -al ~/.aws/sso/cache
total 8
drwxr-xr-x@ 3 akira_mba staff 96 1 5 16:36 .
drwxr-xr-x@ 3 akira_mba staff 96 1 5 16:27 ..
-rw-------@ 1 akira_mba staff 1722 1 5 16:27 4557fcb75f88c00ec62238a73ff49c2aacee47d7.json
%
I do not fully understand the SSO cache, but aws sso logout deletes 3d0ad7ecb64b6a773e2352eb9997f67fc7888354.json.
aws sso login --sso-session tf-sso
Log in to the SSO session again and grant the request in the browser.
% aws sso login --sso-session tf-sso
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
https://device.sso.us-east-1.amazonaws.com/
Then enter the code:
XWGB-HSZJ
Successfully logged into Start URL: https://d-9067e05a18.awsapps.com/start
%
ls -al ~/.aws/sso/cache
% ls -al ~/.aws/sso/cache
total 16
drwxr-xr-x@ 4 akira_mba staff 128 1 5 16:37 .
drwxr-xr-x@ 3 akira_mba staff 96 1 5 16:27 ..
-rw-------@ 1 akira_mba staff 2099 1 5 16:37 3d0ad7ecb64b6a773e2352eb9997f67fc7888354.json
-rw-------@ 1 akira_mba staff 1722 1 5 16:27 4557fcb75f88c00ec62238a73ff49c2aacee47d7.json
%
3d0ad7ecb64b6a773e2352eb9997f67fc7888354.json
has been generated again.
terraform plan
Plan: 1 to add, 0 to change, 0 to destroy.
╷
│ Error: error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
│
│ Please see https://registry.terraform.io/providers/hashicorp/aws
│ for more information about providing credentials.
│
│ Error: SSOProviderInvalidToken: the SSO session has expired or is invalid
│ caused by: open /Users/akira_mba/.aws/sso/cache/edc32ef19620a3fb5c9976c9fa4846515bf78582.json: no such file or directory
│
│
│ with provider["registry.terraform.io/hashicorp/aws"],
│ on main.tf line 24, in provider "aws":
│ 24: provider "aws" {
│
The problem is not resolved: Terraform still tries to read edc32ef19620a3fb5c9976c9fa4846515bf78582.json.
2-2. Checking various other things
- Checked the profile in the .aws/config file
- Checked the provider block in main.tf. I had seen information that the aws provider must be version 3.26 or later, so I changed it → the problem was not resolved
terraform {
  required_version = ">=0.13"
  required_providers {
    aws = {
      source = "hashicorp/aws"
      #version = "~> 3.0"
      version = "~> 3.26"
    }
  }
  backend "s3" {
    bucket  = "terraform-test-trfstate"
    key     = "tf-test.tfstate"
    region  = "ap-northeast-1"
    profile = "tf-sso_profile"
  }
}
3. (Last resort) Manually updating the cache file
- The previous step revealed which cache file is generated at sso login, so as a long shot I tried changing its file name to the one Terraform was looking for.
- Renaming did not work, so I used cp instead
cp ~/.aws/sso/cache/3d0ad7ecb64b6a773e2352eb9997f67fc7888354.json ~/.aws/sso/cache/edc32ef19620a3fb5c9976c9fa4846515bf78582.json
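To see why the CLI and Terraform ended up looking for different files (the mismatch from 1-2 that the cp above papers over), the following added script, which is not from the original post, derives the SSO token cache file names for a profile and checks them against a directory listing. It assumes the naming scheme botocore (the AWS CLI) uses, SHA-1 of the sso-session name when the profile references an [sso-session] block and SHA-1 of the sso_start_url for the legacy profile-only layout; the config text and the on-disk listing are constructed samples, with the start URL, account ID and role as placeholders.

```python
import configparser
import hashlib

# Added example, not code from the original post. Assumption (botocore's
# behaviour as I understand it, not stated on the page): the token cache file
# is sha1(<sso-session name>).json for a profile that uses an [sso-session]
# block, and sha1(<sso_start_url>).json for the legacy profile-only layout.

# Constructed sample ~/.aws/config. Session and profile names follow the post;
# the start URL, account ID and role name are placeholders.
SAMPLE_CONFIG = """
[sso-session tf-sso]
sso_start_url = https://EXAMPLE-START-URL.awsapps.com/start
sso_region = us-east-1

[profile tf-sso_profile]
sso_session = tf-sso
sso_account_id = 123456789012
sso_role_name = PLACEHOLDER_ROLE
region = ap-northeast-1
"""

def cache_key(value: str) -> str:
    """Cache file name: hex SHA-1 of the UTF-8 string, plus .json."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest() + ".json"

def candidate_cache_files(config_text: str, profile: str) -> dict:
    """File names a session-aware client and a legacy (start-URL keyed)
    client would each look for when using `profile`."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    prof = cfg[f"profile {profile}"]
    session = prof.get("sso_session")
    if not session:  # legacy layout: the start URL lives in the profile itself
        return {"legacy": cache_key(prof["sso_start_url"])}
    start_url = cfg[f"sso-session {session}"]["sso_start_url"]
    return {"session": cache_key(session), "legacy": cache_key(start_url)}

def diagnose(config_text: str, profile: str, files_on_disk: set) -> dict:
    """Report, per candidate name, whether it exists in the cache directory.
    'session' present but 'legacy' missing is the pattern seen in the post."""
    return {kind: (name, name in files_on_disk)
            for kind, name in candidate_cache_files(config_text, profile).items()}

if __name__ == "__main__":
    on_disk = {cache_key("tf-sso")}  # constructed listing: only the session file
    for kind, (name, ok) in diagnose(SAMPLE_CONFIG, "tf-sso_profile", on_disk).items():
        print(f"{kind:8s} {name}  {'present' if ok else 'MISSING'}")
```

Replacing SAMPLE_CONFIG with the contents of ~/.aws/config and on_disk with os.listdir of ~/.aws/sso/cache turns this into a check that can be run before terraform plan.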
4. Verification
Running terraform plan again confirmed that authentication now succeeds.
% t plan
data.aws_prefix_list.s3_pl: Reading...
data.aws_iam_policy_document.ec2_assume_role: Reading...
data.aws_ami.app: Reading...
data.aws_iam_policy_document.ec2_assume_role: Read complete after 0s [id=1903849331]
data.aws_prefix_list.s3_pl: Read complete after 1s [id=pl-61a54008]
data.aws_ami.app: Read complete after 1s [id=ami-0dbca050974482176]
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
<<omitted>>
Plan: 48 to add, 0 to change, 0 to destroy.
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.
%
5. Open issues
I do not fully understand how the SSO authentication mechanism works. There is little information about Identity Center, and I could not find anything about this issue on the internet either, so I dealt with it by the last-resort approach of updating the cache file name.