Bobcares

No valid credential sources for Terraform

by | Dec 20, 2022

Wondering how to resolve no valid credential sources for Terraform? Our AWS Support team is here to lend a hand with your queries and issues.

How to resolve No valid credential sources for Terraform?

Typically, the error looks like the following, even though valid credentials are provided.

no valid credential sources for Terraform AWS Provider found

Usually, the error occurs when the AWS provider cannot connect to the EC2 metadata server for authentication because the instance's http-put-response-hop-limit does not allow enough hops.

Today, let us see the steps followed by our Support techs to resolve it:

  • Either downgrade to AWS provider release 3.74 or any previously used and working release,

  • or modify the affected EC2 instance's metadata options and increase http-put-response-hop-limit.

How to increase HttpPutResponseHopLimit 

Enabling IMDSv2 on an instance requires the use of the AWS CLI version 2.

The AWS CLI will also need to be configured to connect to the AWS account and region where the Terraform Enterprise instance/TF Cloud Agent is deployed.

Once AWS CLI version 2 has been configured, the only other piece of required information is the Terraform Enterprise INSTANCE_ID.

Getting the INSTANCE_ID is usually easiest from the EC2 Service in the AWS Console, but can also be done by reviewing the output from the aws ec2 describe-instances command.

$ aws ec2 describe-instances

With the INSTANCE_ID for the Terraform Enterprise instance, the AWS CLI modify-instance-metadata-options command can now be used to enable/require IMDSv2 and set the http-put-response-hop-limit option to the desired value.

Note that $TFE_INSTANCE_ID must be replaced with the target INSTANCE_ID for the Terraform Enterprise instance, and the value for http-put-response-hop-limit may change based on the instance's environment.

$ aws ec2 modify-instance-metadata-options \
--instance-id $TFE_INSTANCE_ID \
--http-tokens required \
--http-endpoint enabled \
--http-put-response-hop-limit 2

The output will be similar to the following:

{
    "InstanceId": "i-06e95fec9e1cc4ff4",
    "InstanceMetadataOptions": {
        "State": "pending",
        "HttpTokens": "required",
        "HttpPutResponseHopLimit": 2,
        "HttpEndpoint": "enabled"
    }
}

These settings can be verified using the following command; the State should eventually transition to applied.

$ aws ec2 describe-instances --instance-ids $TFE_INSTANCE_ID

The command returns long output that can be scrolled through; it contains the following section showing the MetadataOptions and their settings.

"MetadataOptions": {
    "State": "applied",
    "HttpTokens": "optional",
    "HttpPutResponseHopLimit": 2,
    "HttpEndpoint": "enabled"
}

After the instance metadata HttpPutResponseHopLimit has been increased, runs should continue without errors.
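To check the same MetadataOptions fields across several instances without scrolling through the output, the following added example (not part of the original article) parses `aws ec2 describe-instances` JSON and flags instances whose hop limit, token requirement, endpoint or State differ from the settings applied above. The function name, the finding codes, the `min_hop_limit` threshold and the sample instance IDs are assumptions constructed for illustration.

```python
import json
import sys

# Constructed sample in the shape of `aws ec2 describe-instances` output.
# Instance IDs are made up for illustration; they are not from the article.
SAMPLE = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0example0000000001", "MetadataOptions": {
        "State": "applied", "HttpTokens": "required",
        "HttpPutResponseHopLimit": 2, "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0example0000000002", "MetadataOptions": {
        "State": "applied", "HttpTokens": "optional",
        "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0example0000000003", "MetadataOptions": {
        "State": "pending", "HttpTokens": "required",
        "HttpPutResponseHopLimit": 2, "HttpEndpoint": "enabled"}},
]}]})

MESSAGES = {
    "endpoint-disabled": "IMDS endpoint is off; no instance credentials",
    "imdsv1-allowed": "HttpTokens is not 'required'; IMDSv1 still accepted",
    "hop-limit-low": "hop limit below threshold; token reply may not "
                     "reach an agent behind an extra network hop",
    "state-not-applied": "metadata change has not reached 'applied' yet",
}

def audit_metadata_options(describe_json, min_hop_limit=2):
    """Map each instance ID to a list of finding codes (empty list = clean)."""
    report = {}
    for reservation in json.loads(describe_json).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            found = []
            if opts.get("HttpEndpoint") != "enabled":
                found.append("endpoint-disabled")
            if opts.get("HttpTokens") != "required":
                found.append("imdsv1-allowed")
            if opts.get("HttpPutResponseHopLimit", 1) < min_hop_limit:
                found.append("hop-limit-low")
            if opts.get("State") != "applied":
                found.append("state-not-applied")
            report[inst["InstanceId"]] = found
    return report

if __name__ == "__main__":
    # Pipe real CLI output in, or run without redirected stdin to use the sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for instance_id, found in audit_metadata_options(data).items():
        print(instance_id, "OK" if not found else "")
        for code in found:
            print("   ", code + ":", MESSAGES[code])
```

Saved under any file name, the script can take real data by piping the output of `aws ec2 describe-instances` into it.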

Conclusion

To sum up, our Support Engineers demonstrated how to resolve No valid credential sources for Terraform with ease.
