S3 remote_state with assume_role_with_web_identity fails #5148

@Tedlar

Description

Describe the bug

S3 remote_state block with assume_role_with_web_identity configured is failing while its generate counterpart is working fine.

Reproducing bugs

We are currently trying to switch from IRSA authentication to OIDC.
I modified the remote_state block following the documentation, but terragrunt is failing to authenticate.

Steps To Reproduce

Failing configuration

remote_state {
  backend = "s3"
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite"
  }
  config = {
    bucket         = "xxx"
    key            = "xxx"
    region         = "xxx"
    encrypt        = true
    use_lockfile   = true

    assume_role_with_web_identity = {
      role_arn                = "arn:aws:iam::${local.aws_account_id}:role/terragrunt"
      web_identity_token_file = "/tmp/web-identity-token"
    }
  }
}

Error

ERROR  error checking access to S3 bucket xxx: Forbidden: Forbidden
	status code: 403

Working configuration

generate "backend" {
  path      = "backend.tf"
  if_exists = "overwrite"
  contents  = <<-EOF
    terraform {
      backend "s3" {
        bucket = "xxx"
        key    = "xxx"
        region = "xxx"
        encrypt        = true
        use_lockfile   = true

        assume_role_with_web_identity = {
          role_arn                = "arn:aws:iam::${local.aws_account_id}:role/terragrunt"
          web_identity_token_file = "/tmp/web-identity-token"
        }
      }
    }
  EOF
}

Also, the IRSA configuration for remote_state is working fine:

remote_state {
  backend = "s3"
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite"
  }
  config = {
    bucket         = "xxx"
    key            = "xxx"
    region         = "xxx"
    encrypt        = true
    use_lockfile   = true

    assume_role = {
      role_arn = "arn:aws:iam::${local.aws_account_id}:role/terragrunt"
    }
  }
}

Expected behavior

The remote_state block should work the same way as its generate counterpart.

Versions

  • Terragrunt version: 0.84.1
  • OpenTofu/Terraform version: 1.10.0

Additional context

Was this issue solved in newer versions of terragrunt?
We have not updated the terragrunt version yet because our automation uses arguments removed in 0.85.0.
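One way to narrow down a 403 from the web-identity path before blaming terragrunt is to inspect the token that `web_identity_token_file` points at: STS rejects the AssumeRoleWithWebIdentity call when the token's `iss` or `aud` does not match the role's trust policy, or when it has expired. The following checker is an added example, not code from the issue or from terragrunt; the issuer and audience values are assumptions standing in for whatever the role's trust policy requires, and the signature is deliberately not verified (that is STS's job), so this only tells you what the token claims about itself.

```python
import base64
import json
import time

# Path used in the remote_state block from the issue; only read when run as a script.
TOKEN_FILE = "/tmp/web-identity-token"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS token without verifying the signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_web_identity_token(token: str, expected_iss: str, expected_aud: str, now=None) -> list:
    """List the claim mismatches that would make STS refuse this token for a role
    whose trust policy requires expected_iss / expected_aud. Empty list means the
    claims look consistent; a 403 then points at the role, policy or bucket side."""
    now = time.time() if now is None else now
    claims = decode_jwt_claims(token)
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append(f"iss {claims.get('iss')!r} != expected {expected_iss!r}")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        problems.append(f"aud {aud!r} does not include expected {expected_aud!r}")
    exp = claims.get("exp")
    if exp is None or exp <= now:
        problems.append(f"token expired or missing exp (exp={exp}, now={int(now)})")
    return problems


def make_unsigned_token(claims: dict) -> str:
    # Constructed test helper: builds an alg=none token with an empty signature so the
    # checker can be exercised offline. STS would never accept such a token.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    with open(TOKEN_FILE) as fh:  # assumed path; adjust to your token file
        print(check_web_identity_token(fh.read(), "https://oidc.example", "sts.amazonaws.com"))
```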

Labels: bug (Something isn't working)