### Terraform Version ```shell Terraform v1.5.5 on darwin_arm64 ``` ### Terraform Configuration Files ```terraform terraform { required_version = "~> 1.5" backend "s3" { region = "us-east-1" bucket = "my-state-bucket" key = "path/to/terraform.tfstate" encrypt = true dynamodb_table = "terraform-lock-table" profile = "local-backend" shared_credentials_file = "/path/to/local/credentials" } required_providers { aws = { source = "hashicorp/aws" version = "~> 5.0" } } } ``` ```bash # ~/.aws/credentials [global-backend] credential_process = /usr/local/bin/custom-credentials-process ``` ```bash # /path/to/local/credentials [local-backend] credential_process = /usr/local/bin/custom-credentials-process ``` ### Debug Output ``` 2023-09-14T10:44:35.140-0600 [INFO] Terraform version: 1.5.5 2023-09-14T10:44:35.140-0600 [DEBUG] using github.com/hashicorp/go-tfe v1.26.0 2023-09-14T10:44:35.140-0600 [DEBUG] using github.com/hashicorp/hcl/v2 v2.16.2 2023-09-14T10:44:35.140-0600 [DEBUG] using github.com/hashicorp/terraform-svchost v0.1.0 2023-09-14T10:44:35.140-0600 [DEBUG] using github.com/zclconf/go-cty v1.12.2 2023-09-14T10:44:35.140-0600 [INFO] Go runtime version: go1.20.7 2023-09-14T10:44:35.140-0600 [INFO] CLI args: []string{"/opt/homebrew/Cellar/tfenv/3.0.0/versions/1.5.5/terraform", "init"} 2023-09-14T10:44:35.140-0600 [TRACE] Stdout is a terminal of width 320 2023-09-14T10:44:35.140-0600 [TRACE] Stderr is a terminal of width 320 2023-09-14T10:44:35.140-0600 [TRACE] Stdin is a terminal 2023-09-14T10:44:35.140-0600 [DEBUG] Attempting to open CLI config file: /Users/jcarlson/.terraformrc 2023-09-14T10:44:35.140-0600 [INFO] Loading CLI configuration from /Users/jcarlson/.terraformrc 2023-09-14T10:44:35.141-0600 [INFO] Loading CLI configuration from /Users/jcarlson/.terraform.d/credentials.tfrc.json 2023-09-14T10:44:35.142-0600 [DEBUG] ignoring non-existing provider search directory terraform.d/plugins 2023-09-14T10:44:35.142-0600 [DEBUG] ignoring non-existing provider search directory /Users/jcarlson/.terraform.d/plugins 2023-09-14T10:44:35.142-0600 [DEBUG] ignoring non-existing provider search directory /Users/jcarlson/Library/Application Support/io.terraform/plugins 2023-09-14T10:44:35.142-0600 [DEBUG] ignoring non-existing provider search directory /Library/Application Support/io.terraform/plugins 2023-09-14T10:44:35.143-0600 [INFO] CLI command args: []string{"init"} Initializing the backend... 2023-09-14T10:44:35.145-0600 [TRACE] Meta.Backend: built configuration for "s3" backend with hash value 1229001865 2023-09-14T10:44:35.145-0600 [TRACE] Meta.Backend: backend has not previously been initialized in this working directory 2023-09-14T10:44:35.145-0600 [DEBUG] New state was assigned lineage "9a942f48-8f96-d3af-74bc-4cd559c01f43" 2023-09-14T10:44:35.145-0600 [TRACE] Meta.Backend: moving from default local state only to "s3" backend 2023-09-14T10:44:35.145-0600 [DEBUG] checking for provisioner in "." 2023-09-14T10:44:35.145-0600 [DEBUG] checking for provisioner in "/opt/homebrew/Cellar/tfenv/3.0.0/versions/1.5.5" 2023-09-14T10:44:35.145-0600 [TRACE] backend/local: state manager for workspace "default" will: - read initial snapshot from terraform.tfstate - write new snapshots to terraform.tfstate - create any backup at terraform.tfstate.backup 2023-09-14T10:44:35.145-0600 [TRACE] statemgr.Filesystem: reading initial snapshot from terraform.tfstate 2023-09-14T10:44:35.145-0600 [TRACE] statemgr.Filesystem: snapshot file has nil snapshot, but that's okay 2023-09-14T10:44:35.145-0600 [TRACE] statemgr.Filesystem: read nil snapshot 2023-09-14T10:44:35.145-0600 [TRACE] Meta.Backend: ignoring local "default" workspace because its state is empty 2023-09-14T10:44:35.147-0600 [INFO] Attempting to use session-derived credentials ╷ │ Error: error configuring S3 Backend: no valid credential sources for S3 Backend found. │ │ Please see https://www.terraform.io/docs/language/settings/backends/s3.html │ for more information about providing credentials. │ │ Error: NoCredentialProviders: no valid providers in chain. Deprecated. │ For verbose messaging see aws.Config.CredentialsChainVerboseErrors │ │ │ ╵ ``` ### Expected Behavior Terraform should respect the `credential_process` specified in `/path/to/local/credentials` to generate AWS credentials on-demand. ### Actual Behavior Terraform is unable to locate AWS credentials. ### Steps to Reproduce 1. `terraform init` ### Additional Context According to the [AWS documentation](https://docs.aws.amazon.com/sdkref/latest/guide/feature-process-credentials.html), the `credential_process` configuration option is supported only in a shared `config` file and not a shared `credentials` file. However, in the sample code above, replacing ``` profile = "local-backend" shared_credentials_file = "/path/to/local/credentials" ``` with ``` profile = "global-backend" ``` does work as expected. The behavior here is inconsistent. When using a global shared credentials file at the default location `~/.aws/credentials` the `credential_process` option works as expected, but when using a custom shared credentials file, such as `/path/to/custom/credentials`, it does not work. Ideally, the `s3` backend configuration block would support `shared_config_files` and `shared_credential_files` in the same manner that the `aws` provider [supports both](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#argument-reference). ### References _No response_