Terraform: Document full AWS credential chain for S3 module sources #2322
kevinburkesegment wants to merge 2 commits into hashicorp:main from
trujillo-adam left a comment
Thanks for making this update. I added a few suggestions for consistency with the style guide.
I only commented on the v1.1 version of the file until we've settled on the final text.
I already mentioned this on the v1.12 file, but this information is documented in the following section for v1.12 and newer:
https://developer.hashicorp.com/terraform/language/block/module#s3-bucket
You can leave it for the education team, but feel free to remove /terraform/language/modules/sources for newer versions. The site already redirects, so there should be no impact.
| Terraform uses the [default AWS credential provider chain](https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html#credentialProviderChain) | ||
| from the AWS SDK to locate credentials. This includes, in order of precedence: | ||
| environment variables (`AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, or | ||
| `AWS_PROFILE` to select a named profile), the shared credentials file at | ||
| `~/.aws/credentials`, the shared config file at `~/.aws/config` (including SSO | ||
| and assume-role configuration), and container or EC2 instance profile | ||
| credentials (IMDS) when running on AWS compute. |
| Terraform uses the [default AWS credential provider chain](https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html#credentialProviderChain) | |
| from the AWS SDK to locate credentials. This includes, in order of precedence: | |
| environment variables (`AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, or | |
| `AWS_PROFILE` to select a named profile), the shared credentials file at | |
| `~/.aws/credentials`, the shared config file at `~/.aws/config` (including SSO | |
| and assume-role configuration), and container or EC2 instance profile | |
| credentials (IMDS) when running on AWS compute. | |
| Terraform uses the [default AWS credential provider chain](https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html#credentialProviderChain) | |
| from the AWS SDK to locate credentials. In order of precedence, this includes: | |
| 1. Either `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, or | |
| `AWS_PROFILE` environment variables. The `AWS_PROFILE` environment variable selects a named profile. | |
| 1. Shared credentials file at`~/.aws/credentials`. | |
| 1. Shared configuration file at `~/.aws/config`, including SSO and assume-role configuration. | |
| 1. Container or EC2 instance profile credentials (IMDS) when running on AWS compute. |
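Review bot: In the suggested list, item 1 presents `AWS_PROFILE` as an alternative to `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, but the following sentence says it only selects a named profile, so it is not a credential source with its own place in the precedence order. Consider moving it to the shared-file items (2 and 3) as the way to choose which profile they read. Item 2 is also missing a space in "file at`~/.aws/credentials`", and item 3 lists SSO and assume-role but not web-identity, which the commit message names as part of the shared config.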
Numbered list is probably the best format.
| - `aws_profile` — use a named profile from the shared config, for example | ||
| `s3::https://bucket.s3.amazonaws.com/module.zip?aws_profile=dev`. | ||
| - `aws_access_key_id`, `aws_access_key_secret`, and `aws_access_token` — pass | ||
| static credentials inline. Avoid committing these to version control. |
| - `aws_profile` — use a named profile from the shared config, for example | |
| `s3::https://bucket.s3.amazonaws.com/module.zip?aws_profile=dev`. | |
| - `aws_access_key_id`, `aws_access_key_secret`, and `aws_access_token` — pass | |
| static credentials inline. Avoid committing these to version control. | |
| - `aws_profile`: Specifies a named profile from the shared configuration, for example | |
| `s3::https://bucket.s3.amazonaws.com/module.zip?aws_profile=dev`. | |
| - `aws_access_key_id`, `aws_access_key_secret`, and `aws_access_token`: Pass | |
| static credentials inline. Do not commit these to version control. |
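Review bot: The `aws_access_key_id`, `aws_access_key_secret`, and `aws_access_token` bullet warns only about version control, yet these values sit in the module source address itself and so go wherever that string goes. Consider stating that `aws_profile` or the default chain is preferred and that inline static credentials are a last resort. The bullet also does not say what `aws_access_token` holds, and the `aws_profile` bullet says "shared configuration" without naming `~/.aws/config` or `~/.aws/credentials` the way the credential chain list does.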
| - The default profile in the `.aws/credentials` file in your home directory. | ||
| - If running on an EC2 instance, temporary credentials associated with the | ||
| instance's IAM Instance Profile. | ||
| Terraform uses the [default AWS credential provider chain](https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html#credentialProviderChain) |
I thought we had removed this page, but since v1.12, this information has lived at https://developer.hashicorp.com/terraform/language/block/module#s3-bucket.
Can you copy the changes to the files for v1.12 and newer? The site should already redirect to the main instructions for using modules.
The module sources page listed only AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, the default shared-credentials profile, and EC2 instance profiles. go-getter has used the AWS SDK default credential chain since v1.5.0 (2020), which Terraform has shipped since v1.0.0. That chain also honors AWS_PROFILE, shared config (SSO, assume-role, web-identity), and container credentials.

Replace the list with a pointer to the AWS SDK default credential provider chain and document the aws_profile and static-credential URL query parameters supported by go-getter. Applied to every versioned copy (v1.1.x-v1.15.x rc).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Apply trujillo-adam's suggestions from PR hashicorp#2322:

- Convert the credential chain paragraph into a numbered list.
- Switch the URL query parameter bullets from em-dashes to colon-prefixed sentences.
- Copy the updated content to content/terraform/v1.12.x+/docs/language/block/module.mdx, where the S3 instructions live in newer versions.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
28ee35a to 35ee28b
The module sources page listed only AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, the default shared-credentials profile, and EC2 instance profiles. go-getter has used the AWS SDK default credential chain since v1.5.0 (2020), which Terraform has shipped since v1.0.0. That chain also honors AWS_PROFILE, shared config (SSO, assume-role, web-identity), and container credentials.
Replace the list with a pointer to the AWS SDK default credential provider chain and document the aws_profile and static-credential URL query parameters supported by go-getter. Applied to every versioned copy (v1.1.x-v1.15.x rc).
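A check for the inline static credentials that the description above documents, as an added example that is not part of the PR or of go-getter: it scans Terraform configuration text for `s3::` module sources carrying `aws_access_key_id`, `aws_access_key_secret` or `aws_access_token` and reports the parameter names with the query string stripped. The function names, the regex-based `source` matching and the sample configuration are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Static-credential query parameters named in the PR description.
var credentialParams = []string{"aws_access_key_id", "aws_access_key_secret", "aws_access_token"}

// Matches `source = "..."` assignments in Terraform configuration text.
var sourceRe = regexp.MustCompile(`\bsource\s*=\s*"([^"]+)"`)

// InlineCredentials returns the source without its query string (safe to log)
// and the credential parameters it carried. Only the explicit "s3::" form is
// handled; other or unparseable sources are skipped.
func InlineCredentials(source string) (redacted string, params []string) {
	u, err := url.Parse(strings.TrimPrefix(source, "s3::"))
	if err != nil || !strings.HasPrefix(source, "s3::") {
		return "", nil
	}
	q := u.Query()
	for _, p := range credentialParams {
		if _, ok := q[p]; ok {
			params = append(params, p)
		}
	}
	u.RawQuery = ""
	return "s3::" + u.String(), params
}

// ScanConfig maps each redacted S3 source that embeds credentials to the parameter names found.
func ScanConfig(config string) map[string][]string {
	findings := map[string][]string{}
	for _, m := range sourceRe.FindAllStringSubmatch(config, -1) {
		if redacted, params := InlineCredentials(m[1]); len(params) > 0 {
			findings[redacted] = params
		}
	}
	return findings
}

// sample is constructed for this example; the credential values are placeholders.
const sample = `module "ok" { source = "s3::https://bucket.s3.amazonaws.com/module.zip?aws_profile=dev" }
module "bad" { source = "s3::https://bucket.s3.amazonaws.com/other.zip?aws_access_key_id=PLACEHOLDER&aws_access_key_secret=PLACEHOLDER" }`

func main() { fmt.Println(ScanConfig(sample)) }
```

Sources that select credentials with `aws_profile` or rely on the default chain produce no finding, since nothing secret is in the address.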