
[Bug]: Validation for assume_role_with_web_identity does not permit usage of documented environment variable AWS_WEB_IDENTITY_TOKEN_FILE #37401

Open
@derekheld

Description

Terraform Core Version

1.8.3

AWS Provider Version

5.48.0

Affected Resource(s)

Provider configuration

Expected Behavior

Provider is able to use the environment variable AWS_WEB_IDENTITY_TOKEN_FILE to obtain the path to a file containing a JWT token.

Actual Behavior

The provider does not use the environment variable and errors out due to a validation failure.

Relevant Error/Panic Output Snippet

│ Error: Invalid combination of arguments
│ 
│   with provider["registry.terraform.io/hashicorp/aws"],
│   on provider.tf line 38, in provider "aws":
│   38:   assume_role_with_web_identity {
│ 
│ "assume_role_with_web_identity.0.web_identity_token_file": one of
│ `assume_role_with_web_identity.0.web_identity_token,assume_role_with_web_identity.0.web_identity_token_file`
│ must be specified
╵

Terraform Configuration Files

Example affected configuration:

provider "aws" {
  assume_role_with_web_identity {
    role_arn                = "arn:aws:iam::123456789012:role/ROLE_NAME"
    session_name            = "SESSION_NAME"
  }
}

Steps to Reproduce

  1. Create a role in AWS with a trust policy allowing a web identity to assume the role
  2. Obtain an identity token for the web identity permitted by the trust policy and store it in a file
  3. Set the environment variable AWS_WEB_IDENTITY_TOKEN_FILE with the path to the file
  4. Configure the aws provider with the assume_role_with_web_identity block and provide the ARN for the role created earlier as role_arn inside that block
  5. Attempt a terraform operation (such as a plan) that would authenticate to AWS

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

Per: https://registry.terraform.io/providers/hashicorp/aws/latest/docs#assume-role-with-web-identity-configuration-reference
The environment variable AWS_WEB_IDENTITY_TOKEN_FILE can be set to provide the path to a file containing the identity token.

The validation code:


requires EITHER web_identity_token or web_identity_token_file to be set as part of the provider configuration.

Would you like to implement a fix?

None
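As an added example (not part of the report above, nor the provider's own code): the error message states that one of web_identity_token or web_identity_token_file must be specified, so naming the token file explicitly in the block satisfies the validation while the environment variable is ignored. The configuration below pairs that provider block with a trust policy for step 1 of the reproduction. The region, role ARN, session name, token file path, OIDC provider hostname/ID, audience and subject are all placeholders chosen for the example; the aud/sub conditions are the part a practitioner should not leave out, because a trust policy that only names the issuer lets any token from that issuer assume the role.

```hcl
# provider.tf (added example; the values are placeholders, not from the issue)
#
# Setting web_identity_token_file explicitly satisfies the provider validation
# that currently rejects relying on AWS_WEB_IDENTITY_TOKEN_FILE alone. The path
# shown is where a Kubernetes projected service-account token is typically
# mounted; adjust it to wherever your token file is written.
provider "aws" {
  region = "us-east-1"

  assume_role_with_web_identity {
    role_arn                = "arn:aws:iam::123456789012:role/ROLE_NAME"
    session_name            = "SESSION_NAME"
    web_identity_token_file = "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"
  }
}

# bootstrap/iam.tf (added example, applied separately with whatever credentials
# create the role; it cannot live in the same root module that assumes the role)
#
# Trust policy for step 1 of the reproduction. The OIDC provider ARN, issuer
# hostname and the aud/sub values are assumptions for illustration. Without the
# Condition block every token issued by this provider could assume the role, so
# the audience and subject are pinned to the single workload that runs Terraform.
locals {
  oidc_provider_arn  = "arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
  oidc_provider_host = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
}

resource "aws_iam_role" "terraform_web_identity" {
  name = "ROLE_NAME"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Federated = local.oidc_provider_arn
        }
        Action = "sts:AssumeRoleWithWebIdentity"
        Condition = {
          StringEquals = {
            # Only tokens minted for this audience and this exact subject qualify.
            "${local.oidc_provider_host}:aud" = "sts.amazonaws.com"
            "${local.oidc_provider_host}:sub" = "system:serviceaccount:ci:terraform"
          }
        }
      }
    ]
  })
}
```

With the provider block above, `terraform plan` proceeds past the "Invalid combination of arguments" error; the token file is still read at plan time, so the file must exist and hold a currently valid JWT for the role's issuer.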

Metadata

Assignees

No one assigned

Labels

  - authentication: Pertains to authentication; to the provider itself or otherwise.
  - bug: Addresses a defect in current functionality.
  - provider: Pertains to the provider itself, rather than any interaction with AWS.

    Milestone

    No milestone

    Development

    No branches or pull requests
