Skip to content

fix: Scope plan storage AWS credentials to prevent Atmos auth interference #93

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
milldr wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix: Scope plan storage AWS credentials to prevent Atmos auth interference #93

milldr wants to merge 1 commit into from

Conversation

@milldr
Copy link
Member

@milldr milldr commented Dec 4, 2025

What

Use output-credentials: true mode for plan storage credential configuration and pass credentials explicitly via step-level env: vars to the plan storage steps.

Why

When using Atmos auth for Terraform operations (instead of the terraform-apply-role setting), the AWS credentials configured for plan storage (S3/DynamoDB access) were persisting in environment variables and taking precedence over Atmos' authentication mechanism.

This caused authentication failures when:

  1. terraform-apply-role was not configured in gitops settings
  2. Atmos auth was expected to handle role assumption for the target account
  3. Plan storage credentials remained in AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN

Changes

  • Add output-credentials: true to plan storage credential configuration step
  • Add step id plan-storage-credentials for referencing credential outputs
  • Pass AWS credentials explicitly via env: to "Retrieve Plan" and "Retrieve Lockfile" steps
  • Rename second credential configuration step to "Configure Apply AWS Credentials" for clarity

@milldr milldr requested review from a team as code owners December 4, 2025 22:04
@milldr milldr force-pushed the fix/clear-aws-credentials-before-atmos branch from e08101f to 8bafd3f Compare December 4, 2025 22:18
jamengual
jamengual reviewed Dec 5, 2025
View reviewed changes
action.yml
Comment on lines +291 to +292
output-credentials: true
output-env-credentials: false
Copy link
Contributor

@jamengual jamengual Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

will this output the ENV var values to the console?

Copy link
Member Author

@milldr milldr Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, it won't expose the credential values. The aws-actions/configure-aws-credentials action automatically masks the credential outputs, so they appear as *** if they ever show up in output.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jamengual jamengual jamengual left review comments

@joe-niland joe-niland Awaiting requested review from joe-niland joe-niland is a code owner automatically assigned from cloudposse/contributors

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@milldr @jamengual