Terraform "No valid credential sources found" (AWS) in CI
The AWS provider could not find any credentials to authenticate with. The runner has no role assumed, no environment keys, and no profile - so every API call fails before doing real work.
What this error means
plan or apply fails immediately with "No valid credential sources found for AWS Provider" or a credential-refresh error. It is environment-specific - it works locally with your profile but fails on a bare runner.
Error: No valid credential sources found for AWS Provider.
Please see https://registry.terraform.io/providers/hashicorp/aws for more
information about providing credentials.
Error: failed to refresh cached credentials, no EC2 IMDS role foundCommon causes
No credentials configured on the runner
A hosted runner has no AWS profile or instance role by default. Without OIDC role assumption or injected keys, the provider has nothing to use.
OIDC role assumption not wired up
If you rely on GitHub OIDC but the configure-aws-credentials step or id-token: write permission is missing, no role is assumed.
Expired or unset access keys
Static keys that expired, or env vars that were never set in the job, leave the provider unauthenticated.
How to fix it
Assume a role via OIDC (recommended)
Use short-lived credentials from GitHub OIDC - no long-lived secrets to manage.
permissions:
id-token: write
contents: read
steps:
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::123456789012:role/ci-terraform
aws-region: us-east-1Confirm credentials are in effect
Add an early identity check so a credential gap fails fast and clearly.
aws sts get-caller-identityHow to prevent it
- Use OIDC role assumption instead of long-lived AWS keys in CI.
- Add
aws sts get-caller-identityas an early sanity check. - Set
id-token: writeandaws-regionso the credential step actually runs.