GaryT (New Contributor)
3 months ago
Terraform plugin troubleshooting
I am troubleshooting some credential issues with the 1Password CLI terraform plugin. The plugin is in beta, I use `op` version `2.31.1-beta.01` as the latest beta version with the plugin at the time.
Issue: the terraform output command does not get credentials.
Baseline execution, credentials defined in environment:
```sh
export AWS_ACCESS_KEY_ID="..."
export AWS_SECRET_ACCESS_KEY="..."
terraform init
# works
terraform apply
# works
terraform output
# works
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
```
Executing using the same credentials but stored in 1Password:
```sh
op plugin init terraform
# Choose key from 1Password
op plugin run -- terraform init
# works
op plugin run -- terraform apply
# works
op plugin run -- terraform output
# Error: No valid credential sources found
```
The expected behaviour is that terraform output also works.
Here's an example Terraform script that I used for testing:
```hcl
terraform {
  required_version = ">= 1.9.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 6.0"
    }
  }
  backend "s3" {
    bucket       = "something-something-terraform-prod"
    key          = "test/terraform.tfstate"
    region       = "eu-central-1"
    use_lockfile = true
    encrypt      = true
  }
}

provider "aws" {
  alias  = "bootstrap"
  region = "eu-central-1"
}

data "aws_caller_identity" "current" {
  provider = aws.bootstrap
}

provider "aws" {
  region = "eu-central-1"
  assume_role {
    role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/terraform-prod"
  }
}

data "aws_key_pair" "test" {
  key_name = "test-key-that-already-exists"
}

output "key" {
  value = data.aws_key_pair.test.key_name
}
```
Note that I use "assume-role" in the script, but this had no issues when using environment variables. I did NOT request a session token manually. I let terraform do the session management itself.
The AWS provider is a bit overcomplicated, but this is what I had at hand. Terraform output works when using environment variables, and does not work when using the 1Password plugin.
I ran terraform with trace level logs. I compared a working and a non-working log and the only difference is one line:
```
2025-09-19T21:14:32.935+0200 [TRACE] Meta.Backend: BackendOpts.Config not set, so using settings loaded from provider.tf:11,3-15
```
This makes me assume that the plugin does not hand over credentials to terraform when the "output" command is run. Since the state file can be stored on S3, credentials are essential for the output command.
For completeness' sake, here's the non-working log (with some redactions):
```
2025-09-19T21:14:32.934+0200 [INFO] Terraform version: 1.13.2
2025-09-19T21:14:32.934+0200 [DEBUG] using github.com/hashicorp/go-tfe v1.74.1
2025-09-19T21:14:32.934+0200 [DEBUG] using github.com/hashicorp/hcl/v2 v2.24.0
2025-09-19T21:14:32.934+0200 [DEBUG] using github.com/hashicorp/terraform-svchost v0.1.1
2025-09-19T21:14:32.934+0200 [DEBUG] using github.com/zclconf/go-cty v1.16.3
2025-09-19T21:14:32.934+0200 [INFO] Go runtime version: go1.24.5
2025-09-19T21:14:32.934+0200 [INFO] CLI args: []string{"terraform", "output"}
2025-09-19T21:14:32.934+0200 [TRACE] Stdout is a terminal of width 144
2025-09-19T21:14:32.934+0200 [TRACE] Stderr is not a terminal
2025-09-19T21:14:32.934+0200 [TRACE] Stdin is a terminal
2025-09-19T21:14:32.934+0200 [DEBUG] Attempting to open CLI config file: /Users/user/.terraformrc
2025-09-19T21:14:32.934+0200 [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2025-09-19T21:14:32.934+0200 [DEBUG] ignoring non-existing provider search directory terraform.d/plugins
2025-09-19T21:14:32.934+0200 [DEBUG] ignoring non-existing provider search directory /Users/user/.terraform.d/plugins
2025-09-19T21:14:32.934+0200 [DEBUG] ignoring non-existing provider search directory /Users/user/Library/Application Support/io.terraform/plugins
2025-09-19T21:14:32.934+0200 [DEBUG] ignoring non-existing provider search directory /Library/Application Support/io.terraform/plugins
2025-09-19T21:14:32.934+0200 [INFO] CLI command args: []string{"output"}
2025-09-19T21:14:32.935+0200 [TRACE] Meta.Backend: BackendOpts.Config not set, so using settings loaded from provider.tf:11,3-15
2025-09-19T21:14:32.936+0200 [TRACE] Meta.Backend: built configuration for "s3" backend with hash value 3136668788
2025-09-19T21:14:32.936+0200 [TRACE] Meta.Backend: working directory was previously initialized for "s3" backend
2025-09-19T21:14:32.936+0200 [TRACE] Meta.Backend: using already-initialized, unchanged "s3" backend configuration
2025-09-19T21:14:32.936+0200 [TRACE] backend-s3.aws-base: Resolving AWS configuration: tf_backend.operation=Configure tf_backend.req_id=8226a33c-d509-ad12-e84b-1a3c69daf0c1 tf_backend.s3.bucket=something-something-terraform-prod tf_backend.s3.path=test/terraform.tfstate
2025-09-19T21:14:32.936+0200 [DEBUG] backend-s3.aws-base: Resolving credentials provider: tf_backend.operation=Configure tf_backend.req_id=8226a33c-d509-ad12-e84b-1a3c69daf0c1 tf_backend.s3.bucket=something-something-terraform-prod tf_backend.s3.path=test/terraform.tfstate
2025-09-19T21:14:32.936+0200 [TRACE] backend-s3.aws-base: Building default HTTP client: tf_backend.operation=Configure tf_backend.req_id=8226a33c-d509-ad12-e84b-1a3c69daf0c1 tf_backend.s3.bucket=something-something-terraform-prod tf_backend.s3.path=test/terraform.tfstate
2025-09-19T21:14:32.936+0200 [DEBUG] backend-s3.aws-base: Loading configuration: tf_backend.operation=Configure tf_backend.req_id=8226a33c-d509-ad12-e84b-1a3c69daf0c1 tf_backend.s3.bucket=something-something-terraform-prod tf_backend.s3.path=test/terraform.tfstate
2025-09-19T21:14:32.936+0200 [DEBUG] backend-s3.aws-base: Retrieving credentials: tf_backend.operation=Configure tf_backend.req_id=8226a33c-d509-ad12-e84b-1a3c69daf0c1 tf_backend.s3.bucket=something-something-terraform-prod tf_backend.s3.path=test/terraform.tfstate
^[[31m╷^[[0m^[[0m
^[[31m│^[[0m ^[[0m^[[1m^[[31mError: ^[[0m^[[0m^[[1mNo valid credential sources found^[[0m
```
A few questions in random order:
- Did anyone else experience similar behaviour?
- Is there a ticketing system where I can open an issue?
- Can anyone else reproduce the issue?
- Is there a known solution?
- Is there anything else I can do to provide information that could help solve this?
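
The log comparison described in the post can be scripted so that timestamps and request ids do not drown out the real difference. This is an added example, not part of the original post or of 1Password's or Terraform's tooling; the function names, file names and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): diff two Terraform TRACE logs
# after removing fields that change on every run.
# Capture logs with Terraform's TF_LOG=trace and TF_LOG_PATH=<file> variables.
# Trace logs can contain account details; review them before sharing.

# Drop the leading timestamp, mask tf_backend.req_id, strip ANSI colour codes
# (real ESC bytes and the literal "^[" form that pagers and editors show).
normalize_tf_log() {
  esc=$(printf '\033')
  sed -E \
    -e 's/^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9:.]+[+-][0-9]{4} //' \
    -e 's/tf_backend\.req_id=[0-9a-f-]+/tf_backend.req_id=<id>/g' \
    -e "s/${esc}\\[[0-9;]*m//g" \
    -e 's/\^\[\[[0-9;]*m//g' \
    "$1"
}

# Print the differences; exit status is diff's (0 = identical, 1 = different).
tf_log_diff() {
  a=$(mktemp) && b=$(mktemp) || return 2
  normalize_tf_log "$1" > "$a"
  normalize_tf_log "$2" > "$b"
  rc=0
  diff "$a" "$b" || rc=$?
  rm -f "$a" "$b"
  return "$rc"
}

# Constructed sample logs: timestamps and request ids are made up.
write_sample_logs() {
  cat > "$1/ok.log" <<'EOF'
2025-01-01T10:00:00.100+0200 [INFO] CLI command args: []string{"output"}
2025-01-01T10:00:00.101+0200 [DEBUG] backend-s3.aws-base: Retrieving credentials: tf_backend.req_id=aaaaaaaa-0000-0000-0000-000000000001
EOF
  cat > "$1/fail.log" <<'EOF'
2025-01-01T11:30:00.900+0200 [INFO] CLI command args: []string{"output"}
2025-01-01T11:30:00.901+0200 [DEBUG] backend-s3.aws-base: Retrieving credentials: tf_backend.req_id=bbbbbbbb-0000-0000-0000-000000000002
^[[31mError: ^[[0mNo valid credential sources found
EOF
}

# Usage: sh tf-log-diff.sh working.log failing.log
if [ "$#" -eq 2 ]; then tf_log_diff "$1" "$2"; fi
```
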
2 Replies
- 1P_Phil
Moderator
Hi GaryT,
Thanks for both the long and short version :D
To your question, yes of course, please send mail to support@1password.com and that will create a ticket and will move forward.
While you do that, I'll share this conversation internally and maybe we can get some eyes on this sooner.
Thanks,
Phil
- GaryT
New Contributor
TL;DR:
- The "op plugin terraform output" command does not get credentials from 1Password.
- The Terraform state can be stored on cloud services that require authentication. => We need credentials for the "terraform output" command.
- Is there a way to contact the developer to submit an issue about this?