Authenticating Terraform to Access AWS

In order to create and destroy AWS resources on your behalf, Terraform needs credentials that enable it to authenticate to AWS. Two types of credentials are acceptable:

  • Credentials that are associated with an AWS IAM user account, or
  • Credentials that are generated by assuming an IAM role that has sufficient permissions to perform all the actions defined in the Terraform manifest.

You will need either an AWS IAM user account or an AWS IAM role that has at a minimum the permissions listed in this policy.

You can either use static credentials (including temporary credentials with a session token) or a profile with a credentials file.

You can pass AWS credentials to Terraform by using either AWS environment variables or TF_VAR_name environment variables.

Follow these links for more information on how to create and retrieve AWS credentials to configure Terraform access to AWS:

Using AWS Static Credentials

You can pass values to Terraform variables with these AWS environment variables:

AWS_ACCESS_KEY_ID=<your_aws_access_key_id>
AWS_SECRET_ACCESS_KEY=<your_aws_secret_access_key>
AWS_SESSION_TOKEN=<your_aws_session_token>

or with these TF_VAR_name environment variables:

TF_VAR_aws_access_key_id=<your_aws_access_key_id>
TF_VAR_aws_secret_access_key=<your_aws_secret_access_key>
TF_VAR_aws_session_token=<your_aws_session_token>

NOTE: AWS_SESSION_TOKEN is optional and is only required when you are using temporary AWS credentials. For example, you might generate temporary AWS credentials when assuming an IAM role. See the AWS documentation on environment variables for more information.

See AWS IAM roles for more information about temporary credentials when using an assumed role. For an IAM user to be able to assume a role, a trust relationship for that user must be created within the role. For more information, see granting AssumeRole permission for a role.

Using AWS Profile with Credentials File

You can pass values to Terraform variables with these AWS environment variables:

AWS_PROFILE=<your_aws_profile_name>
AWS_SHARED_CREDENTIALS_FILE=~/.aws/credentials

or with these TF_VAR_name environment variables:

TF_VAR_aws_profile=<your_aws_profile_name>
TF_VAR_aws_shared_credentials_file=~/.aws/credentials

You can find more information in the Terraform AWS Provider documentation.
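
A pre-flight check for the two methods above, run before `terraform plan`. This is an added example, not part of the original document: the function name `tf_aws_cred_check` and the rule that setting both methods at once is an error are assumptions of this example.

```shell
#!/bin/sh
# Added example: validate the credential variables described on this page.
# Prints the detected mode (static | temporary | profile) and returns 0,
# or prints "error: ..." and returns 1.
tf_aws_cred_check() {
    # Prefer the AWS_* names; fall back to the TF_VAR_* names from this page.
    key=${AWS_ACCESS_KEY_ID:-${TF_VAR_aws_access_key_id:-}}
    secret=${AWS_SECRET_ACCESS_KEY:-${TF_VAR_aws_secret_access_key:-}}
    token=${AWS_SESSION_TOKEN:-${TF_VAR_aws_session_token:-}}
    profile=${AWS_PROFILE:-${TF_VAR_aws_profile:-}}
    file=${AWS_SHARED_CREDENTIALS_FILE:-${TF_VAR_aws_shared_credentials_file:-}}
    file=${file:-${HOME:-}/.aws/credentials}

    if [ -n "$key" ] && [ -n "$profile" ]; then
        # Assumption of this check: mixing both methods is treated as a mistake.
        echo "error: static keys and a profile are both set; pick one method"; return 1
    fi
    if [ -n "$key" ]; then
        [ -n "$secret" ] || { echo "error: access key id set without a secret access key"; return 1; }
        case $key in
            ASIA*)  # STS-issued temporary access key ids start with ASIA
                [ -n "$token" ] || { echo "error: temporary key (ASIA...) needs a session token"; return 1; }
                echo temporary ;;
            *)      # anything else is treated as long-term (IAM user key ids start with AKIA)
                [ -z "$token" ] || { echo "error: session token set with a long-term key"; return 1; }
                echo static ;;
        esac
        return 0
    fi
    if [ -n "$profile" ]; then
        [ -f "$file" ] || { echo "error: credentials file not found: $file"; return 1; }
        # The file holds secrets: reject it if group or others can read it.
        if [ -n "$(find "$file" -prune \( -perm -040 -o -perm -004 \))" ]; then
            echo "error: $file is readable by group or others (chmod 600)"; return 1
        fi
        grep -qxF "[$profile]" "$file" || { echo "error: no [$profile] section in $file"; return 1; }
        echo profile; return 0
    fi
    echo "error: no AWS credentials found in the environment"; return 1
}
```

Call it as `tf_aws_cred_check && terraform plan` so a stale session token or an over-permissive credentials file stops the run before Terraform contacts AWS.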