Alexander Nekrasov

Reputation: 331

How do I configure AWS MFA for Terraform?

I want to perform MFA for Terraform so it's expected to ask the 6-digit token from my virtual MFA device for every terraform [command]. After reading the documentation: cli-roles terraform mfa I created a role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[ACCOUNT_ID]:user/testuser"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}

This user is forced to use MFA by default and I have a configured virtual MFA device for him.

~/.aws/credentials:

[default]
...

[terraform_role]
role_arn = arn:aws:iam::[ACCOUNT_ID]:role/terraform-test-role
source_profile = default
mfa_serial = arn:aws:iam::[ACCOUNT_ID]:mfa/testuser

In my Terraform environment I placed the following:

provider "aws" {
  profile = "terraform_role"
}

But when I run terraform plan it throws me an error:

Error refreshing state: 1 error(s) occurred:

* provider.aws: No valid credential sources found for AWS Provider.
  Please see https://terraform.io/docs/providers/aws/index.html for more information on
  providing credentials for the AWS Provider

Upvotes: 8

Views: 16301

Answers (3)

Promise Preston

Reputation: 28900

I had this issue when trying to set up MFA enforcement using Terraform.

This was how I did it:

I had to use the enforce-mfa terraform module:

data "aws_caller_identity" "current" {}

# Group whose members the MFA-enforcement policy is attached to
resource "aws_iam_group" "support" {
  name = "support"
}

module "enforce_mfa" {
  source  = "terraform-module/enforce-mfa/aws"
  version = "~> 1.0"

  policy_name                     = "managed-mfa-enforce"
  account_id                      = data.aws_caller_identity.current.id
  groups                          = [aws_iam_group.support.name]
  manage_own_signing_certificates = true
  manage_own_ssh_public_keys      = true
  manage_own_git_credentials      = true
}

Upvotes: 0

mrdynabyte

Reputation: 21

Unfortunately, the assume_role statement by itself is not a working solution. You need to use an MFA authentication wrapper, aws-runas, that eases the process not only of assuming the role but also of providing support for the mfa_serial clause in the .aws/credentials file.

In short, there are 3 steps:

  1. You'll need to have your .aws/credentials file as you have it.
  2. Install aws-runas.
  3. Run the apply: aws-runas [your_profile] - terraform apply

Upvotes: 1

Alexander Nekrasov

Reputation: 331

The solution is to specify an assume_role statement:

provider "aws" {
  profile = "default"
  assume_role {
    role_arn = "arn:aws:iam::[ACCOUNT_ID]:role/terraform-test-role"
  }
}

Upvotes: 2
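The trust policy in the question only lets the role be assumed when aws:MultiFactorAuthPresent is true, and the answers above disagree on whether a provider-level assume_role gets you there. As an added example, not from the question or any answer, here is a way to satisfy that condition without a third-party wrapper: assume the role yourself with the AWS CLI, passing the MFA serial and code to STS, and run terraform with the resulting temporary credentials in its environment. ROLE_ARN and MFA_SERIAL are taken from the question with its [ACCOUNT_ID] placeholder; the function names are mine.

```shell
# Added example (not from the question or any answer): get MFA-backed
# temporary credentials for the role from STS, then run terraform with them
# in the environment variables the AWS provider reads.
# Usage:  . ./tf-mfa.sh && run_terraform_with_mfa plan

# Values taken from the question; [ACCOUNT_ID] is the question's placeholder.
ROLE_ARN="arn:aws:iam::[ACCOUNT_ID]:role/terraform-test-role"
MFA_SERIAL="arn:aws:iam::[ACCOUNT_ID]:mfa/testuser"
SOURCE_PROFILE="default"

# Accept only exactly six digits, so a typo never reaches STS.
valid_token() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Turn the one-line "AccessKeyId SecretAccessKey SessionToken" output of
# `aws sts assume-role --output text` into export statements. Temporary keys
# always start with ASIA, so "None" or a long-term AKIA key is rejected.
sts_to_env() {
  # shellcheck disable=SC2086  # splitting on whitespace is intended here
  set -- $1
  [ "$#" -eq 3 ] || return 1
  case "$1" in ASIA*) ;; *) return 1 ;; esac
  printf 'export AWS_ACCESS_KEY_ID=%s\n' "$1"
  printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$2"
  printf 'export AWS_SESSION_TOKEN=%s\n' "$3"
}

# Prompt for the code, assume the role with MFA, and run terraform with the
# session credentials exported only inside that child process.
run_terraform_with_mfa() {
  printf 'MFA code for %s: ' "$MFA_SERIAL"
  read -r code
  valid_token "$code" || { echo "expected a 6-digit code" >&2; return 1; }
  creds=$(aws sts assume-role \
    --profile "$SOURCE_PROFILE" \
    --role-arn "$ROLE_ARN" \
    --role-session-name "terraform-$(date +%s)" \
    --serial-number "$MFA_SERIAL" \
    --token-code "$code" \
    --duration-seconds 3600 \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text) || return 1
  exports=$(sts_to_env "$creds") || { echo "unexpected STS output" >&2; return 1; }
  ( eval "$exports"; unset AWS_PROFILE; exec terraform "$@" )
}
```

Use it with a provider block that sets no profile, so the exported environment credentials are the ones the provider picks up; they exist only in the subshell that runs terraform and expire with the STS session.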
