Reputation: 263
I have been using AWS as my cloud service and Terraform as IaC. It's very annoying to copy-paste the credentials frequently. Is there any solution available for that, or any other workaround to use AWS SSO?
Upvotes: 8
Views: 10009
Reputation: 1019
In October 2024 I found a way to do this. This comment was a big help: https://github.com/hashicorp/terraform-provider-aws/issues/2420#issuecomment-1899137746.
Tested requirements (different versions may work but YMMV):
Edit your ~/.aws/config to have these settings (I use a company name of "acme" in the example).
[sso-session acmesso]
sso_region = us-east-1
sso_start_url = https://acmesso.awsapps.com/start
sso_registration_scopes = sso:account:access
[profile acmesso_sso]
sso_session = acmesso
sso_account_id = 1234567890
sso_region = us-east-1
sso_role_name = SsoAccountAdministrator
region = us-east-1
output = json
[profile acmesso]
credential_process = aws configure export-credentials --profile acmesso_sso
Next, authenticate to the acmesso_sso profile with:
aws sso login --profile acmesso_sso
You will need to approve a code in your browser, etc. and click a few buttons.
Afterwards you can verify it worked with these commands, which should return the same result:
aws sts get-caller-identity --profile acmesso_sso
aws sts get-caller-identity --profile acmesso
Your terraform provider and backend should look something like this (Note that we use the profile that uses the credential_process setting!):
variable "aws_profile" {
  type    = string
  default = "acmesso"
}

variable "aws_region" {
  type    = string
  default = "us-east-1"
}

provider "aws" {
  profile = var.aws_profile
  region  = var.aws_region
}

terraform {
  backend "s3" {
    bucket  = "my-tf-bucket"
    key     = "terraform-state/acmesso.tfstate"
    profile = "acmesso"
    region  = "us-east-1"
  }
}
This is kludgy, but the Terraform team explains their stance on keeping Terraform "non-interactive" here: https://github.com/hashicorp/terraform-provider-aws/issues/2420#issuecomment-1449084088
Their statement "We're going to add the external credentials process to the provider for parity with the credentials and configuration files." is why this sort of delegated approach now works.
Upvotes: 1
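A lint for the credential_process chain the answer above sets up, added here as an example and not the answerer's code. It parses a constructed ~/.aws/config that mirrors that answer's layout (section names and keys are the real AWS CLI ones; the account ID is a 12-digit placeholder and the "legacy" profile with static keys is deliberately bad) and follows the links profile -> credential_process --profile X -> sso_session -> [sso-session], flagging static keys on disk, missing fields, a non-https start URL and credential_process loops. It makes no AWS calls, so it complements rather than replaces the two get-caller-identity checks.

```python
"""Lint an AWS shared config for an SSO-backed credential_process chain."""
import configparser
import re
import shlex

# Constructed sample ~/.aws/config (not a real file): the layout from the
# answer plus a deliberately bad "legacy" profile with static keys.
SAMPLE_CONFIG = """\
[sso-session acmesso]
sso_region = us-east-1
sso_start_url = https://acmesso.awsapps.com/start
sso_registration_scopes = sso:account:access

[profile acmesso_sso]
sso_session = acmesso
sso_account_id = 123456789012
sso_region = us-east-1
sso_role_name = SsoAccountAdministrator
region = us-east-1
output = json

[profile acmesso]
credential_process = aws configure export-credentials --profile acmesso_sso

[profile legacy]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = not-a-real-secret
region = us-east-1
"""

# Long-lived secrets that an SSO-backed profile should never carry.
STATIC_KEYS = ("aws_access_key_id", "aws_secret_access_key", "aws_session_token")


def load_config(text):
    # Split on '=' only and disable %-interpolation so URLs and odd values
    # are read verbatim, the way the AWS CLI reads them.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return cp


def lint_profile(cp, name, _seen=None):
    """Walk profile -> credential_process --profile X -> sso_session -> sso-session.

    Returns (chain, problems): chain lists the sections visited, problems is a
    list of findings; an empty list means the chain is sound.
    """
    _seen = set() if _seen is None else _seen
    section = f"profile {name}"
    chain, problems = [section], []
    if section not in cp:
        return chain, [f"{section}: section not found"]
    if name in _seen:
        return chain, [f"{section}: credential_process loop"]
    _seen.add(name)
    sec = cp[section]

    for key in STATIC_KEYS:
        if key in sec:
            problems.append(f"{section}: static credential {key} stored on disk")

    if "credential_process" in sec:
        argv = shlex.split(sec["credential_process"])
        if argv[:3] != ["aws", "configure", "export-credentials"]:
            problems.append(f"{section}: credential_process runs {argv[0]!r}, "
                            "not the AWS CLI exporter")
        if "--profile" in argv and argv.index("--profile") + 1 < len(argv):
            target = argv[argv.index("--profile") + 1]
            sub_chain, sub_problems = lint_profile(cp, target, _seen)
            chain += sub_chain
            problems += sub_problems
        else:
            problems.append(f"{section}: credential_process has no --profile, "
                            "so it would export the default profile")
        return chain, problems

    if "sso_session" in sec:
        for key in ("sso_account_id", "sso_role_name"):
            if key not in sec:
                problems.append(f"{section}: missing {key}")
        if not re.fullmatch(r"\d{12}", sec.get("sso_account_id", "")):
            problems.append(f"{section}: sso_account_id must be a 12-digit AWS account ID")
        session = f"sso-session {sec['sso_session']}"
        chain.append(session)
        if session not in cp:
            problems.append(f"{section}: references missing [{session}]")
        else:
            for key in ("sso_region", "sso_start_url"):
                if key not in cp[session]:
                    problems.append(f"{session}: missing {key}")
            if not cp[session].get("sso_start_url", "").startswith("https://"):
                problems.append(f"{session}: sso_start_url must be https")
        return chain, problems

    problems.append(f"{section}: neither credential_process nor sso_session; not SSO-backed")
    return chain, problems


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for prof in ("acmesso", "legacy", "missing"):
        visited, findings = lint_profile(cfg, prof)
        print(prof, "->", " -> ".join(visited))
        for finding in findings:
            print("  !", finding)
```

Run it against the profile name you hand to Terraform before the first plan. One thing the script cannot check for you: credential_process executes whatever command the config line names, so ~/.aws/config must stay writable only by your own user.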
Reputation: 118
It seems that this is possible without external plugins now; see here: https://registry.terraform.io/providers/hashicorp/aws/latest/docs#shared-configuration-and-credentials-files
Example:
provider "aws" {
profile = "customprofile"
}
Upvotes: 4
Reputation: 885
It was my understanding that there is a current issue between AWS SSO (authentication v2) and Terraform: that only v1 authentication (access key and secret key) is reliably accepted.
For example, this open PR, this issue, or this ongoing referenced merge.
There are a couple of projects that circumvent this issue by generating V1 creds from AWS SSO.
The one I use is a PyPi library called yawsso.
Try this:
pip3 install yawsso
yawsso login # this will authenticate - you no longer need to run 'aws sso login'
Just make sure you use the right profile with export AWS_PROFILE=foo, where "foo" is defined in ~/.aws/config as [profile foo].
yawsso will log you in on all profiles listed in the AWS config file, so you don't need to log in one by one to all the profiles required at work.
Upvotes: 7