Reputation: 63
I want to store Terraform state files in an S3 bucket in one AWS account and deploy instance changes in another AWS account using role_arn.
This is my configuration:
providers.tf
terraform {
  backend "s3" {
    bucket = "bucket"
    key = "tf/terraform.tfstate"
    encrypt = "false"
    region = "us-east-1"
    profile = "s3"
    role_arn = "arn:aws:iam::1111111111111:role/s3-role"
    dynamodb_table = "name"
  }
}
provider "aws" {
  profile = "ec2"
  region = "eu-north-1"
  assume_role {
    role_arn = "arn:aws:iam::2222222222222:role/ec2-role"
  }
}
~/.aws/credentials
[s3-def]
aws_access_key_id = aaaaaaaaaa
aws_secret_access_key = sssssssss
[ec2-def]
aws_access_key_id = aaaaaaa
aws_secret_access_key = sssss
[s3]
role_arn = arn:aws:iam::1111111111:role/s3-role
region = us-east-1
source_profile = s3-def
[ec2]
role_arn = arn:aws:iam::22222222222:role/ec2-role
region = eu-north-1
source_profile = ec2-def
And when I try terraform init -migrate-state I get:
2022-08-03T17:23:21.334+0300 [INFO] Terraform version: 1.2.5
2022-08-03T17:23:21.334+0300 [INFO] Go runtime version: go1.18.1
2022-08-03T17:23:21.334+0300 [INFO] CLI args: []string{"terraform", "init", "-migrate-state"}
2022-08-03T17:23:21.334+0300 [INFO] Loading CLI configuration from /
2022-08-03T17:23:21.335+0300 [INFO] CLI command args: []string{"init", "-migrate-state"}
Initializing the backend...
2022-08-03T17:23:21.337+0300 [WARN] backend config has changed since last init
Backend configuration changed!!!!
Terraform has detected that the configuration specified for the backend
has changed. Terraform will now check for existing state in the backends.
2022-08-03T17:23:21.338+0300 [INFO] Attempting to use session-derived credentials
╷
│ Error: error configuring S3 Backend: no valid credential sources for S3 Backend found.
│
│ Please see https://www.terraform.io/docs/language/settings/backends/s3.html
│ for more information about providing credentials.
│
│ Error: NoCredentialProviders: no valid providers in chain. Deprecated.
I just don't understand what this error is, and is it even possible to provide two different sets of credentials for S3 and EC2?
Upvotes: 6
Views: 2259
Reputation: 152
Your problem appears to be that you can't authenticate to manage your remote state. Don't try to handle resources in another account until you get your basic terraform init working.
Once you have that working, use provider aliasing to access multiple accounts. https://developer.hashicorp.com/terraform/language/providers/configuration#alias-multiple-provider-configurations
Upvotes: 0
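The provider aliasing the answer links to, sketched for the question's two accounts; this is an added example, not part of the original answer or the question's configuration. It assumes the static-key profiles `s3-def` and `ec2-def` are the base credentials and that Terraform performs each role assumption itself; the alias name `workload`, the session name and the output names are hypothetical, and the ARNs, bucket and table names are the question's placeholders.

```hcl
terraform {
  backend "s3" {
    bucket         = "bucket"
    key            = "tf/terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "name"
    # State files can contain secrets, so server-side encryption is
    # enabled here (the question's configuration has it off).
    encrypt = true
    # Assumption: start from the static keys and let the backend
    # assume the state-account role once.
    profile  = "s3-def"
    role_arn = "arn:aws:iam::1111111111111:role/s3-role"
  }
}

# Default (unaliased) provider: the account that holds the state bucket.
provider "aws" {
  region  = "us-east-1"
  profile = "s3-def"
  assume_role {
    role_arn = "arn:aws:iam::1111111111111:role/s3-role"
  }
}

# Aliased provider: the account where the instances are deployed.
provider "aws" {
  alias   = "workload"
  region  = "eu-north-1"
  profile = "ec2-def"
  assume_role {
    role_arn     = "arn:aws:iam::2222222222222:role/ec2-role"
    session_name = "terraform-workload" # hypothetical; appears in CloudTrail
  }
}

# Check that each provider lands in the account it is meant to reach.
data "aws_caller_identity" "state" {}

data "aws_caller_identity" "workload" {
  provider = aws.workload
}

output "state_account_id" {
  value = data.aws_caller_identity.state.account_id
}

output "workload_account_id" {
  value = data.aws_caller_identity.workload.account_id
}
```

Resources meant for the second account select it with `provider = aws.workload`; anything without that argument uses the default provider.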