
I would like to use AWS Assume Roles, with Terraform Cloud / Enterprise

In Terraform Open Source, you would typically just do an Assume Role, leveraging the .aws/credentials profile on the CLI, which is the initial authentication, and then performing the Assume Role:

provider "aws" {
  assume_role {
    role_arn     = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
    session_name = "SESSION_NAME"
    external_id  = "EXTERNAL_ID"
  }
}

The issue is, with Terraform Enterprise or Cloud, you cannot reference a profile, as the immutable infrastructure will not have that file in its directory.

Terraform Cloud/Enterprise needs to have an Access Key ID and Secret Access Key set as variables, so its infrastructure can perform the Terraform run via its pipeline and authenticate to whatever AWS account you would like to provision within.

So the question is: how can I perform an AWS Assume Role, leveraging the Access Key ID and Secret Access Key of the AWS account with the "Action": "sts:AssumeRole" policy?

I would think the below would work; however, Terraform is doing the initial authentication via the AWS credentials profile creds, for the account which has the sts:AssumeRole policy.

Can Terraform look at the access_key and secret_key to determine what AWS account to use when trying to assume the role, rather than use the AWS credentials profile?

provider "aws" {
  region     = var.aws_region
  access_key = var.access_key_id
  secret_key = var.secret_access_key

  assume_role {
    role_arn     = "arn:aws:iam::566264069176:role/RemoteAdmin"
    #role_arn     = "arn:aws:iam::<awsaccount>:role/<rolename>" # Do a replace in "file_update_automation.ps1"
    session_name = "RemoteAdminRole"
  }
}

In order to allow Terraform Cloud/Enterprise to get new Assume Role session tokens, it would need to use the access_key and secret_key to tell it what AWS account has the sts:AssumeRole policy, linking to the member AWS account to be provisioned, and not an AWS creds profile.

Thank you

Gvazzana
  • Bumping this question. Is it possible, in Terraform Open Source or Terraform Cloud / Enterprise, to leverage AWS Assume Roles while using the .aws/credentials file profile only for initial auth or scripts, then using AWS Assume Roles leveraging the defined access_key and secret_key, and NOT the credentials profile? – Gvazzana Apr 13 '20 at 14:40
  • Seems safe to assume that this can't be done and there's no work around currently? – Aaron Bruce May 24 '21 at 15:39
  • @Gvazzana I would say using Hashicorp Vault for dynamic credential is the only and best method so far. – Lee.Tan May 27 '21 at 14:57

4 Answers


This can be achieved if you have a Business plan enabled and implement self-hosted Terraform agents in your infrastructure. See video.

bonzofenix

I used the exact same provider configuration minus the explicit adding of the access keys. The access keys were added in the Terraform Cloud workspace as environment variables.

Rohit Salecha

This is definitely possible with Terraform Enterprise (TFE) if your TFE infrastructure is also hosted in AWS and the instance profile is trusted by the role you are trying to assume.

For Terraform Cloud (TFC) it is a different story: today there is no way to create a trust between TFC and an IAM role, but we can leverage the AWS SDK's ability to pick up credentials from environment variables. You have 2 options:

  1. Create AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables on the workspace and set them (remember to mark the secret access key as sensitive). The provider will pick these up from the env and work the same as on your local.
  2. If all workspaces need to use the same access and secret keys, you can set the env variables on a variable set, which will apply to all workspaces.
phzietsman
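A worked version of option 1 above, added here as an example; it is not code from the question or from any of the answers. It assumes a tooling account 111111111111 holding an IAM user named terraform-cloud whose keys are the workspace's AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables, a target account 222222222222 with the RemoteAdmin role from the question, and a made-up external ID; every one of those identifiers is a placeholder. The three sections live in separate configurations applied from the account named in each comment and are shown together only for reading. The point the answers leave implicit: the long-lived keys need nothing but sts:AssumeRole on that one role, and the role's trust policy should name that single user and require the external ID, so the keys are useless to anyone who cannot also satisfy the trust policy.

```hcl
# Added example, not from the original page. Account IDs, the user name
# "terraform-cloud" and the external ID are placeholders.

# ---- Workspace side (the Terraform Cloud/Enterprise run) ------------------
# AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are workspace environment
# variables (secret marked sensitive). Nothing is hard-coded in the provider,
# so this is identical to what runs on a laptop with the same env vars set.
provider "aws" {
  region = "us-east-1"

  assume_role {
    role_arn     = "arn:aws:iam::222222222222:role/RemoteAdmin"
    session_name = "tfc-remoteadmin"
    external_id  = "tfc-remoteadmin-7f3a" # must match the role's trust policy
  }
}

# Check: this output should show an assumed-role ARN in 222222222222
# (arn:aws:sts::222222222222:assumed-role/RemoteAdmin/tfc-remoteadmin),
# proving the run acts as the role and not as the IAM user holding the keys.
data "aws_caller_identity" "effective" {}

output "effective_identity" {
  value = data.aws_caller_identity.effective.arn
}

# ---- Tooling account 111111111111 (applied separately, own credentials) ---
# Least privilege for the static keys: the user can do exactly one thing,
# assume RemoteAdmin in the target account. No other permissions.
data "aws_iam_policy_document" "assume_remote_admin" {
  statement {
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = ["arn:aws:iam::222222222222:role/RemoteAdmin"]
  }
}

resource "aws_iam_user" "tfc" {
  name = "terraform-cloud"
}

resource "aws_iam_user_policy" "tfc_assume_only" {
  name   = "assume-remote-admin-only"
  user   = aws_iam_user.tfc.name
  policy = data.aws_iam_policy_document.assume_remote_admin.json
}

# ---- Target account 222222222222 (applied separately, own credentials) ----
# Trust the single IAM user, not the whole tooling account (":root"), and
# require the external ID the question already used. The external ID is a
# confused-deputy guard that pins which caller context may use the role; it
# is not a secret and does not replace protecting the keys.
data "aws_iam_policy_document" "remote_admin_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111111111111:user/terraform-cloud"]
    }

    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = ["tfc-remoteadmin-7f3a"]
    }
  }
}

resource "aws_iam_role" "remote_admin" {
  name                 = "RemoteAdmin"
  assume_role_policy   = data.aws_iam_policy_document.remote_admin_trust.json
  max_session_duration = 3600 # one hour; each run assumes the role afresh
}
```

If the assume fails, the provider does not fall back to the user's own permissions: the run errors at plan time with an AccessDenied from sts:AssumeRole. The usual causes are a typo in role_arn, a trust policy that does not name the user (or still names a profile-era principal), or an external_id that does not match the condition.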

It's now possible to use Dynamic Credentials via OpenID Connect provider. This is a relatively new feature they introduced earlier this year (February, 2023).

See the announcement and the official docs: Dynamic Credentials with the AWS Provider

Juraj Martinka
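What the dynamic-credentials setup looks like end to end, added here as an example rather than code from the answer or from HashiCorp's docs. It assumes a Terraform Cloud organization my-org, project my-project and workspace aws-prod, a target account 222222222222, and a role name tfc-aws-prod; the tfe_workspace_id variable and the use of the tls provider to fetch the issuer thumbprint are assumptions as well. The security-relevant part is the trust policy: the OIDC provider on its own would let any workspace in any Terraform Cloud organization assume the role, so the aud and sub conditions are what scope it to this one workspace.

```hcl
# Added example, not from the original page. Organization, project,
# workspace, account and role names are placeholders.

variable "tfe_workspace_id" {
  description = "ID of the aws-prod workspace (ws-...), looked up in TFC"
  type        = string
}

# ---- AWS side (applied once, with credentials that manage IAM in 222222222222)
data "tls_certificate" "tfc" {
  url = "https://app.terraform.io"
}

resource "aws_iam_openid_connect_provider" "tfc" {
  url             = "https://app.terraform.io"
  client_id_list  = ["aws.workload.identity"]
  thumbprint_list = [data.tls_certificate.tfc.certificates[0].sha1_fingerprint]
}

# Trust policy: only a token minted by Terraform Cloud for this exact
# org/project/workspace may assume the role. Drop the sub condition and
# every TFC workspace on the platform becomes a valid caller.
data "aws_iam_policy_document" "tfc_oidc_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.tfc.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "app.terraform.io:aud"
      values   = ["aws.workload.identity"]
    }

    condition {
      test     = "StringLike"
      variable = "app.terraform.io:sub"
      values   = ["organization:my-org:project:my-project:workspace:aws-prod:run_phase:*"]
    }
  }
}

resource "aws_iam_role" "tfc_oidc" {
  name               = "tfc-aws-prod"
  assume_role_policy = data.aws_iam_policy_document.tfc_oidc_trust.json
}

# ---- Workspace side: no access keys anywhere. These two environment
# variables tell the run to request a web identity token from TFC and
# exchange it for short-lived credentials for the role.
resource "tfe_variable" "aws_provider_auth" {
  workspace_id = var.tfe_workspace_id
  category     = "env"
  key          = "TFC_AWS_PROVIDER_AUTH"
  value        = "true"
}

resource "tfe_variable" "aws_run_role_arn" {
  workspace_id = var.tfe_workspace_id
  category     = "env"
  key          = "TFC_AWS_RUN_ROLE_ARN"
  value        = aws_iam_role.tfc_oidc.arn
}

# ---- In the aws-prod workspace's own configuration (a separate config):
# the provider block carries no access_key, secret_key or assume_role.
# The credentials are injected for the run and expire with it, so there
# is nothing static to rotate or to leak from the workspace variables.
provider "aws" {
  region = "us-east-1"
}
```

The run_phase wildcard in the sub condition accepts both plan and apply tokens with one role. Because the claim distinguishes the phases, you can instead give plan a read-only role and apply the provisioning role by setting TFC_AWS_PLAN_ROLE_ARN and TFC_AWS_APPLY_ROLE_ARN rather than the single TFC_AWS_RUN_ROLE_ARN, so a malicious or mistaken plan from a pull request cannot modify the account.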