
Using AWS Terraform How to enable s3 backend authentication with assumed role MFA credentials

I provision AWS resources with Terraform from a Python script that calls terraform via the shell:

os.system('terraform apply')

The only way I found to enable terraform authentication, after enabling MFA and assuming a role, is to publish these environment variables:

os.system('export ASSUMED_ROLE="<>:botocore-session-123"; '
          'export AWS_ACCESS_KEY_ID="vfdgdsfg"; '
          'export AWS_SECRET_ACCESS_KEY="fgbdzf"; '
          'export AWS_SESSION_TOKEN="fsrfserfgs"; '
          'export AWS_SECURITY_TOKEN="fsrfserfgs"; terraform apply')

This worked OK until I configured S3 as the backend: the terraform action is performed, but before the state can be stored in the bucket I get the standard (very confusing) exception:

Error: error configuring S3 Backend: Error creating AWS session: AssumeRoleTokenProviderNotSetError: assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.

I read this excellent answer explaining that for security and other reasons backend configuration is separate.

Since I don't want to add actual secret keys to source code (as suggested by the post) I tried adding a reference to the profile and when it failed I added the actual keys just to see if it would work, which it didn't.

My working theory is that behind the scenes terraform starts another process which doesn't access or inherit the credential environment variables.

How do I use s3 backend, with an MFA assumed role?

One must point the backend to the desired profile. In my case the same profile used for the provisioning itself.

Here is a minimal POC:

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }

  backend "s3" {
    bucket = "unique-terraform-state-dev"
    key    = "test"
    region = "us-east-2"

    # The backend reads its own credentials: point it at the profile that
    # holds the assumed-role session credentials.
    profile = "the_role_assumed_in_aws_credentials"
  }
}

provider "aws" {
  version = "~> 3.0"
  region  = var.region
}

# Declared here so the snippet is self-contained; values are supplied at apply time.
variable "region" {
  type = string
}

variable "bucket_name" {
  type = string
}

resource "aws_s3_bucket" "s3_bucket" {
  bucket = var.bucket_name
}

As a reminder, it is run by a shell which has these environment variables:

os.system('export ASSUMED_ROLE="<>:botocore-session-123"; '
          'export AWS_ACCESS_KEY_ID="vfdgdsfg"; '
          'export AWS_SECRET_ACCESS_KEY="fgbdzf"; '
          'export AWS_SESSION_TOKEN="fsrfserfgs"; '
          'export AWS_SECURITY_TOKEN="fsrfserfgs"; terraform apply')
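The question's script and the answer's `profile = ...` backend setting can be combined in one place. The following is an added example, not code from the question, the answer, or Terraform itself: it assumes a role with an MFA token through STS (the `assume_role_with_mfa` helper and its `role_arn`, `mfa_serial`, `token_code` parameters are this example's own names), hands the temporary credentials to terraform through the child process environment rather than through an inline `export ...; terraform apply` string (which exposes the secrets in the `sh -c` argument list, visible in `ps` and `/proc/<pid>/cmdline`), and writes the same credentials to a named profile in a shared credentials file so that `backend "s3" { profile = "..." }` can read them. `boto3` is imported lazily so the environment and profile helpers run without it; the credential values in the test are constructed.

```python
"""Run terraform with MFA-assumed-role credentials (added example)."""
import configparser
import os
import subprocess
from pathlib import Path

# Env var -> key in the STS "Credentials" dict.
ENV_VARS = {
    "AWS_ACCESS_KEY_ID": "AccessKeyId",
    "AWS_SECRET_ACCESS_KEY": "SecretAccessKey",
    "AWS_SESSION_TOKEN": "SessionToken",
}


def assume_role_with_mfa(role_arn, mfa_serial, token_code, session_name="terraform"):
    """Call STS AssumeRole with an MFA code; returns the Credentials dict.

    boto3 is imported here (assumption: it is installed when this is used)
    so the rest of the module works offline.
    """
    import boto3

    sts = boto3.client("sts")
    resp = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        SerialNumber=mfa_serial,
        TokenCode=token_code,
    )
    return resp["Credentials"]


def terraform_env(creds, base_env=None):
    """Build the child environment for terraform.

    Inherits the parent environment, sets the credential variables and drops
    any AWS_PROFILE so the temporary credentials take precedence.
    """
    env = dict(os.environ if base_env is None else base_env)
    for var, key in ENV_VARS.items():
        env[var] = creds[key]
    # Legacy alias of AWS_SESSION_TOKEN, kept for tools that still read it.
    env["AWS_SECURITY_TOKEN"] = creds["SessionToken"]
    env.pop("AWS_PROFILE", None)
    return env


def write_credentials_profile(creds, profile, path):
    """Store the temporary credentials under [profile] in a credentials file.

    This is the profile the S3 backend's `profile = "..."` setting reads.
    The file is created with owner-only permissions.
    """
    path = Path(path)
    cfg = configparser.ConfigParser()
    if path.exists():
        cfg.read(path)
    cfg[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }
    path.parent.mkdir(parents=True, exist_ok=True)
    with open(path, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)
    return path


def read_credentials_profile(path, profile):
    """Return the stored profile as a plain dict (used to verify the file)."""
    cfg = configparser.ConfigParser()
    cfg.read(path)
    return dict(cfg[profile])


def run_terraform(args, creds):
    """Invoke terraform with credentials passed via the environment only."""
    return subprocess.run(["terraform", *args], env=terraform_env(creds), check=True).returncode


if __name__ == "__main__":
    # Placeholder values; replace with the real role, MFA device and code.
    creds = assume_role_with_mfa(
        role_arn="arn:aws:iam::<account-id>:role/<role-name>",
        mfa_serial="arn:aws:iam::<account-id>:mfa/<user>",
        token_code=input("MFA code: "),
    )
    write_credentials_profile(
        creds, "the_role_assumed_in_aws_credentials", Path.home() / ".aws" / "credentials"
    )
    run_terraform(["apply"], creds)
```

Because the backend is configured from its own `profile` and the provider from the environment, both read the same short-lived session; when the session expires, re-run the script to refresh both at once.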
