
Terraform and AWS secrets

I must be missing something in how AWS secrets can be accessed through Terraform. Here is the scenario I am struggling with:

  • I create an IAM user named "infra_user", create an access key ID and secret access key for the user, and download the values in plain text.

  • "infra_user" will be used to authenticate via Terraform to provision resources, let's say an S3 bucket and an EC2 instance.

  • To protect the ID and secret key of "infra_user", I store them in AWS secrets manager.

  • In order to authenticate with "infra_user" in my terraform script, I will need to retrieve the secrets via the following block:

     data "aws_secretsmanager_secret" "arn" {
       arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:example-123456"
     }

But, to even use the data block in my script and retrieve the secrets wouldn't I need to authenticate to AWS in some other way in my provider block before I declare any resources? If I create another user, say "tf_user", to just retrieve the secrets where would I store the access key for "tf_user"? How do I avoid this circular authentication loop?

The Terraform AWS provider documentation has a section on Authentication and Configuration and lists an order of precedence for how the provider discovers which credentials to use. You can choose the method that makes the most sense for your use case.

For example, one (insecure) method would be to set the credentials directly in the provider:

provider "aws" {
  region     = "us-west-2"
  access_key = "my-access-key"
  secret_key = "my-secret-key"
}

Or, you could set the environment variables in your shell:

export AWS_ACCESS_KEY_ID="my-access-key"
export AWS_SECRET_ACCESS_KEY="my-secret-key"
export AWS_DEFAULT_REGION="us-west-2"

Now your provider block simplifies to:

provider "aws" {}

When you run Terraform commands, it will automatically use the credentials in your environment.

Or as yet another alternative, you can store the credentials in a profile configuration file and choose which profile to use by setting the AWS_PROFILE environment variable.

Authentication is somewhat more complex and configurable than it seems at first glance, so I'd encourage you to read the documentation.
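To make the profile-based approach concrete, here is an added example (not code from the original question or answer) of how the two concerns separate: the provider authenticates from a shared credentials profile, and Secrets Manager is read only for secrets that provisioned resources need. The profile name "infra", the secret name "prod/db" and its JSON layout are assumptions.

```hcl
# Added example, not code from the original answer. Assumes an "infra" profile
# in ~/.aws/credentials holding infra_user's key (created outside Terraform,
# never committed), region us-east-1, and an existing Secrets Manager secret
# named "prod/db" whose value is JSON like {"username": "...", "password": "..."}.
#
# ~/.aws/credentials:
#   [infra]
#   aws_access_key_id     = AKIA...
#   aws_secret_access_key = ...
#
# Bootstrap credentials come from the profile (or AWS_PROFILE=infra in the
# shell), so no key appears in this file.
provider "aws" {
  region  = "us-east-1"
  profile = "infra"
}

# Secrets Manager holds secrets that the *resources* need, not the provider's
# own login; that is what breaks the circular dependency from the question.
data "aws_secretsmanager_secret" "db" {
  name = "prod/db"
}

data "aws_secretsmanager_secret_version" "db" {
  secret_id = data.aws_secretsmanager_secret.db.id
}

locals {
  db = jsondecode(data.aws_secretsmanager_secret_version.db.secret_string)
}

resource "aws_db_instance" "app" {
  identifier          = "app-db"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = local.db.username
  password            = local.db.password # still written to state: protect the backend
  skip_final_snapshot = true
}

# Sensitive outputs are redacted in plan/apply output.
output "db_username" {
  value     = local.db.username
  sensitive = true
}
```

The value retrieved from Secrets Manager is still stored in the Terraform state file, so the state backend needs the same access controls as the secret itself.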
