How I removed credentials from my terraform code.

I had been using credential files in my terraform projects. Recently I switched to AWS SSO and now provide only the profile name in the code. At runtime (plan, apply, etc.) terraform uses the token cached for that profile. If the token has expired, the command stops with an authentication error; re-authenticate from the CLI by running 'aws sso login --profile mylab-dev'.

The Setup

Configure an AWS SSO profile for each account/role pair you use. Use the following session as a guide (the account and role lines are interactive selections):

aws configure sso

SSO start URL [None]: https://yourawssso.awsapps.com/start#
SSO Region [None]: us-east-1
There are 4 AWS accounts available to you. (selected: 000000000000)
There are 2 roles available to you. (selected: AWSAdministratorAccess)
CLI default client Region [us-east-1]: <press Return>
CLI default output format [None]: <press Return>
CLI profile name [AWSAdministratorAccess-000000000000]: mylab-dev
To use this profile, specify the profile name using --profile, as shown:

aws s3 ls --profile mylab-dev

Once you have the profile(s) created, log in with AWS SSO:

aws sso login --profile mylab-dev

You are presented with the AWS SSO authentication page (a one-time verification code is passed to the page by the AWS CLI). After you authenticate, the browser shows a confirmation page and the CLI command returns.

I updated my provider block to drop the shared credentials file and use the SSO profile instead:

provider "aws" {
  alias                     = "env_e1"
  #shared_credentials_file   = "../credentials"
  profile                   = "mylab-dev"
  region                    = "us-east-1"
}

There are no keys in the ~/.aws/credentials file. Take a look in the ~/.aws/config file and you'll see something like:

[profile mylab-dev]
sso_start_url = https://thenewtonlab.awsapps.com/start#
sso_region = us-east-1
sso_account_id = 000000000000
sso_role_name = AWSAdministratorAccess
region = us-east-1

So now my code is keyless like my car. All is as it should be.
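As an added example (not part of the original post), here is a small pre-flight check you can run before terraform plan/apply. It parses the same two files the post describes (~/.aws/config and ~/.aws/credentials) plus one entry from the AWS CLI's SSO token cache (~/.aws/sso/cache/*.json, which stores startUrl, region, accessToken and expiresAt), and reports three things: whether the profile is SSO-backed, whether a static access key is still lingering in the credentials file, and whether the cached SSO token has expired. All file contents below are constructed samples embedded inline so the script runs offline; the profile names, placeholder key values and the expiry timestamp are assumptions.

```python
"""Pre-flight check for an SSO-backed Terraform profile (added example, not the post's code)."""
import configparser
import json
from datetime import datetime, timezone

# Constructed sample of ~/.aws/config: one SSO profile (as in the post) and one legacy profile.
SAMPLE_CONFIG = """\
[profile mylab-dev]
sso_start_url = https://thenewtonlab.awsapps.com/start#
sso_region = us-east-1
sso_account_id = 000000000000
sso_role_name = AWSAdministratorAccess
region = us-east-1

[profile legacy-keys]
region = us-east-1
"""

# Constructed sample of ~/.aws/credentials: the legacy profile still carries static keys (placeholders).
SAMPLE_CREDENTIALS = """\
[legacy-keys]
aws_access_key_id = AKIA-PLACEHOLDER-NOT-A-REAL-KEY
aws_secret_access_key = PLACEHOLDER-SECRET
"""

# Constructed sample of one ~/.aws/sso/cache/<hash>.json entry (token value is a placeholder).
SAMPLE_SSO_CACHE = json.dumps({
    "startUrl": "https://thenewtonlab.awsapps.com/start#",
    "region": "us-east-1",
    "accessToken": "PLACEHOLDER-TOKEN",
    "expiresAt": "2024-01-01T12:00:00Z",
})

# Assumed clock values for the demo, one hour either side of the sample expiry.
BEFORE_EXPIRY = datetime(2024, 1, 1, 11, 0, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2024, 1, 1, 13, 0, tzinfo=timezone.utc)


def load_ini(text):
    """Both AWS files are INI-style; configparser handles them directly."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def uses_sso(config_text, profile):
    """True if the profile is defined in ~/.aws/config with an sso_start_url."""
    cfg = load_ini(config_text)
    section = f"profile {profile}"  # non-default profiles are prefixed with 'profile '
    if section not in cfg:
        raise ValueError(f"profile {profile} not found in config")
    return "sso_start_url" in cfg[section]


def has_static_keys(credentials_text, profile):
    """True if ~/.aws/credentials still holds an access key for this profile."""
    creds = load_ini(credentials_text)
    return profile in creds and "aws_access_key_id" in creds[profile]


def sso_token_expired(cache_text, now):
    """Compare the cache entry's expiresAt (UTC, 'Z' or 'UTC' suffix) against the given clock."""
    entry = json.loads(cache_text)
    raw = entry["expiresAt"].replace("UTC", "").rstrip("Z")
    expires = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return now >= expires


def preflight(profile, config_text, credentials_text, cache_text, now):
    """Return a list of problems; an empty list means it is safe to run terraform."""
    problems = []
    if not uses_sso(config_text, profile):
        problems.append(f"{profile}: no sso_start_url in config; not an SSO profile")
    if has_static_keys(credentials_text, profile):
        problems.append(f"{profile}: static aws_access_key_id still present in credentials file")
    if sso_token_expired(cache_text, now):
        problems.append(f"{profile}: cached SSO token expired; run 'aws sso login --profile {profile}'")
    return problems


if __name__ == "__main__":
    for profile, clock in (("mylab-dev", BEFORE_EXPIRY), ("mylab-dev", AFTER_EXPIRY), ("legacy-keys", AFTER_EXPIRY)):
        found = preflight(profile, SAMPLE_CONFIG, SAMPLE_CREDENTIALS, SAMPLE_SSO_CACHE, clock)
        print(f"{profile} @ {clock.isoformat()}: {'OK' if not found else '; '.join(found)}")
```

To use it against a real machine, read the three files from ~/.aws instead of the embedded samples and pass datetime.now(timezone.utc) as the clock; the cache file for a profile is the one whose startUrl matches the profile's sso_start_url.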

Happy Building,

D
