
Support MFA on AWS #390

Closed
philk opened this issue Oct 10, 2014 · 8 comments

Comments

@philk
Contributor

philk commented Oct 10, 2014

It looks like Terraform doesn't currently support using Multi-factor Auth for AWS (unless I'm missing something). Not currently a major issue for us but we'd love to be able to use it in the future.

Useful links:

@mitchellh
Contributor

What sort of workflow or user experience are you looking for here? It isn't documented but Terraform accepts the AWS_TOKEN environmental variable, which you can use to set the token.

@mitchellh mitchellh added the waiting-response An issue/pull request is waiting for a response from the community label Oct 10, 2014
@philk
Contributor Author

philk commented Oct 10, 2014

I didn't see an AWS_TOKEN variable grepping through the source or actually any references to tokens in AWS.

As for workflow, if Terraform could automatically detect that MFA is required and ask for the token that would be amazing...but I'm not really sure how you could do that with the AWS APIs without adding a lot of complexity.

I'm kind of imagining something like specifying MFA=true in the provider and having to set your credentials via environment variables or dropping them into a var file before runtime out of band (similar to the way you have to handle keys already), erroring out if session_token isn't set and multifactor_auth is set.

provider "aws" {
    access_key = "${var.access_key}"
    secret_key = "${var.secret_key}"
    session_token = "${var.session_token}"
    multifactor_auth = true
    region = "${var.aws_region}"
}

If Terraform could respond to just multifactor_auth = true and ask the user for a session token at runtime I think that would be an even more seamless workflow.

@mitchellh
Contributor

It is possible, but I think MFA is sufficiently rare (for better or worse, another discussion) that the environmental variable will do. I think it's already supported so this is likely just a docs change.

@mitchellh mitchellh added core documentation and removed waiting-response An issue/pull request is waiting for a response from the community core labels Oct 10, 2014
@brianwallace

Found it in goamz. Looks like the environmental variable name is AWS_SECURITY_TOKEN.

@sciurus

sciurus commented Oct 15, 2014

Will terraform use AWS_SESSION_TOKEN? This is the environment variable that tools built on the AWS SDK read when a user has authenticated with MFA. If so, you could run terraform via aws-mfa.

@koendc

koendc commented Jan 13, 2015

In order to use the AWS security token, you need to:

  • provide empty strings for access_key and secret_key:
    provider "aws" {
        access_key = ""
        secret_key = ""
    }
  • Make sure you don't have the environment variables set as mentioned in the terraform documentation
  • Use these environment variables instead: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SECURITY_TOKEN.
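The procedure above, as an added example that is not part of the thread and not code from the Terraform project: a small POSIX sh helper that takes the JSON printed by `aws sts get-session-token` (a constructed sample with placeholder values is embedded so it runs offline), exports the temporary credentials under both the goamz name `AWS_SECURITY_TOKEN` and the SDK name `AWS_SESSION_TOKEN`, and then checks that the long-lived key variables are not also set before terraform is run. The names `AWS_ACCESS_KEY` and `AWS_SECRET_KEY` are assumed to be the documented provider variables koendc refers to; the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample of `aws sts get-session-token --serial-number <mfa-arn> --token-code <code>`
# output. The values are placeholders, not real credentials.
SAMPLE_STS_JSON='{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEY000001",
        "SecretAccessKey": "exampleSecretKeyDoNotUse0000000000000000",
        "SessionToken": "exampleSessionToken==",
        "Expiration": "2014-10-10T12:00:00Z"
    }
}'

# Extract one string field from pretty-printed JSON (one key per line, as the CLI prints it).
# Usage: json_field <key> <json>
json_field() {
    printf '%s\n' "$2" | sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Export the temporary credentials under both token variable names so that goamz-based
# Terraform (AWS_SECURITY_TOKEN) and SDK-based tools (AWS_SESSION_TOKEN) pick them up.
# Returns 1 if any of the three required fields is missing from the JSON.
export_sts_creds() {
    AWS_ACCESS_KEY_ID=$(json_field AccessKeyId "$1")
    AWS_SECRET_ACCESS_KEY=$(json_field SecretAccessKey "$1")
    AWS_SECURITY_TOKEN=$(json_field SessionToken "$1")
    [ -n "$AWS_ACCESS_KEY_ID" ] && [ -n "$AWS_SECRET_ACCESS_KEY" ] && [ -n "$AWS_SECURITY_TOKEN" ] || return 1
    AWS_SESSION_TOKEN=$AWS_SECURITY_TOKEN
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SECURITY_TOKEN AWS_SESSION_TOKEN
}

# Pre-flight check before `terraform plan/apply`: the session variables must be present,
# and the long-lived key variables (assumed names AWS_ACCESS_KEY / AWS_SECRET_KEY) must be
# unset so that they cannot shadow the MFA-backed session credentials.
check_mfa_env() {
    for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SECURITY_TOKEN; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || { echo "$v is not set" >&2; return 1; }
    done
    for v in AWS_ACCESS_KEY AWS_SECRET_KEY; do
        eval "val=\${$v:-}"
        [ -z "$val" ] || { echo "$v is set; unset it so the session token is used" >&2; return 1; }
    done
    return 0
}

# Stand-alone demo: load the constructed sample and report whether terraform may be run.
export_sts_creds "$SAMPLE_STS_JSON" && check_mfa_env && echo "environment ready for: terraform plan"
```

In real use, replace `$SAMPLE_STS_JSON` with the captured output of the `aws sts get-session-token` call and keep `access_key`/`secret_key` empty in the provider block exactly as described above; the check fails fast instead of letting stale long-lived keys silently win over the session.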

@mitchellh
Contributor

Fixed

yahyapo pushed a commit to yahyapo/terraform that referenced this issue Mar 13, 2015
@ghost

ghost commented Apr 7, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 7, 2020