[GH-1275] Support for AWS access via IAMs AssumeRole functionality #8506

Closed

imduffy15
Contributor

This commit enables terraform to utilise the assume role functionality
of sts to execute commands with different privileges than the API
keys specified.

Feedback very much so welcome, this was thrown together as a quick hack.

Signed-off-by: Ian Duffy <ian@ianduffy.ie>

@jen20
Contributor

jen20 commented Sep 2, 2016

Hi @imduffy15! Thanks for submitting a pull request here. I need to make some modifications to this in order to allow for some of the other behaviour we need to support, but I'm going to base them off your work and merge my in-progress stuff into this. I'll probably open a new pull request once this is done for a combined review, so will leave this open for now and reference it then.

@imduffy15
Contributor Author

Cool! Thanks James.

On Friday 2 September 2016, James Nugent notifications@github.com wrote:

Hi @imduffy15 https://github.com/imduffy15! Thanks for submitting a
pull request here. I need to make some modifications to this in order to
allow for some of the other behaviour we need to support, but I'm going to
base them off your work and merge my in-progress stuff into this. I'll
probably open a new pull request once this is done for a combined review,
so will leave this open for now and reference it then.



@jen20
Contributor

jen20 commented Sep 2, 2016

Hi @imduffy15! Did you manage to verify the version from this PR as working correctly?

@imduffy15
Contributor Author

Yes. I tested with the following:

provider "aws" {
  alias    = "a"
  region   = "eu-west-1"
  role_arn = "arn:aws:iam::<REMOVED>:role/ADMIN"
}

provider "aws" {
  alias    = "b"
  region   = "eu-west-1"
  role_arn = "arn:aws:iam::<DIFFERENT-REMOVED>:role/ADMIN"
}

resource "aws_iam_role" "testa" {
  provider           = "aws.a"
  name               = "test"
  assume_role_policy = "${file("policies/AssumeRoleLambda.json")}"
}

resource "aws_iam_role" "testb" {
  provider           = "aws.b"
  name               = "test"
  assume_role_policy = "${file("policies/AssumeRoleLambda.json")}"
}

The role was successfully created on both accounts.

@jen20
Contributor

jen20 commented Sep 2, 2016

Thanks @imduffy15 - how were you supplying credentials to Terraform in order to assume the role on this run?

@imduffy15
Contributor Author

I was using ~/.aws/credentials with the profile [default]
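
The credential flow behind the test run above (base keys from the `[default]` profile, exchanged through STS AssumeRole for temporary keys scoped to the `role_arn`), sketched offline as an added example that is not code from this pull request or from Terraform. The account id, session name, key values and sample STS response are constructed placeholders, and request signing and the network call are left out.

```python
import configparser
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

STS_NS = {"sts": "https://sts.amazonaws.com/doc/2011-06-15/"}
# Constructed sample of ~/.aws/credentials; key values are placeholders.
SAMPLE_CREDENTIALS_FILE = """\
[default]
aws_access_key_id = AKIAEXAMPLEBASEKEY00
aws_secret_access_key = constructed-base-secret
"""

# Constructed sample AssumeRole reply; account id and keys are placeholders.
SAMPLE_RESPONSE = """\
<AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleResult>
    <Credentials>
      <AccessKeyId>ASIAEXAMPLETEMPKEY00</AccessKeyId>
      <SecretAccessKey>constructed-temp-secret</SecretAccessKey>
      <SessionToken>constructed-session-token</SessionToken>
      <Expiration>2016-09-02T13:00:00Z</Expiration>
    </Credentials>
    <AssumedRoleUser>
      <Arn>arn:aws:sts::111111111111:assumed-role/ADMIN/terraform-example</Arn>
    </AssumedRoleUser>
  </AssumeRoleResult>
</AssumeRoleResponse>
"""

def load_base_credentials(text, profile="default"):
    """Read the long-lived key pair for one profile from credentials-file text."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser[profile]["aws_access_key_id"], parser[profile]["aws_secret_access_key"]

def build_assume_role_query(role_arn, session_name):
    """Form-encode the STS AssumeRole parameters (signing with the base keys not shown)."""
    return urlencode({"Action": "AssumeRole", "Version": "2011-06-15",
                      "RoleArn": role_arn, "RoleSessionName": session_name})

def parse_assume_role_response(xml_text):
    """Extract the temporary credentials and the assumed-role ARN from the STS reply."""
    root = ET.fromstring(xml_text)
    creds = root.find("sts:AssumeRoleResult/sts:Credentials", STS_NS)
    if creds is None:
        raise ValueError("no Credentials element in STS response")
    out = {child.tag.split("}", 1)[1]: child.text for child in creds}
    out["AssumedRoleArn"] = root.findtext("sts:AssumeRoleResult/sts:AssumedRoleUser/sts:Arn", namespaces=STS_NS)
    return out
```

The base keys only sign the AssumeRole call; every later API request uses the temporary key, secret and session token until the `Expiration` time.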

@jen20
Contributor

jen20 commented Sep 2, 2016

Hi @imduffy15! Thanks for this, I've changed it round a bit and opened #8638 - I'd be appreciative of any comments you have there!

@jen20 jen20 closed this Sep 2, 2016
@ghost

ghost commented Apr 22, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 22, 2020