We use a lot of different AWS accounts, so rather than managing credentials across all of them we have built a model where one account is used strictly for managing user accounts (both locally and via ADFS). From there, all of our interactive and automated logins use STS to assume roles in the other accounts. As we started to dive more into Terraform, I was excited to find that the AWS provider supports this with its assume_role block.
However, as we started to implement this, we quickly ran into a problem: the provider's assume_role only applies to the resources Terraform manages. The terraform command itself reads and writes the state file with the caller's own credentials and doesn't assume a role in another account, so we would either need to store the state files in one account (in this case, our auth account), or figure out how to let users from the auth account put the files in an S3 bucket owned by the account we are working in. Since I don't want to store ANY data in the auth account, I had to work out how to give users from my auth account access to a bucket in the account I am working on. In the end, it was relatively straightforward. I just needed to add a bucket policy in the target account and a policy in the auth account that I then attached to my team's user group; cross-account S3 access needs both halves, since the bucket policy grants the access to the other account and the identity policy lets that account's users actually use it.
The first step is to create a bucket policy in the target account that allows my user to list the contents of the bucket and to get and put the state files. I could probably lock the policy down more and restrict it to the terraform-state prefix that I have in my bucket, but since I have full access outside of Terraform anyway, I didn't think it was as important. This is the policy I used:
Once the bucket policy was in place, I added the policy below to my auth account and attached it to my user group. I figure that as I put more accounts under Terraform control, I'll just add additional resource entries for their buckets.
Once the two policies were in place, Terraform was able to use the S3 bucket in the account we are building out.
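The pieces described above, written out as an added example (this is not the original post's configuration, whose policies are not reproduced here): the backend and provider blocks on the left of the problem, and the two policies that grant the cross-account bucket access. The account IDs (111111111111 for the auth account, 222222222222 for the target account), the bucket name, the terraform-state/ prefix, the group name and the role name are all placeholders.

```hcl
# --- main.tf in the target-account project ---
#
# The backend is accessed by the terraform CLI with the ambient credentials
# of the auth-account user, so it relies on the two policies further down.
terraform {
  backend "s3" {
    bucket  = "example-target-tfstate"          # bucket owned by the TARGET account
    key     = "terraform-state/network.tfstate"
    region  = "us-east-1"
    encrypt = true
  }
}

# Resources are created in the target account by assuming a role there.
# This is the provider-level assume_role block; it does not affect the backend.
provider "aws" {
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::222222222222:role/TerraformAdmin"   # placeholder role
  }
}

# --- bootstrap.tf, applied once with local state ---
#
# The bucket policy has to exist before the backend above can initialise,
# so these two policies are applied from a separate bootstrap configuration
# (or by hand in the console, as the post describes).
provider "aws" {
  alias  = "auth"     # plain credentials of the auth account (111111111111)
  region = "us-east-1"
}

provider "aws" {
  alias  = "target"   # assume the admin role in the target account (222222222222)
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::222222222222:role/TerraformAdmin"
  }
}

locals {
  auth_account = "111111111111"
  bucket       = "example-target-tfstate"
  state_prefix = "terraform-state/"
}

# Target account: the bucket (resource) policy. ListBucket is a bucket-level
# action; Get/Put are scoped to the state prefix, the tighter variant the
# post mentions but did not apply.
resource "aws_s3_bucket_policy" "state" {
  provider = aws.target
  bucket   = local.bucket
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AuthAccountListBucket"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${local.auth_account}:root" }
        Action    = "s3:ListBucket"
        Resource  = "arn:aws:s3:::${local.bucket}"
      },
      {
        Sid       = "AuthAccountReadWriteState"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${local.auth_account}:root" }
        Action    = ["s3:GetObject", "s3:PutObject"]
        Resource  = "arn:aws:s3:::${local.bucket}/${local.state_prefix}*"
      }
    ]
  })
}

# Auth account: the identity policy attached to the team's group. Granting
# the bucket policy to the account root delegates the decision to the auth
# account, so without this half the users still get AccessDenied.
resource "aws_iam_group_policy" "tfstate" {
  provider = aws.auth
  name     = "terraform-state-target-account"
  group    = "terraform-team"   # placeholder: an existing group in the auth account
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = "s3:ListBucket"
        Resource = "arn:aws:s3:::${local.bucket}"
      },
      {
        Effect   = "Allow"
        Action   = ["s3:GetObject", "s3:PutObject"]
        Resource = "arn:aws:s3:::${local.bucket}/${local.state_prefix}*"
      }
    ]
  })
}
```

Two things to check when this does not work on the first try: the bucket policy and the group policy must name the same bucket ARN (one on the bucket itself for ListBucket, one on the object path for Get/Put), and the ambient credentials used for `terraform init` must be the auth-account user's, not a profile that already assumes the target role. Later releases of the S3 backend added a `role_arn` setting so the backend itself can assume a role; the two-policy approach above is what is needed when the backend has to run as the auth-account user.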