I'm working on a Terraform project where I need to create an AWS IAM user and generate programmatic access keys for them. My current approach involves exporting these keys through the outputs.tf file and then using them in a separate module linked to AWS Secrets Manager for secure storage.
I have concerns about this method, particularly regarding the security implications of exposing access keys, even temporarily, in the Terraform state file (terraform.state). While I understand the importance of securing the state file, I'm wondering if this approach is standard or advisable.
An alternative I'm considering is creating the IAM user and keys outside of Terraform and then injecting the access keys into the project via the terraform.tfvars file.
Could someone advise on the best practices for this scenario? Specifically, I'm interested in:
The pros and cons of managing IAM users and their access keys directly within Terraform, especially concerning security best practices.
Whether creating IAM users outside of Terraform and then passing the keys through terraform.tfvars is a safer or more recommended approach.
Any other considerations or recommended strategies for securely managing IAM credentials in Terraform configurations.
Thank you in advance for your insights and recommendations!
The pros and cons of managing IAM users and their access keys directly within Terraform, especially concerning security best practices.
I agree that storing access keys in the state file, no matter how secure, is not ideal. The only pro I can think of is convenience, given there are resources for managing this. You have already identified the cons to my mind.
Whether creating IAM users outside of Terraform and then passing the keys through terraform.tfvars is a safer or more recommended approach.
This is certainly a better approach in terms of security.
A middle-ground I would suggest would be to define the IAM users in Terraform, and then delegate to an external source for generating the access keys.
I have used a null_resource
in the past to trigger a script so that nothing sensitive ends up in my state file.
Any other considerations or recommended strategies for securely managing IAM credentials in Terraform configurations.
As I hinted above, I'll outline how this can be done:
resource "aws_iam_user" "example" {
name = "my-example"
path = "/"
}
resource "null_resource" "generate_keys" {
depends_on = [
aws_iam_user.example,
]
triggers = {
# rerun this only if the user is recreated
id = aws_iam_user.example.unique_id
}
provisioner "local-exec" {
interpreter = ["/bin/bash", "-c"]
command = "${path.module}/scripts/create_keys.sh ${aws_iam_user.example.arn}"
}
}
Where create_keys.sh
is a script which would take the ARN of the IAM User as an input and call aws iam create-access-key...
.
I am using bash here just as an example -- you could write this in any language/tool that you could invoke via the null_resource
.
The logic of your script could directly write the keys to the Secrets Manager secret using aws secretsmanager put-secret-value...
-- which would be an ideal solution; great to here you're already using Secrets Manager :).