Tags: amazon-web-services, terraform, openid-connect, assume-role, terraform-cloud

Assume role in different account using an assumed role with web identity


I am using Terraform HCP and AWS, and I am using what is considered to be a best practice: dynamic credentials (HCP dynamic credentials with AWS).

This is my setup:

In Terraform HCP I have an organization, a landing zone project and a workspace. This workspace contains a variable set with the role ARN to connect to the AWS identity provider.

Terraform HCP

On the AWS side I have two accounts: my main management account and a sandbox account. I have created an identity provider, a role with a trust relationship to allow Terraform HCP to create tokens and authenticate without keys, and a policy for the role; all these resources are in the main account.

With this setup I can create resources on the main account.

What I need now is to create resources on the sandbox account using the same tfc_role role.

So far what I have tried is to create a role on the sandbox account, and to create a trust relationship granting the tfc-role on the main account the sts:AssumeRole action.

AWS

Main account

Resource Type                    Resource Name
aws_iam_openid_connect_provider  tfc_provider
aws_iam_role                     tfc_role
aws_iam_policy                   tfc_policy
aws_iam_role_policy_attachment   tfc_policy_attachment

Sandbox account

Resource Type                    Resource Name
aws_iam_role                     sandbox_admin

Trust relationship

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::MainAccount:role/tfc-role"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

In my Terraform main file, I am using this provider block:

provider "aws" {
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::SandboxAccount:role/sandbox_admin"
  }
}

But after running terraform apply, I get this error:

Error: Cannot assume IAM Role
│
│   with provider["registry.terraform.io/hashicorp/aws"],
│   on main.tf line 1, in provider "aws":
│    1: provider "aws" {
│
│ IAM Role (arn:aws:iam::SandboxAccount:role/sandbox_admin) cannot be
│ assumed.
│
│ There are a number of possible causes of this - the most common are:
│   * The credentials used in order to assume the role are invalid
│   * The credentials do not have appropriate permission to assume the role
│   * The role ARN is not valid
│
│ Error: operation error STS: AssumeRole, https response error StatusCode:
│ 403, RequestID: 3a65fec2-5949-4780-80d2-0dee0bbc1dae, api error
│ AccessDenied: User:
│ arn:aws:sts::MainAccount:assumed-role/tfc-role/terraform-run-5TUJaemxpcE435KD
│ is not authorized to perform: sts:AssumeRole on resource:
│ arn:aws:iam::SandboxAccount:role/sandbox_admin
│

So far that is what I have tried. What I am expecting is to be able to use the tfc_role to assume a role in another account, so that I am able to create resources in other AWS accounts from the main account.

I have been searching for documentation but still haven't found what I am looking for:

https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html


Solution

  • I was able to get this working. The only thing I was missing was the statement in the tfc_policy; this allows the role tfc_role to assume the sandbox_admin role on the sandbox account:

    {
        "Effect": "Allow",
        "Action": [
            "sts:AssumeRole"
        ],
        "Resource": [
            "arn:aws:iam::{SandboxAccount}:role/sandbox_admin"
        ]
    }
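The point the solution turns on is that a cross-account AssumeRole is authorized on both sides: the target role's trust policy must name the caller, and the caller's own identity policy must also grant sts:AssumeRole on the target ARN. The following is an added Python example, not code from the original post; it replays the question's "before" and "after" policies through a deliberately simplified IAM evaluator, with placeholder account IDs (the evaluator ignores Deny statements and Conditions, which is an assumption made for brevity).

```python
import fnmatch

# Constructed sample data mirroring the question (placeholder account IDs, not real ones).
MAIN, SANDBOX = "111111111111", "222222222222"
TFC_SESSION_ARN = f"arn:aws:sts::{MAIN}:assumed-role/tfc-role/terraform-run-example"
SANDBOX_ADMIN_ARN = f"arn:aws:iam::{SANDBOX}:role/sandbox_admin"

# Trust policy on sandbox_admin, as in the question: it names tfc-role as an allowed principal.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": f"arn:aws:iam::{MAIN}:role/tfc-role"}}]}

# Identity policy attached to tfc-role: before the fix (no sts:AssumeRole) and after it.
TFC_POLICY_BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
TFC_POLICY_AFTER = {"Version": "2012-10-17", "Statement": TFC_POLICY_BEFORE["Statement"] + [
    {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": [SANDBOX_ADMIN_ARN]}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def session_to_role_arn(session_arn):
    """Map the STS assumed-role session ARN seen in the error to the IAM role ARN trust policies name."""
    prefix, rest = session_arn.split(":assumed-role/")
    return f"arn:aws:iam::{prefix.split(':')[4]}:role/{rest.split('/')[0]}"


def _matches(stmt, action, resource):
    # Simplified IAM matching (assumption): Allow statements only, '*' wildcards, no Deny or Condition.
    return (stmt.get("Effect") == "Allow"
            and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))))


def trust_allows(trust_policy, caller_role_arn):
    """Resource-based half: the target role's trust policy must name the caller's role."""
    return any(stmt.get("Effect") == "Allow"
               and "sts:AssumeRole" in _as_list(stmt.get("Action", []))
               and caller_role_arn in _as_list(stmt.get("Principal", {}).get("AWS", []))
               for stmt in trust_policy["Statement"])


def cross_account_assume_role(trust_policy, caller_policy, session_arn, target_role_arn):
    """Cross-account AssumeRole needs BOTH halves to allow it; returns (allowed, reason)."""
    if not trust_allows(trust_policy, session_to_role_arn(session_arn)):
        return False, "trust policy on the target role does not trust the caller"
    if not any(_matches(s, "sts:AssumeRole", target_role_arn) for s in caller_policy["Statement"]):
        return False, "caller's identity policy lacks sts:AssumeRole on the target role"
    return True, "allowed"
```

Running `cross_account_assume_role` with `TFC_POLICY_BEFORE` reproduces the question's AccessDenied situation (trust is fine, identity policy is missing), while `TFC_POLICY_AFTER` is allowed.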