I am using Terraform HCP and AWS, and I am using what is considered to be a best practice: dynamic credentials (HCP dynamic credentials with AWS).
This is my setup:
In Terraform HCP I have an organization, a landing zone project and a workspace; this workspace contains a variable set with the role ARN to connect to the AWS identity provider.
Terraform HCP
On the AWS side I have two accounts, my main management account and a sandbox account. I have created an identity provider, a role with a trust relationship to allow Terraform HCP to create tokens and authenticate without keys, and a policy for the role; all these resources are in the main account.
With this setup I can create resources on the main account.
What I need now is to create resources on the sandbox account using the same tfc_role role.
So far what I have tried is to create a role on the sandbox account, and create a trust relationship granting the tfc-role on the main account the sts:AssumeRole action.
AWS
Main account
| Resource Type | Resource Name |
|---|---|
| aws_iam_openid_connect_provider | tfc_provider |
| aws_iam_role | tfc_role |
| aws_iam_policy | tfc_policy |
| aws_iam_role_policy_attachment | tfc_policy_attachment |
Sandbox account
| Resource Type | Resource Name |
|---|---|
| aws_iam_role | sandbox_admin |
Trust relationship
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::MainAccount:role/tfc-role"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
In my terraform main file, I am using:
```hcl
provider "aws" {
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::SandboxAccount:role/sandbox_admin"
  }
}
```
but after running `terraform apply`, I get this error:
```text
Error: Cannot assume IAM Role
│
│ with provider["registry.terraform.io/hashicorp/aws"],
│ on main.tf line 1, in provider "aws":
│ 1: provider "aws" {
│
│ IAM Role (arn:aws:iam::SandboxAccount:role/sandbox_admin) cannot be
│ assumed.
│
│ There are a number of possible causes of this - the most common are:
│ * The credentials used in order to assume the role are invalid
│ * The credentials do not have appropriate permission to assume the role
│ * The role ARN is not valid
│
│ Error: operation error STS: AssumeRole, https response error StatusCode:
│ 403, RequestID: 3a65fec2-5949-4780-80d2-0dee0bbc1dae, api error
│ AccessDenied: User:
│ arn:aws:sts::MainAccount:assumed-role/tfc-role/terraform-run-5TUJaemxpcE435KD
│ is not authorized to perform: sts:AssumeRole on resource:
│ arn:aws:iam::SandboxAccount:role/sandbox_admin
│
```
So far that is what I have tried; what I am expecting is to be able to use the tfc_role to assume a role on another account, so I am able to create resources in other AWS accounts from the main account.
I have been searching for documentation but still haven't found what I am looking for:
https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html
I was able to get this working. The only thing I was missing was this statement in the tfc_policy, which allows the role tfc_role to assume the sandbox_admin role on the sandbox account:
```json
{
  "Effect": "Allow",
  "Action": [
    "sts:AssumeRole"
  ],
  "Resource": [
    "arn:aws:iam::{SandboxAccount}:role/sandbox_admin"
  ]
}
```
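Both halves of the cross-account chain the answer describes, written in Terraform as an added example (not the poster's configuration): the identity-based statement on tfc_role in the main account and the matching trust policy on sandbox_admin in the sandbox account. The account IDs are placeholders, and a provider alias `aws.sandbox` configured for the sandbox account is assumed.

```hcl
# Added example, not the poster's configuration. Account IDs are placeholders;
# the provider alias aws.sandbox is assumed to already exist for the sandbox.
locals {
  main_account    = "111111111111" # placeholder
  sandbox_account = "222222222222" # placeholder
}

# Main account: identity-based policy attached to tfc_role. This is the
# statement the question was missing; a trust policy on sandbox_admin alone
# is not enough, since cross-account AssumeRole must be allowed on BOTH sides.
data "aws_iam_policy_document" "tfc_policy" {
  statement {
    sid       = "AssumeSandboxAdmin"
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = ["arn:aws:iam::${local.sandbox_account}:role/sandbox_admin"]
  }
}

resource "aws_iam_policy" "tfc_policy" {
  name   = "tfc_policy"
  policy = data.aws_iam_policy_document.tfc_policy.json
}

resource "aws_iam_role_policy_attachment" "tfc_policy_attachment" {
  role       = "tfc_role" # existing role name from the question
  policy_arn = aws_iam_policy.tfc_policy.arn
}

# Sandbox account: trust policy on sandbox_admin. Trusting the specific role
# ARN rather than the account root keeps other principals in the main
# account from assuming it.
data "aws_iam_policy_document" "sandbox_admin_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.main_account}:role/tfc_role"]
    }
  }
}

resource "aws_iam_role" "sandbox_admin" {
  provider           = aws.sandbox
  name               = "sandbox_admin"
  assume_role_policy = data.aws_iam_policy_document.sandbox_admin_trust.json
}
```

The principal in the trust policy must match the source role's exact name, so a mismatch such as tfc_role versus tfc-role produces the same AccessDenied as the missing permission statement.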