I have an infra in Terraform that manages resources of two accounts: a main one and a child one (sandbox). The goal is to write cross-account policies & roles to allow export of resources from ACM, Route53 etc.
Here is my backend and provider configuration:
terraform {
  required_version = "~> 1.7.0"
  backend "s3" {
    # Backend lives in main account
    bucket         = "test-bucket-backend"
    key            = "terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "test-bucket-backend"
  }
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.34.0"
    }
  }
}
provider "aws" {
  # Main account
  shared_config_files      = [var.identity_center_config_files]
  shared_credentials_files = [var.identity_center_credentials_files]
  profile                  = var.identity_center_main_profile_name
}
provider "aws" {
  # Child account
  alias                    = "sandbox"
  shared_config_files      = [var.identity_center_config_files]
  shared_credentials_files = [var.identity_center_credentials_files]
  profile                  = var.identity_center_sandbox_name
}
If I run terraform init with this I get the following result:
Initializing the backend...
╷
│ Error: Failed to get existing workspaces: Unable to list objects in S3 bucket "test-bucket-backend": operation error S3: ListObjectsV2, https response error StatusCode: 403, RequestID: <REDACTED>, HostID: <REDACTED>, api error AccessDenied: Access Denied
Now if I change this snippet to include the credentials of the main account in my backend configuration like this:
terraform {
  required_version = "~> 1.7.0"
  backend "s3" {
    bucket         = "test-bucket-backend"
    key            = "terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "test-bucket-backend"
    access_key     = "ACCESS_KEY"
    secret_key     = "SECRET_KEY"
  }
  ... // the rest of the config
}
Then it does init as intended. However, I don't want to have to use this configuration because a. it defeats the purpose of using AWS Identity Center (since I have to set up credentials of a traditional IAM role anyway) and b. I could export them as environment variables, but my goal is to have minimum prerequisites for my colleagues.
When I run aws sts get-caller-identity I get a random user (I believe this is due to Identity Center as I use aws sso login --profile <main/sandbox>).
How can I modify my config so that I don't have to set IAM keys in the backend?
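The following is an added example, not the question's own configuration. It shows the S3 backend authenticating with the same Identity Center (SSO) profile the main provider uses, so no static access keys appear anywhere. The backend block does not accept variables, so the profile name is a literal (or supplied with `-backend-config` at init time). The profile names `main` and `sandbox`, and the role ARN in the commented alternative, are assumptions and placeholders; only the bucket, key, region and table values come from the question.

```hcl
terraform {
  required_version = "~> 1.7.0"

  backend "s3" {
    bucket         = "test-bucket-backend"
    key            = "terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "test-bucket-backend"

    # Assumed profile name from the shared AWS config (~/.aws/config), refreshed
    # beforehand with: aws sso login --profile main
    # Backend blocks cannot reference var.*, so either hard-code the name here or
    # leave it out and run: terraform init -backend-config="profile=main"
    profile = "main"
  }

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.34.0"
    }
  }
}

# Main account: same SSO profile as the backend.
provider "aws" {
  profile = "main"
}

# Child (sandbox) account via its own SSO profile.
provider "aws" {
  alias   = "sandbox"
  profile = "sandbox"

  # Alternative if the sandbox should instead be reached by assuming a role
  # from the main account's SSO session (placeholder ARN, not from the question):
  # profile = "main"
  # assume_role {
  #   role_arn = "arn:aws:iam::<SANDBOX_ACCOUNT_ID>:role/<ROLE_NAME>"
  # }
}
```

Two checks help confirm the fix: `aws sts get-caller-identity --profile main` should return an assumed-role ARN of the form `AWSReservedSSO_<permission-set>_<hash>/<user>` in the main account, and that principal's permission set must allow `s3:ListBucket`, `s3:GetObject`, `s3:PutObject` on the state bucket and `dynamodb:GetItem`/`PutItem`/`DeleteItem` on the lock table; the 403 in the question is what the backend returns when it was invoked with no profile at all. Keeping keys out of the backend block also matters because Terraform persists the backend configuration, including any `access_key`/`secret_key`, in plaintext in `.terraform/terraform.tfstate` on every machine that runs `terraform init`.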