I want to perform MFA for Terraform so it's expected to ask the 6-digit token from my virtual MFA device for every terraform [command]
. After reading the documentation:
cli-roles
terraform mfa
I created a role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[ACCOUNT_ID]:user/testuser"
},
"Action": "sts:AssumeRole",
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "true"
}
}
}
]
}
This user is forced to use MFA by default and I have a configured virtual MFA device for him.
~/.aws/credentials:
[default]
...
[terraform_role]
role_arn = arn:aws:iam::[ACCOUNT_ID]:role/terraform-test-role
source_profile = default
mfa_serial = arn:aws:iam::[ACCOUNT_ID]:mfa/testuser
in my Terraform environment I placed the following:
provider "aws" {
profile = "terraform_role"
}
But when i run terraform plan
it throws me an error:
Error refreshing state: 1 error(s) occurred:
* provider.aws: No valid credential sources found for AWS Provider.
Please see https://terraform.io/docs/providers/aws/index.html for more information on
providing credentials for the AWS Provider
You can provide Terraform with an AWS access key directly through the provider, but we recommend that you use a credential profile already configured by one of the AWS Software Developer Kits (SDKs).
Go to the Microsoft 365 admin center at https://admin.microsoft.com. Select Show All, then choose the Azure Active Directory Admin Center. Select Azure Active Directory, Properties, Manage Security defaults. Under Enable Security defaults, select Yes and then Save.
The solution is to specify an assume_role
statement:
provider "aws" {
profile = "default"
assume_role {
role_arn = "arn:aws:iam::[ACCOUNT_ID]:role/terraform-test-role"
}
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With