The AWS provider configuration lets you authenticate through IAM roles or access keys, with further options for each authentication method.


The configuration can be set up in the UI; below you will find examples of how to do this with the Scalr provider.

Service Trusted Entities

Service trusted entities give you the ability to add roles with AWS service trusts. In this case, a role is added to a Scalr agent and no credentials are needed in Scalr at all. This allows different roles to be used for different workspaces on a single server that hosts the agent, and it does not require wide permissions to be assigned to the VM instance profile.

For example:

resource "scalr_provider_configuration" "aws" {
  name                   = "aws_service_example"
  account_id             = "acc-sscctbisjk12345"
  export_shell_variables = false
  environments           = ["*"]
  aws {
    account_type         = "regular"
    credentials_type     = "role_delegation"
    trusted_entity_type  = "aws_service"
    role_arn             = "arn:aws:iam::670025221234:role/service_agent"
  }
}

Scalr Account Trusted Entity

Scalr account trusted entity credentials use IAM roles that have a trusted relation with a Scalr AWS account, specifically 919814621061. No keys are needed, just the trust.

resource "scalr_provider_configuration" "aws" {
  name                   = "aws_account_example"
  account_id             = "acc-sscctbisjk13345"
  export_shell_variables = false
  environments           = ["*"]
  aws {
    account_type        = "regular"
    credentials_type    = "role_delegation"
    trusted_entity_type = "aws_account"
    role_arn            = "arn:aws:iam::6700252123456:role/user"
    external_id         = "dOtbGEdaiXD12345"
  }
}

The role must be created in AWS and the ARN of the role entered into Scalr as seen above.

Please refer to IAM Role Delegation for details of setting up the role with a trusted relationship to the Principal account shown on the credentials screen. The external ID shown must be used in the role configuration.

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Effect": "Allow",
           "Principal": {
               "AWS": "arn:aws:iam::919814621061:user/scalr-saas"
           },
           "Action": "sts:AssumeRole",
           "Condition": {
               "StringEquals": {
                   "sts:ExternalId": "<external-id>"
               }
           }
       }
   ]
}
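A check for the trust policy above, as an added example that is not part of the Scalr documentation: it confirms that a role's trust document names only the Scalr principal and requires the external ID shown in Scalr. The function names and the sample policies are assumptions constructed for illustration.

```python
import copy

# Principal taken from the trust policy above.
SCALR_PRINCIPAL = "arn:aws:iam::919814621061:user/scalr-saas"

def as_list(value):
    """IAM policy fields accept either a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy, external_id, principal=SCALR_PRINCIPAL):
    """Return findings; an empty list means the trust is scoped as documented."""
    findings, grants = [], 0
    for stmt in as_list(policy.get("Statement")):
        actions = as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*", "*"} & set(actions):
            continue
        grants += 1
        princ = stmt.get("Principal", {})
        trusted = ["*"] if princ == "*" else [p for v in princ.values() for p in as_list(v)]
        findings += [f"unexpected principal: {p}" for p in trusted if p != principal]
        # Expects the exact operator and key form used in the policy above.
        ids = as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))
        if not ids:
            findings.append("missing StringEquals sts:ExternalId condition")
        elif ids != [external_id]:
            findings.append("sts:ExternalId differs from the ID shown in Scalr")
    if grants == 0:
        findings.append("no statement allows sts:AssumeRole")
    return findings

# Constructed samples: GOOD mirrors the policy above, BAD drops the condition
# and widens the principal.
GOOD = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": SCALR_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "dOtbGEdaiXD12345"}},
    }],
}
BAD = copy.deepcopy(GOOD)
BAD["Statement"][0]["Principal"] = {"AWS": "*"}
del BAD["Statement"][0]["Condition"]

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_trust_policy(doc, "dOtbGEdaiXD12345") or "ok")
```

The policy document can be obtained from the role's trust relationship in AWS and passed in as a parsed dictionary.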

Temporary Credentials

Temporary AWS credentials give you the ability to always use a new set of keys in each Terraform run. To use temporary keys, a primary access and secret key must be added to Scalr, and then Scalr will automatically generate temporary keys for each run. The keys are deleted after 2 hours or after the plan or apply times out.

resource "scalr_provider_configuration" "aws" {
  name                   = "temp_creds"
  account_id             = "acc-sscctbisjkl1234"
  export_shell_variables = false
  environments           = ["*"]
  aws {
    account_type     = "regular"
    credentials_type = "access_keys"
    secret_key       = "<secret_key>"
    access_key       = "<access_key>"
  }
}

Account Trusted Entity

Account trusted entities are different from the Scalr account trusted entities in that you are not adding the Scalr AWS account as the trusted entity. In this case, you are creating an AWS user, creating a new role, sharing the role trust with the user and then adding the user with the credentials in Scalr. See more on IAM Role Delegation.

resource "scalr_provider_configuration" "aws" {
  name                   = "aws_account_example"
  account_id             = "acc-sscctbisjk13345"
  export_shell_variables = false
  environments           = ["*"]
  aws {
    account_type        = "regular"
    credentials_type    = "role_delegation"
    trusted_entity_type = "aws_account"
    access_key          = "<access-key>"
    secret_key          = "<secret-key>"
    role_arn            = "arn:aws:iam::6700252123456:role/user"
    external_id         = "dOtbGEdaiXD12345"
  }
}

See all of the provider configuration docs here