Are you wondering how to use AWS AssumeRole with Terraform Provider? Our AWS Support team is here to lend a hand with your queries and issues.
AWS AssumeRole with Terraform Provider
Basically, AWS AssumeRole allows an IAM user to use security credentials from one AWS account to request temporary security credentials to access other AWS accounts by assuming roles in those accounts.
This allows an IAM user to access multiple AWS accounts without creating security credentials in each AWS account.
Today, let us see how we can use AssumeRole with the Terraform AWS Provider.
For example, Terraform is configured to connect to AWS Account A and request temporary security credentials for AWS Account B.
It then uses AssumeRole to assume a role in AWS Account B and manages the resources within AWS Account B with those temporary credentials.
Terraform will only need the security credentials for AWS Account A even though it will manage resources in AWS Account B via AssumeRole.
1. Firstly, create an IAM role within AWS Account B that Terraform will AssumeRole into.
- From within the AWS console of AWS Account B, navigate to IAM > Roles > Create role > Another AWS account.
- Enter the Account ID of Account A (the account Terraform will call AssumeRole from).
- (Optional) Check the box for “Require external ID”. This ensures requests coming from Account A can only use AssumeRole if these requests pass the specified external ID.
- (Optional) Check the box for “Require MFA”. This ensures requests coming from Account A can only use AssumeRole if the IAM user has authenticated via MFA.
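The two checkboxes in step 1 are just a console front end for the role's trust policy. The block below is an added example, not code from the original post, that expresses the same trust policy in Terraform so it can be applied to Account B with an ordinary (non-assumed) provider and reviewed like any other code. The account ID, role name, external ID and attached permissions policy are placeholders.

```hcl
# Added example (not from the original post): the trust policy the step 1
# console wizard produces, as Terraform. All IDs and names are placeholders.
variable "account_a_id" {
  description = "Placeholder: 12-digit ID of Account A, from which Terraform calls AssumeRole"
  type        = string
  default     = "111111111111"
}

data "aws_iam_policy_document" "trust_account_a" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    # "Another AWS account": trust Account A. Using :root delegates the
    # decision of who may assume the role to Account A's own IAM policies;
    # name a specific user or role ARN instead to narrow it.
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.account_a_id}:root"]
    }

    # "Require external ID": the caller must pass exactly this value.
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = ["my_external_id"]
    }

    # "Require MFA": the calling session must have authenticated with MFA.
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

resource "aws_iam_role" "role_in_account_b" {
  name               = "role_in_account_b"
  assume_role_policy = data.aws_iam_policy_document.trust_account_a.json
}

# The trust policy only says who may assume the role; what the role may do
# comes from its permissions policies. PowerUserAccess is a placeholder to
# replace with the least-privilege policy Terraform actually needs in Account B.
resource "aws_iam_role_policy_attachment" "role_in_account_b_permissions" {
  role       = aws_iam_role.role_in_account_b.name
  policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
}
```

Keeping the trust policy in code makes the external ID and MFA conditions visible in review and in `terraform plan`, so a later console edit that silently loosens them shows up as drift.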
2. Next, the AWS Terraform provider must be configured to use AssumeRole.
The code snippet below shows how to configure Terraform to connect to AWS Account A and AssumeRole into a role within AWS Account B.
provider "aws" {
  # The security credentials for AWS Account A (placeholder values).
  # Prefer supplying these via environment variables or a shared credentials
  # file rather than hardcoding them in Terraform code.
  access_key = "AKIAXXXXXXXXXXXXXXXX"
  secret_key = "123XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
  region     = "us-east-1"
  # (Optional) Session token for Account A, used only when the access key
  # and secret key above are themselves temporary credentials (for example,
  # obtained after an MFA login). This is the session token, not the 6-digit
  # MFA code.
  token = "XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
  assume_role {
    # The role ARN within Account B to AssumeRole into. Created in step 1.
    # (Placeholder 12-digit account ID.)
    role_arn = "arn:aws:iam::012345678901:role/role_in_account_b"
    # (Optional) The external ID created in step 1c.
    external_id = "my_external_id"
  }
}
3. Initialize Terraform using Terraform CLI or via Terraform Enterprise.
4. Attempt to create a test resource and verify that the resource has been created in AWS Account B.
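A test resource only proves the setup if you also confirm which account it landed in. The block below is an added example, not part of the original post: it uses the provider from step 2, reads the identity STS reports after AssumeRole, and refuses to create the test resource unless that identity belongs to Account B. The Account B ID and parameter name are placeholders.

```hcl
# Added example (not from the original post): a smoke test for step 4 that
# fails the plan if Terraform is not really operating in Account B.
variable "account_b_id" {
  description = "Placeholder: 12-digit ID of Account B, whose role Terraform assumes"
  type        = string
  default     = "012345678901"
}

# Identity as seen by STS after AssumeRole. For a correctly assumed role this
# reports Account B's ID and an ARN of the form
# arn:aws:sts::<account B>:assumed-role/<role name>/<session name>.
data "aws_caller_identity" "current" {}

resource "aws_ssm_parameter" "assume_role_smoke_test" {
  name  = "/terraform/assume-role-smoke-test"
  type  = "String"
  value = "created by Terraform via AssumeRole"

  lifecycle {
    # Evaluated during plan, before anything is created: if the assumed
    # identity is in the wrong account (e.g. the assume_role block was
    # dropped and the plain Account A credentials are in use), stop here.
    precondition {
      condition     = data.aws_caller_identity.current.account_id == var.account_b_id
      error_message = "Expected to operate in Account B (${var.account_b_id}); check the assume_role block in the provider."
    }
  }
}

output "effective_identity" {
  description = "Account and ARN Terraform is actually using; should show Account B and an assumed-role ARN"
  value = {
    account_id = data.aws_caller_identity.current.account_id
    arn        = data.aws_caller_identity.current.arn
  }
}
```

After `terraform apply`, the `effective_identity` output shows the account and the assumed-role ARN; if the ARN still names an IAM user in Account A, AssumeRole did not happen. The same event is visible on the Account B side as an AssumeRole call in CloudTrail, which is also where the session name from the ARN lets you attribute changes back to the Terraform run.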
Conclusion
To sum up, our Support Engineers demonstrated how to use AWS AssumeRole with Terraform Provider with ease.