Prior to seeing your response, I came up with a solution, or at least a way forward that works for now to continue with a POC – It’s to call the AWS Secure Token Service from within the terraspace boot hook to extract some temporary creds. I can then set those in the environment for use during the terraspace config phase. Code looks something like this (pardon my ruby…):
```ruby
# config/boot.rb
require 'aws-sdk-sts'
require 'json'

# dynamically build up a role to assume and assume it
# for the terraspace config phase
region = ENV['AWS_REGION'] || 'us-east-1'
team = ENV['TS_TEAM']
type = ENV['TS_TYPE'] || 'service'
env = ENV['TS_ENV'] || 'qa'
count = Integer(ENV['TS_COUNT'] || 1)
account_alias = ENV['TS_ALIAS'] || "#{team}-#{env}-#{type}-#{sprintf('%02d', count)}"

# TODO - dynamically look this information up. For now have a local config
account_data = JSON.parse(File.read('config/account_data.json'))
entry = account_data.find { |act| act['alias'] == account_alias }
# fail with a readable message instead of a NoMethodError on nil
raise "no entry for account alias #{account_alias.inspect} in config/account_data.json" unless entry
account_id = entry['account_id']
role = "arn:aws:iam::#{account_id}:role/MyRole"

ENV['AWS_REGION'] = region
params = {
  role_arn: role,
  # role_session_name is required; fall back to a fixed name when USER is unset
  role_session_name: ENV['USER'] || 'terraspace',
}
res = Aws::STS::Client.new.assume_role(params)

# export the temporary session credentials for the config phase
ENV['AWS_ACCESS_KEY_ID'] = res.credentials.access_key_id
ENV['AWS_SECRET_ACCESS_KEY'] = res.credentials.secret_access_key
ENV['AWS_SESSION_TOKEN'] = res.credentials.session_token
# remove reference to outer profile -- use above creds instead
ENV.delete('AWS_PROFILE')
```
I gave that a try and it works! Terraspace namespace gets set to my assume_role account, and the friendly name feature you added worked nicely to replace it with my account alias.
With this authentication piece out of the way, I look forward next week to experimenting more with building out our various tfvars layers and seeing if we can iterate over the combination of teams/env/accounts/regions and get our plans running clean via terraspace.
Thanks again for continued help and suggestions. Very clever framework. Cheers.
P.S. - I’m curious how your aws-mfa-secure tool works, and will take a look, but most likely we’d continue using aws-vault which works well for us. It’s handy to store creds in desktop keychain, popup modal window for entering MFA, and caching session creds as well. We also have some workflows using SAML and maybe eventually AWS SSO. It’ll be interesting to see how that plays out with terraspace but it seems with the boot hook there’s probably a way through any hurdles.
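The boot-hook pattern from the post, reworked as an added example (not the poster's or Terraspace's own code) into small functions that can be exercised without AWS: the alias lookup fails loudly on an unknown alias, the assumed-role ARN returned by STS is checked against the intended account before any credentials are exported, and the session is requested with the shortest duration STS allows. The STS client is injected so the functions can be driven by a stub; `ROLE_NAME`, the `TS_*` variables and `config/account_data.json` follow the post and are assumptions.

```ruby
require 'json'

ROLE_NAME = 'MyRole' # assumption: the role name used in the post

# Map an account alias to its account id; fail with a clear message instead of
# the NoMethodError that `find {...}['account_id']` gives on an unknown alias.
def account_id_for(alias_name, account_data)
  entry = account_data.find { |act| act['alias'] == alias_name }
  raise KeyError, "no account entry for alias #{alias_name.inspect}" unless entry
  entry.fetch('account_id').to_s
end

def role_arn_for(account_id, role_name = ROLE_NAME)
  id = account_id.to_s
  raise ArgumentError, "bad account id #{id.inspect}" unless id.match?(/\A\d{12}\z/)
  "arn:aws:iam::#{id}:role/#{role_name}"
end

# Assume the role through `client` (anything answering #assume_role like
# Aws::STS::Client) and export the temporary credentials into `env`.
# Returns the assumed-role ARN after checking it lands in the intended account.
def assume_into_env(client, role_arn, session_name, env, duration: 900)
  res = client.assume_role(role_arn: role_arn, role_session_name: session_name,
                           duration_seconds: duration) # 900 s is the shortest STS session
  expected = role_arn.split(':')[4]
  got = res.assumed_role_user.arn.split(':')[4]
  raise "assumed into account #{got}, expected #{expected}" unless got == expected
  env['AWS_ACCESS_KEY_ID']     = res.credentials.access_key_id
  env['AWS_SECRET_ACCESS_KEY'] = res.credentials.secret_access_key
  env['AWS_SESSION_TOKEN']     = res.credentials.session_token
  env.delete('AWS_PROFILE') # drop the outer profile so the SDK uses the session creds
  res.assumed_role_user.arn
end

# Boot-hook entry point: same TS_* variables as the post, real STS client by default.
def boot!(env = ENV, client = nil, data_path = 'config/account_data.json')
  client ||= (require 'aws-sdk-sts'; Aws::STS::Client.new(region: env['AWS_REGION'] || 'us-east-1'))
  team, type, e = env['TS_TEAM'], env['TS_TYPE'] || 'service', env['TS_ENV'] || 'qa'
  count = Integer(env['TS_COUNT'] || 1)
  alias_name = env['TS_ALIAS'] || "#{team}-#{e}-#{type}-#{format('%02d', count)}"
  account_id = account_id_for(alias_name, JSON.parse(File.read(data_path)))
  assume_into_env(client, role_arn_for(account_id), env['USER'] || 'terraspace', env)
end
```

In `config/boot.rb` the hook reduces to a single `boot!` call; passing a plain Hash as `env` keeps the real `ENV` untouched while testing.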