AWS aws_iam_access_key - Where/How to save the secret

Hey all,

So I’d like to manage our AWS IAM users using Terraform. Part of this is creating users with programmatic access (Access Key & Secret Key). How would I accomplish this using Terraform? I can use https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key but where would it save the Access/Secret key? In the state file? Is it possible to save this elsewhere? (I don’t want it to print to stdout as we run this in a pipeline.)

Fairly new to Terraform, so help will be appreciated.


The community IAM module on GitHub (terraform-aws-modules/terraform-aws-iam: Terraform module which creates IAM resources on AWS) can be used to wrap some of the common IAM functionality into easier-to-use methods.

One of the options for the aws_iam_access_key resource allows you to supply a PGP key. The access key is then returned as an encrypted string.

Alternatively you could store the values in Vault by using the Vault Terraform provider.

Note that if you are using the unencrypted secret key (i.e. are not passing in a PGP key to use) you must treat the state file with care as it will now contain all the cleartext keys - ensure access to your remote state is correctly restricted as well as handling of your local state cache.
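The PGP option mentioned in the answer above, written out as an added example that is not part of the original thread. The user name `example-ci-user` and the variable `pgp_public_key` are constructed for illustration; the commented-out resource shows the cleartext variant for comparison.

```hcl
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

# Assumed input: either "keybase:<username>" or a base64-encoded PGP public
# key in binary (non-armored) form, e.g. `gpg --export <key-id> | base64`.
variable "pgp_public_key" {
  description = "PGP public key of the person who will receive the secret"
  type        = string
}

resource "aws_iam_user" "ci" {
  name = "example-ci-user" # constructed name
}

# Cleartext variant: with no pgp_key, the `secret` attribute is written to
# the state file unencrypted, so anyone who can read state can read the key.
# resource "aws_iam_access_key" "ci_plain" {
#   user = aws_iam_user.ci.name
# }

# Encrypted variant: the secret is encrypted to the PGP key before it is
# stored, so state and pipeline logs only ever contain ciphertext.
resource "aws_iam_access_key" "ci" {
  user    = aws_iam_user.ci.name
  pgp_key = var.pgp_public_key
}

# The access key ID is an identifier, not a credential on its own.
output "access_key_id" {
  value = aws_iam_access_key.ci.id
}

# Base64-encoded ciphertext; only the PGP private key holder can recover it:
#   terraform output -raw encrypted_secret | base64 --decode | gpg --decrypt
output "encrypted_secret" {
  value = aws_iam_access_key.ci.encrypted_secret
}
```

The trade-off is that Terraform itself can no longer read the secret, so it cannot pass it on to other resources in the same configuration.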