I’m trying to go off of this guide to hook up my AWS account to TFC. I’m new to TFC, and I’m a little confused how to set this up. I think I have most of this set up correctly, but I’m not making the connection on how the tfc_aws_dynamic_credentials variable is supposed to be used. Is this supposed to work as-is, or does the doc not mention a tfvars entry that points shared_config_file somewhere on my local machine or in the nebulous file structure in TFC? Can someone line this up for me that is a little less recursive? My brain is turning to mush and this is making less sense the more I read through it.
EDIT: A little more info:
I have gone through the setup guide and I’m getting the following error trying to run a plan from my local machine:
│ Error: configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
│
│ Please see https://registry.terraform.io/providers/hashicorp/aws
│ for more information about providing credentials.
│
│ AWS Error: failed to refresh cached credentials, failed to retrieve credentials, operation error STS: AssumeRoleWithWebIdentity, https response error StatusCode: 403, RequestID: <redacted> api error AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity
My main and var files are set up verbatim to the guide.
My trust policy looks just like the one in the guide:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<redacted>:oidc-provider/app.terraform.io"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "app.terraform.io:aud": "aws.workload.identity"
        },
        "StringLike": {
          "app.terraform.io:sub": "organization:<redacted>:project:AWS_Prod:workspace:Main:run_phase:*"
        }
      }
    }
  ]
}
Am I missing something?
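As an added debugging aid (not part of the original post or of the HashiCorp guide), the script below evaluates the posted trust policy's StringEquals/StringLike conditions against a set of token claims, so a mismatch between the policy and the aud/sub the workspace actually presents shows up as a named failed condition rather than a bare AccessDenied. The claim values are constructed stand-ins keyed the way IAM names them (issuer host plus claim), not taken from a real token.

```python
import json
import re

# Trust policy exactly as posted above (account and organization stay redacted).
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::<redacted>:oidc-provider/app.terraform.io"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"app.terraform.io:aud": "aws.workload.identity"},
      "StringLike": {"app.terraform.io:sub":
        "organization:<redacted>:project:AWS_Prod:workspace:Main:run_phase:*"}
    }
  }]
}""")

# Constructed claims standing in for a TFC workload identity token (assumed values,
# already prefixed with the issuer host the way IAM condition keys name them).
SAMPLE_CLAIMS = {
    "app.terraform.io:aud": "aws.workload.identity",
    "app.terraform.io:sub": "organization:<redacted>:project:AWS_Prod:workspace:Main:run_phase:plan",
}

def _like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one; case-sensitive."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None

OPERATORS = {"StringEquals": lambda p, v: p == v, "StringLike": _like}

def evaluate_trust_policy(policy, claims):
    """Return (allowed, failures). allowed is True when some Allow statement for
    sts:AssumeRoleWithWebIdentity has every condition satisfied by the claims;
    failures lists each unmatched condition as 'Operator key=expected (got actual)'."""
    failures = []
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        stmt_ok = True
        for op, entries in stmt.get("Condition", {}).items():
            if op not in OPERATORS:
                raise ValueError(f"unsupported condition operator: {op}")
            for key, expected in entries.items():
                patterns = expected if isinstance(expected, list) else [expected]
                actual = claims.get(key)
                if actual is None or not any(OPERATORS[op](p, actual) for p in patterns):
                    stmt_ok = False
                    failures.append(f"{op} {key}={expected} (got {actual!r})")
        if stmt_ok:
            return True, []
    return False, failures

if __name__ == "__main__":
    print(evaluate_trust_policy(TRUST_POLICY, SAMPLE_CLAIMS))
```

Swap in the project, workspace or aud your run actually uses to see which condition the policy rejects.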