Good afternoon, I’m working on an internal project of mine, and I have the following problem:
I need to deploy my infrastructure created with Terraform through AWS CodeBuild, but I don’t want to use AWS “Access Keys” to let Terraform access the AWS API. Also, as a security measure, I don’t want to be generating these keys frequently.
Is there any other way for terraform via codebuild to be able to connect to aws? Using “IAM roles” for example?
Terraform uses the credential providers in the same order as the AWS SDK credential chain:
- Parameters in the provider configuration
- Environment variables
- Shared credentials files
- Shared configuration files
- Container credentials
- Instance profile credentials and region
Source: Terraform Registry
Example of how you can use IAM roles:
```hcl
provider "aws" {
  assume_role {
    role_arn     = "arn:aws:iam::123456789012:role/ROLE_NAME"
    session_name = "SESSION_NAME" ### optional
    external_id  = "EXTERNAL_ID"  ### optional
  }
}
```
How well that integrates with CodeBuild I can’t say, since I don’t use it, but I would assume that a CodeBuild runner already has an identity attached to it that could be configured to assume another role (the one used by Terraform).
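Here is an added example (not from the thread above, and not CodeBuild's or Terraform's own documentation) of how the two pieces fit together: CodeBuild runs the build under a service role, the build container receives that role's temporary credentials through the "Container credentials" step of the provider's credential chain, and Terraform's `assume_role` block then switches from the runner identity to a separate, scoped deployment role. Role names, the account id and the region are placeholders.

```hcl
# Added example (not code from the original post). The role names, account id
# and region below are placeholders; replace them with your own.

# 1. The role CodeBuild itself runs as. Set it as `service_role` on the
#    CodeBuild project. CodeBuild exposes this role's temporary credentials
#    inside the build container, so no access keys need to exist anywhere.
data "aws_iam_policy_document" "codebuild_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["codebuild.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "codebuild_runner" {
  name               = "codebuild-terraform-runner" # placeholder name
  assume_role_policy = data.aws_iam_policy_document.codebuild_trust.json
}

# 2. The runner gets exactly one permission: assume the deployment role.
#    Infrastructure permissions live on the deployment role, not on the runner,
#    so a compromised build can only reach what that one role allows.
data "aws_iam_policy_document" "runner_assume_deploy" {
  statement {
    actions   = ["sts:AssumeRole"]
    resources = [aws_iam_role.terraform_deploy.arn]
  }
}

resource "aws_iam_role_policy" "runner_assume_deploy" {
  role   = aws_iam_role.codebuild_runner.id
  policy = data.aws_iam_policy_document.runner_assume_deploy.json
}

# 3. The deployment role. Its trust policy names only the runner role, so
#    nothing else in the account can assume it. Attach the (scoped) policy for
#    the resources Terraform manages to this role.
data "aws_iam_policy_document" "deploy_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.codebuild_runner.arn]
    }
  }
}

resource "aws_iam_role" "terraform_deploy" {
  name               = "terraform-deploy" # placeholder name
  assume_role_policy = data.aws_iam_policy_document.deploy_trust.json
}

# 4. In the root module that CodeBuild actually applies, the provider needs no
#    static credentials: the chain finds the runner's container credentials,
#    and assume_role swaps them for the deployment role's session.
provider "aws" {
  region = "us-east-1" # placeholder region
  assume_role {
    role_arn     = "arn:aws:iam::123456789012:role/terraform-deploy" # placeholder ARN
    session_name = "codebuild-terraform" # shows up in CloudTrail as the session
  }
}
```

A quick check when wiring this up is to run `aws sts get-caller-identity` in the buildspec before `terraform init`: it should report the runner role, and after `terraform plan` the CloudTrail `AssumeRole` event for the deployment role will carry the session name given above, which is what you audit against. If the deployment role ever has to be assumed from a different account, that is the point at which the `external_id` shown in the answer becomes worth setting.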