How can I configure data.aws_s3_object to use the IAM instance profile instead of credentials?

I’ve got a terraform stack which uses credentials in order to perform various functions, but I would like to use the IAM instance profile in order to retrieve a user data script from an S3 bucket in another account. I’ve confirmed that I can retrieve the file using the aws cli on Linux with

aws s3 cp s3://bucket/prefix/file.sh .

However, when I run terraform plan, it complains that it can’t access the file located in S3 which is true - most of terraform is running with actual AWS credentials, but the bucket policy on the S3 bucket is configured to allow access to the InstanceProfile.

How do I configure the data “aws_s3_object” section to not use the profile which is specified in the provider “aws” section and just use the InstanceProfile?

Hi @rkulagowski,

The hashicorp/aws provider does not support using different credentials for individual resources because the provider internally creates a single AWS SDK client to share across all operations.

However, Terraform itself supports multiple configurations for the same provider. Terraform supports both “default” and “additional” configurations for each provider, where (as the name suggests) the default is used automatically if you don’t specify a configuration to use explicitly.

Here’s the general shape of specifying both a default and an additional configuration for this provider and then associating one resource with the additional configuration:

provider "aws" {
  # no "alias" argument here, so
  # this is the default config for
  # the provider.

  # ...
}

provider "aws" {
  # The presence of this argument
  # makes this an "additional"
  # configuration for the provider,
  # and specifies the name to use
  # to refer to it.
  alias = "foo"
}

resource "aws_s3_object" "example" {
  # The optional "provider" argument
  # allows selecting a non-default
  # provider configuration.
  provider = aws.foo

  # ...
}
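Applying that shape to the original question, here is an added, complete example (not the reply author's code) that keeps the stack's existing named profile as the default configuration and adds an aliased configuration with no credentials arguments at all, so the AWS SDK's default credential chain falls through to the EC2 instance metadata service and uses the role behind the instance profile. The `provider` meta-argument works on data sources just as it does on resources. The profile name, region, alias, bucket and key are assumed values; replace them with your own.

```hcl
# Added example, not from the original thread. Assumed names: profile "deploy",
# region "us-east-1", alias "instance_role", bucket "bucket", key "prefix/file.sh".

provider "aws" {
  # Default configuration: the named credentials the rest of the stack uses.
  region  = "us-east-1"
  profile = "deploy"
}

provider "aws" {
  # Additional configuration. No profile, access_key, secret_key or
  # shared_credentials_files here: with nothing explicit, the SDK credential
  # chain ends at the instance metadata service, i.e. the instance profile.
  # This only works when terraform itself runs on that EC2 instance.
  alias  = "instance_role"
  region = "us-east-1"
}

# Read the user data script from the bucket in the other account using the
# instance role rather than the default profile.
data "aws_s3_object" "user_data" {
  provider = aws.instance_role
  bucket   = "bucket"
  key      = "prefix/file.sh"
}

# "body" is only populated for human-readable content types (text/*, JSON, ...);
# a .sh object uploaded with the CLI normally gets a text/x-sh content type.
output "user_data_script" {
  value     = data.aws_s3_object.user_data.body
  sensitive = true
}
```

Two things to check before `terraform plan` if this still fails: the cross-account bucket policy must name the role ARN (the role attached to the instance profile) as principal and grant `s3:GetObject` on that key, since S3 evaluates the assumed role identity, not the instance profile itself; and the role's own policy should be scoped to that single key rather than the whole bucket, which keeps the read-only blast radius of a compromised instance small.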