Terraform Cloud Remote execution mode and AWS assumed role

Hi there,

I followed this tutorial:

Everything is great until I reached the store remote state section at the end.
It says in the guide that Terraform Cloud will now run in remote execution mode.
You then get told to add secret key and key id to the Terraform Cloud user interface environment variables. All not a problem.
However, my organisation requires me to run as an assumed role and MFA. This is set up OK for my AWS CLI when running Terraform local execution like so:

.aws\config

[profile mfa]
role_arn = xxxx
source_profile = ho-mfa

.aws\credentials

[ho-mfa]
aws_access_key_id = xxxx
aws_secret_access_key = xxxx
aws_session_token = xxxx

When it now switches to remote execution I get an unauthorised error to access AWS resources. I believe this is because I also need to add my MFA token and assumed role details to the environment variables in the Terraform Cloud user interface. I cannot find any guides to show me how to do this. Is this even possible to do?
I hate leaving tutorials unfinished.

Many thanks for any help or guidance.
Rob

Just giving this a quick bump. It does bug me that I cannot finish the tutorial to completeness.

Is it even possible to run Terraform Cloud remote execution with an assumed role and MFA token?

Thanks.

Hi @RobJohnson-HO,

Since Terraform Cloud is an automated system running unattended, rather than a particular individual running Terraform directly, it’s typical to provide Terraform Cloud with its own specialized credentials that don’t match the credentials used by any particular human operator. In that case, it can be reasonable to configure that special user account in a different way that’s more appropriate for automated use without requiring extra settings.

However, sometimes AssumeRole is used to authenticate to a single “administrative account” and then access various environment-specific accounts from there, in which case the role to assume becomes something that must be consistent for everyone working with that particular Terraform configuration, rather than something that varies by operator. For that situation, I’d typically suggest placing the assume role setting inside the provider configuration in the main configuration file, alongside the region name, since those two settings together serve to define where the infrastructure should exist, rather than who or what is running Terraform:

provider "aws" {
  region = "eu-west-1"

  assume_role {
    role_arn = "..."
  }
}

The above is a reasonable approach both for local Terraform usage and remote operations in Terraform Cloud, because it ensures that everyone working with this configuration will be acting as the designated role and will thus be working in the correct AWS account.

Hi @apparentlymart,

I am facing the exact same problem and posted my issue here. Really appreciate your help!

Thanks @apparentlymart, I will try that now.

As an aside, if the files are to be stored in source control, wouldn’t this be a security concern? Exposing your assume role in source control. As it is running through Terraform Cloud, is there a way to load it in as a secret var from the environment variables?
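As an added example (not code from this thread, from HashiCorp, or from the AWS provider's own documentation), here is the provider-level assume_role approach suggested above, written so that the role ARN is taken from a sensitive workspace variable rather than committed to source control, which is the concern raised in the last post. The variable names, the session name, the validation rule and the caller-identity output are my assumptions; the base credentials are still the AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables that the tutorial has you set in the Terraform Cloud workspace.

```hcl
# Added example, not from the original thread. Assumed names are marked below.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

# Hypothetical variable names. Set these as Terraform variables on the
# Terraform Cloud workspace and tick "Sensitive" there, so the values never
# appear in a committed .tfvars file, in plan output, or in the state file.
variable "assume_role_arn" {
  type        = string
  description = "ARN of the IAM role Terraform should assume for this configuration."
  sensitive   = true

  validation {
    condition     = can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:role/", var.assume_role_arn))
    error_message = "assume_role_arn must be an IAM role ARN (arn:aws:iam::<account>:role/<name>)."
  }
}

variable "assume_role_external_id" {
  type        = string
  description = "External ID required by the role's trust policy (confused-deputy protection)."
  sensitive   = true
}

variable "aws_region" {
  type    = string
  default = "eu-west-1"
}

provider "aws" {
  region = var.aws_region

  # No static credentials here: the provider reads AWS_ACCESS_KEY_ID and
  # AWS_SECRET_ACCESS_KEY from the environment variables the Terraform Cloud
  # workspace injects into the remote run. Those should belong to a dedicated
  # automation principal whose only permission is sts:AssumeRole on this role.
  assume_role {
    role_arn     = var.assume_role_arn
    session_name = "terraform-cloud" # assumed naming; this is what CloudTrail records
    external_id  = var.assume_role_external_id
  }
}

# Check that the run is really acting as the intended role: the ARN returned
# here is the assumed-role session ARN, not the automation principal's own ARN.
data "aws_caller_identity" "current" {}

output "effective_caller_arn" {
  description = "Identity the run is acting as after assume_role."
  value       = data.aws_caller_identity.current.arn
}
```

Marking the variables sensitive keeps the role ARN and external ID out of the repository and redacts them in plan output, while the role ARN still stays consistent for everyone using the workspace, which is the property the provider-level assume_role was chosen for. Note that this does not help with an MFA requirement: an unattended remote run cannot answer a TOTP prompt, so a trust policy that conditions on aws:MultiFactorAuthPresent will still reject the automation principal. That has to be addressed on the IAM side (a separate trust statement for the automation principal, scoped with the external ID above) rather than in the Terraform configuration.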