we want to secure all AWS accounts using MFA. There is a solution for terraform aws provider so terraform can automatically use user Virtual MFA to generate 6-digit token without asking on every run to allow non-interactive use case ?
I’m not aware of an MFA implementation that can be run completely non-interactively - I think that kinda defeats the purpose.
I suggest you take a look at Basefarm’s aws-session-tool which is designed to work together with Terraform’s assume-role support and reduce the number of times you need to do MFA authentication during a normal working day.
For fully hands-off runs, I think you should use a dedicated role with minimal privs which can only be assumed from the automation user account. And then supplement with rotating credentials at regular intervals.
… or maybe look into how Vault can help you issue short-lived credentials. Yeah, that’s probably the best way of doing it
thank you. You’are probably right about Vault way, we go deep on Vault solution as soon as possible to check if it’s feasible.
Minimal privs or not MFA user creds for production deployment are not an option and having “some type” of creds on a build (or related) machine is always necessary (including Vault solutions , I suppose - e.g. info to allow Vault access).
As terraform support aws profile, as we analyze Vault solutions, we’ll try to see if following solution works
also this can be an option: