Hello,
I need to perform a seemingly simple operation: creating a number of AWS users.
The simplified example:
variable "users" {
  description = "A list of users, their KeyBase accounts and groups. Groups should match the list in \"groups\""
  type = map(object({
    user_name = string,
    key_base  = string,
    groups    = list(string)
  }))
  default = {
    "user0" = {
      user_name = "user0",
      key_base  = "user0_keybase",
      groups    = ["Test_GRP"]
    },
    "pg" = {
      user_name = "pg",
      key_base  = "pg",
      groups    = ["Test", "Test_1"]
    }
  }
}
...
resource "aws_iam_user_login_profile" "user_profile" {
  for_each                = var.users
  user                    = each.value.user_name
  pgp_key                 = "keybase:${each.value.key_base}"
  password_reset_required = true
}
This code returns:
Error: error retrieving GPG Key during IAM User Login Profile (pg) creation: Error retrieving Public Key for keybase:pg: unable to fetch keys for user(s) "pg from keybase
│ with aws_iam_user_login_profile.user_profile["pg"],
│ on user.tf line 66, in resource "aws_iam_user_login_profile" "user_profile":
│ 66: resource "aws_iam_user_login_profile" "user_profile" {
The workflow is very simple:
1. Create a number of AWS users with initial passwords.
2. Send each user their credentials.
3. Each user will log in and be forced to change the initial random password.
4. The password/username is stored in Keybase as an output file.
Question:
If I have to encrypt _all_ users' passwords with the key of the user logged into Keybase at the moment Terraform is run,
how can the AWS users decrypt their passwords so that they can log in to AWS?
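The following is an added example, not code from the original post, showing how the per-user encryption in this flow is meant to work: because `pgp_key` is set inside a `for_each` resource, every login profile is encrypted with the public key of the Keybase account named in that user's own `key_base` entry, not with the key of whoever runs `terraform apply`. The `aws_iam_user` resource and the output names are assumptions (the post elides the user resource with "..."); the `users` variable is the one from the post.

```hcl
# Added example (not the original post's code). Assumes the "users" variable
# declared above: the map key is used as the IAM user name.

# Assumed user resource; the post elides it.
resource "aws_iam_user" "this" {
  for_each = var.users
  name     = each.value.user_name
}

resource "aws_iam_user_login_profile" "this" {
  for_each = var.users
  user     = aws_iam_user.this[each.key].name

  # Evaluated once per user: "keybase:<name>" fetches the public PGP key that
  # <name> has published on Keybase, so each password is encrypted for its
  # own recipient. The error in the post is what appears when the named
  # account has no published PGP key.
  pgp_key = "keybase:${each.value.key_base}"

  # The initial password is single-use; the console forces a change at login.
  password_reset_required = true
}

# One ciphertext per user. Only the holder of that user's private key can
# decrypt it; the operator running Terraform, and the state file, hold only
# the encrypted form.
output "encrypted_passwords" {
  description = "Map of IAM user name to PGP-encrypted, base64-encoded initial password"
  value = {
    for name, profile in aws_iam_user_login_profile.this :
    name => profile.encrypted_password
  }
}

# Fingerprint of the key each blob was encrypted to, so a user can confirm
# the blob they received was made for their key before trying to decrypt.
output "key_fingerprints" {
  value = {
    for name, profile in aws_iam_user_login_profile.this :
    name => profile.key_fingerprint
  }
}
```

Each user then decrypts only their own entry with their own Keybase key, for example `terraform output -json encrypted_passwords | jq -r '.pg' | base64 --decode | keybase pgp decrypt` (or `gpg --decrypt` if the key is in a local keyring). The prerequisite for every `key_base` value is that the account has a PGP public key published on Keybase (`keybase pgp gen` creates and pushes one); an account without one produces the "unable to fetch keys" error shown above.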