Terraform
Tokenless Terraform using SAML.to
Last updated
Tokenless Terraform using SAML.to
Last updated
The SAML.to can be used for authentication to AWS and can be used with the terraform
CLI or any tool that supports Terraform (such as terragrunt
).
This document will detail how to use SAML.to to authenticate to AWS to run Terraform commands with Tokenless Authentication.
Create a terraform-runner
role (or whatever name you prefer) that has a .
In saml-to.yml
, grant access to GitHub Users to assume terraform-runner
:
Ensure the role is functional:
And run terraform init
to ensure you have access to the State File.
Create a second role in whatever AWS account you'd like, terraform-applier
(or whatever you want to call it) that grants terraform-runner
the ability to assume it:
It's not necessary to declare terraform-applier
in the saml-to.yml
. Role Assumption in Terraform uses STS Role Assumption internally and relies on IAM trust relationships!
Configure role assumption in Terraform:
And run Terraform commands:
If you want to make a second role in the same or another account, see .
Save the temporary credentials to ~/.aws/credentials
using the --save
flag on the :
!