如何为Terraform配置AWS MFA?

时间:2017-08-15 09:31:44

标签: amazon-web-services terraform multi-factor

我想为Terraform执行MFA,因此我们需要从我的虚拟MFA设备中查询每个terraform [command]的6位数令牌。阅读文档后: cli-roles terraform mfa 我创建了一个角色:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[ACCOUNT_ID]:user/testuser"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}

默认情况下,此用户被迫使用MFA,我为他配置了一个虚拟MFA设备。

〜/ .aws /凭证:

[default]
...

[terraform_role]
role_arn = arn:aws:iam::[ACCOUNT_ID]:role/terraform-test-role
source_profile = default
mfa_serial = arn:aws:iam::[ACCOUNT_ID]:mfa/testuser

在我的Terraform环境中,我放置了以下内容:

provider "aws" {
  profile = "terraform_role"
}

但是当我运行terraform plan时,它会抛出一个错误:

Error refreshing state: 1 error(s) occurred:

* provider.aws: No valid credential sources found for AWS Provider.
  Please see https://terraform.io/docs/providers/aws/index.html for more information on
  providing credentials for the AWS Provider

1 个答案:

答案 0 :(得分:3)

解决方案是指定assume_role语句:

provider "aws" {
  profile = "default"
  assume_role {
    role_arn = "arn:aws:iam::[ACCOUNT_ID]:role/terraform-test-role"
  }
}
相关问题
最新问题