Open timoguin opened 5 years ago
Thank you for the meaty response! If you have the chance to contribute any specific tests, that would be much appreciated. Otherwise, I'll work to tease out the various stories here - in time. 👍
Thanks! I'm hoping to contribute, just wanted to organize my thoughts here a bit and make sure I wasn't too far off!
No, you're right on target. I'm currently adding a few more tests so, hopefully, there will be enough to give plenty of examples. I'm using Makefiles per test to make running more consistent with the idea of adding an automation layer at some point. Thanks for your thoughts!
First off, thank you for starting work on this. It seems desperately needed.
My primary needs for this are assuming roles via Terraform, so that is primarily where my head is at. I've attempted to include other methods I can think of, and to order the list(s) by precedence. I'd like for us to get all the test cases at least written down, so it's easier to contribute. I've included all the use cases I can think of.
Assume role via Terraform backend, provider, and remote state configs
These options should all assume the configured role(s) when the assume role blocks and/or arguments are passed. Terraform should be using its own libraries (aws-sdk-go-base) to do the role assumption.
Credentials can be passed from the following sources:
- `-var` or `-var-file` CLI flags
- `TF_VAR_` env vars
- AWS env vars (`AWS_ACCESS_KEY_ID`, etc)
- ECS container credentials (`ECS_CONTAINER_METADATA_FILE` and `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` env vars)
- EC2 instance metadata (`AWS_METADATA_URL` env var)
- Shared credentials file (`AWS_SHARED_CREDENTIALS_FILE` env var)
- `credential_process` option in AWS config/credentials files

These should all work from both standard IAM credentials as well as temporary session credentials.
AWS_PROFILE env var

There is also the `AWS_PROFILE` env var that has to be handled a bit differently. This can be passed to Terraform with the following config methods:

The AWS_PROFILE option is ignored if the AWS credentials are specified. To load the profile from env vars, Terraform also requires the `AWS_SDK_LOAD_CONFIG` var set to a truthy value.

Static credentials
These should all use the normal AWS SDK order of precedence, while also preferring the Terraform config options:
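As an added example (not code from this issue or its test repo), a POSIX sh preflight check of the environment Terraform will inherit, encoding the two rules from the AWS_PROFILE and static credentials sections above: static credentials in the environment take precedence and make AWS_PROFILE a no-op, and a profile set via env var is only loaded when AWS_SDK_LOAD_CONFIG is truthy. The treatment of "", "0" and "false" as not truthy and the default `~/.aws` file paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the issue or its test repo: a preflight check of
# the environment Terraform will inherit. Static env credentials win and make
# AWS_PROFILE a no-op; a profile set via env var needs AWS_SDK_LOAD_CONFIG to be
# truthy before the SDK reads shared config.
# Prints OK/WARN/FAIL lines; returns 1 if any FAIL was emitted.
# Assumption: "", "0" and "false" count as not truthy, and the shared files live
# at the usual ~/.aws paths unless AWS_CONFIG_FILE / AWS_SHARED_CREDENTIALS_FILE
# override them. Usage: aws_env_preflight
aws_env_preflight() {
  rc=0
  case "${AWS_SDK_LOAD_CONFIG:-}" in
    ""|0|false|FALSE|False) load_config=0 ;;
    *) load_config=1 ;;
  esac

  if [ -n "${AWS_ACCESS_KEY_ID:-}" ] || [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    # Static credentials present: they take precedence over any profile.
    if [ -n "${AWS_PROFILE:-}" ]; then
      echo "WARN: AWS_PROFILE='$AWS_PROFILE' is ignored because static credentials are set"
    fi
    if [ -z "${AWS_ACCESS_KEY_ID:-}" ] || [ -z "${AWS_SECRET_ACCESS_KEY:-}" ]; then
      echo "FAIL: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY must be set together"
      rc=1
    elif [ -n "${AWS_SESSION_TOKEN:-}" ]; then
      echo "OK: temporary session credentials from env vars"
    else
      echo "OK: static IAM credentials from env vars"
    fi
  elif [ -n "${AWS_PROFILE:-}" ]; then
    # Profile path: only usable when the SDK is told to load shared config.
    if [ "$load_config" -eq 1 ]; then
      echo "OK: profile '$AWS_PROFILE' will be loaded from shared config"
    else
      echo "FAIL: AWS_PROFILE='$AWS_PROFILE' is set but AWS_SDK_LOAD_CONFIG is not truthy"
      rc=1
    fi
    cfg="${AWS_CONFIG_FILE:-${HOME:-}/.aws/config}"
    cred="${AWS_SHARED_CREDENTIALS_FILE:-${HOME:-}/.aws/credentials}"
    if ! grep -qs "^\[profile $AWS_PROFILE\]" "$cfg" && ! grep -qs "^\[$AWS_PROFILE\]" "$cred"; then
      echo "WARN: profile '$AWS_PROFILE' not found in $cfg or $cred"
    fi
  else
    echo "OK: no static credentials or profile in env; SDK chain falls through to shared files, credential_process, ECS or instance metadata"
  fi
  return "$rc"
}
```

Running it from a Makefile target before `terraform init` surfaces the "profile set but AWS_SDK_LOAD_CONFIG missing" case as a hard failure instead of a confusing credential error later.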
References: