Feature request:
We recently added the feature for RDS IAM https://github.com/cyrilgdn/terraform-provider-postgresql/pull/134 which is great :partying_face:
But this requires the AWS user or role loaded in the environment (or the profile passed as aws_rds_iam_profile) to have the capability to get the RDS credentials.
In our use case, we run this in conjunction with the AWS provider. We do not configure the AWS role running terraform to get the RDS password, but instead, we have an intermediate role that can be assumed for that.
In order to support this use-case, the postgres provider should support assuming a role before generating the RDS password.
Terraform Version
n/a
Affected Resource(s)
All resources, this is provider auth
Expected Behavior
I propose this configuration:
On execution, the provider will:
my_rds_instance_master_role
Alternatively, pass a list of roles:
On execution, the provider will:
Assume the AWS roles in order, arn:aws:iam::123456789:role/account_admin, then my_rds_instance_master_role
generate the AWS password
This is really handy if you have an umbrella account/user and want to first assume some intermediate admin role, then the role that can connect to the RDS instance.
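The sequence requested above (assume each role in order, then generate the RDS password with the last role's credentials), sketched with boto3 as an added example; it is not code from the issue or from the provider. The function names, the full ARN built for my_rds_instance_master_role, and the host, user and region values are assumptions.

```python
"""Added example: chain sts:AssumeRole calls, then mint an RDS IAM auth token."""


def default_session(**creds):
    # boto3 is imported lazily so the chaining logic can be exercised offline
    # with a substitute session factory.
    import boto3
    return boto3.Session(**creds)


def assume_chain(role_arns, session=None, session_factory=default_session,
                 session_name="pg-provider-example"):
    """Assume each role in order; every hop is signed with the previous hop's credentials."""
    session = session or session_factory()
    for arn in role_arns:
        resp = session.client("sts").assume_role(
            RoleArn=arn, RoleSessionName=session_name)
        c = resp["Credentials"]
        # Build a new session from the temporary credentials of this hop.
        session = session_factory(
            aws_access_key_id=c["AccessKeyId"],
            aws_secret_access_key=c["SecretAccessKey"],
            aws_session_token=c["SessionToken"],
        )
    return session


def rds_password(session, host, port, user, region):
    """Sign a short-lived RDS IAM token with the final role's credentials."""
    return session.client("rds", region_name=region).generate_db_auth_token(
        DBHostname=host, Port=port, DBUsername=user, Region=region)


if __name__ == "__main__":
    # Account id and role names are the ones in the issue; the second ARN,
    # host, user and region are constructed placeholders.
    roles = [
        "arn:aws:iam::123456789:role/account_admin",
        "arn:aws:iam::123456789:role/my_rds_instance_master_role",
    ]
    final = assume_chain(roles)
    print(rds_password(final, "db.example.internal", 5432, "postgres", "eu-west-1"))
```

With this layout only the last role in the chain needs `rds-db:connect`; each earlier principal needs only `sts:AssumeRole` on the next role.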