Closed ijaveed closed 5 years ago
One option is to assume different roles in your Terraform code using assume_role in the AWS provider. You then authenticate to some account that has permissions to assume either role and Terraform will do the rest.
I tried adding the following to the terraforms main.yml
assume_role { role_arn = "arn:aws:iam::ACCOUNT_NUMBER_B:role/SuperAdmin" session_name = "ops-profile" external_id = "ops-profile" }
I still had the TERRAGRUNT_IAM_ROLE=AWS_ARN exported which pointed to Account A?
but received...
Error: Error refreshing state: 1 error(s) occurred:
provider.aws: The role "arn:aws:iam::ACCOUNT_NUMBER_B:role/SuperAdmin" cannot be assumed.
There are a number of possible causes of this - the most common are:
I forgot to mention, I am also looking up a value in Account A from a state file...
I managed to resolve this the way you stated, I had to allow the correct permission with the assume roles within IAM between the accounts,
works perfectly now, thank you
Can terragrunt use named profiles in the modules backends explicitly? For my use case, I don't want to set environment credentials in advance, I want terragrunt to do it in the same way terraform does.
i.e.
provider "aws" {
profile = "${var.aws_profile}"
region = "${var.region}"
Can terragrunt use named profiles in the modules backends explicitly? For my use case, I don't want to set environment credentials in advance, I want terragrunt to do it in the same way terraform does.
i.e.
provider "aws" { profile = "${var.aws_profile}" region = "${var.region}"
This would be the dream!
Hi all
I want to know if there is a way I can switch AWS profiles in flight between my modules...
e.g
s3 Module --> Creates bucket in AWS Account A (dependant on s3 Module) r53 module --> Crerate Alias in AWS Account B
Is this even possible?
I currently am using TERRAGRUNT_IAM_ROLE=AWS_ARN which points to Account A?
Obviously this fails with Access denied when trying to create the ALIAS in Account B....
Thanks in advance!