Open hashibot opened 7 years ago
The current provider initialization process almost always reaches out to STS/IAM to try to determine the current account ID since there is no way to determine it from the credentials themselves (unless it's something like an assume role ARN in the provider configuration). We provide a provider configuration to skip this fetch, however there are a lot of resources that require this account ID to already be configured in the provider for manually building ARN attributes that the AWS API does not return.
There are definitely varying use cases when dealing with multiple AWS accounts for which aws_caller_identity might be extraneous with its extra STS API call. Could you explain your use cases here so we have a better sense of how to help?
That said, I have some ideas here from when I was working with multiple AWS accounts myself that could be implemented in the provider to help for these situations:
- aws_account_id data source, that solely returns the AWS account ID already determined from the provider configuration without an extra STS API call for the data source itself. The ID might have already been determined from something like EC2/ECS metadata.
- account_id or aws_account_id attribute on specific resources or as a meta-attribute across all attributes of the provider, then you can grab these from output/terraform_remote_state as necessary.
In the end, it's likely the second option above that would provide the best user experience since it offers the value easily for downstream resources/modules. Feedback would be appreciated. 😄
@bflad I was looking for the proper way to get the AWS account ID as well, in this case we're using assume_role and I want the account id matching with the assumed role. To me a data source sounds like the most obvious way to get this info.
Also, I'm not sure if it wouldn't already be possible to get this from https://www.terraform.io/docs/providers/aws/d/caller_identity.html, haven't tried which account ID it returns.
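An added example, not part of the original thread or the provider's own code: when the provider assumes a role, the account ID matching that role can be read from the role ARN in the configuration, with no STS or IAM call. The variable name, sample ARN, region and bucket name below are constructed assumptions.

```hcl
variable "assume_role_arn" {
  type        = string
  description = "ARN of the role the AWS provider assumes."
  # Constructed sample value; replace with the real role ARN.
  default     = "arn:aws:iam::123456789012:role/example-deploy"

  # Reject anything that is not an IAM role ARN with a 12-digit account ID,
  # so a malformed value fails at plan time instead of producing bad ARNs.
  validation {
    condition     = can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:role/.+$", var.assume_role_arn))
    error_message = "The assume_role_arn value must be an IAM role ARN containing a 12-digit account ID."
  }
}

locals {
  # ARN layout: arn:partition:service:region:account-id:resource
  arn_parts  = split(":", var.assume_role_arn)
  partition  = local.arn_parts[1]
  account_id = local.arn_parts[4]
}

provider "aws" {
  region = "us-east-1" # assumed region

  assume_role {
    role_arn = var.assume_role_arn
  }
}

# Account ID derived purely from configuration (no API call).
output "account_id" {
  value = local.account_id
}

# Manually built ARN using the derived values (hypothetical bucket name).
output "example_bucket_arn" {
  value = "arn:${local.partition}:s3:::example-bucket-${local.account_id}"
}
```

The derived value reflects the configured ARN rather than what STS reports for the active credentials, so it is only as trustworthy as the source of the variable.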
Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.
If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!
Don't think this has been fixed/addressed yet?
Facing the same issue. Is there a workaround for this or a way to hard code the account id?
we are having this same issue here, please fix aws_caller_identity
looks related to https://github.com/hashicorp/terraform-provider-aws/issues/26043
EDIT: found a workaround by doing:
data "external" "get-caller-identity" {
  program = ["aws", "sts", "get-caller-identity"]
}
locals {
  callerArn = data.external.get-caller-identity.result.Arn
}
This issue was originally opened by @devinsba as hashicorp/terraform#10226. It was migrated here as part of the provider split. The original body of the issue is below.
Terraform Version
Terraform v0.7.10
Affected Resource(s)
Terraform Configuration Files
Debug Output
Important Factoids
We have some tight ACLs, wondering if there's a way to get this without access to the IAM endpoints