Closed tristankenney closed 3 years ago
Happy New Year!
I believe that TFLint supports shared credentials files. https://github.com/terraform-linters/tflint/blob/v0.22.0/docs/guides/credentials.md#shared-credentials Can you give me a link to the official AWS documentation etc. about what config is not available?
Currently, AWS rule implementation is in transition. Questions about the current released version are OK in this repository, but feature requests and bug reports should be sent to the ruleset repository :)
Thanks for your response!
My query is a bit more specific. Shared credentials files work when using permanent credentials issued against a user.
e.g. if we were using a profile named `engineering`, the shared credentials might look something like:

```ini
[engineering]
aws_access_key_id=ASXXXXXXXXXXXXX
aws_secret_access_key=GZXXXXXXXXXXXXXXXXXX
```
However, our setup is slightly different and uses temporary credentials supplied via STS (this is a side-effect of using SSO for our AWS accounts in a developer context).
As a consequence, in our context our shared credentials file looks slightly different:

```ini
[engineering]
aws_access_key_id=ASXXXXXXXXXXXXX
aws_secret_access_key=GZXXXXXXXXXXXXXXXXXX
aws_session_token="FwXXXXXXXX"
```

When using STS-issued credentials, `aws_session_token` also needs to be supplied to the AWS SDK to successfully authenticate.
Therefore, to support STS within tflint, there would need to be additions to config.go, client.go etc.
I'm happy to submit a PR to add token support if that's going to make your lives easier :)
Also, let me know if I should be moving this issue, as it definitely feels like it's in feature request territory.
Thank you for explaining. Understood. I'm happy to review your pull requests if you submit them.
If you have similar settings in Terraform, it may be better to change implementation to get the config rather than extend the TFLint configuration syntax. https://registry.terraform.io/providers/hashicorp/aws/latest/docs#token
By the way, `AWS_SESSION_TOKEN` may work.
I've tested this with `AWS_SESSION_TOKEN` and it works perfectly. Given that, we'll just use env vars for auth rather than the shared credentials file.
As such, we really don't need to modify the ruleset and I'll close this one off :)
Thank you for pointing me in the right direction!
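The two credential paths discussed in this thread, the shared credentials file with an `aws_session_token` entry and the `AWS_SESSION_TOKEN` environment variable, as an added stand-alone example. This is not TFLint's or the ruleset's code: it uses only the Go standard library, the credentials file is constructed (no real keys), and the helper names (`parseSharedCredentials`, `profileCredentials`, `envCredentials`, `Validate`) are hypothetical. The completeness check relies on the documented convention that AWS temporary access key IDs begin with `ASIA` while long-lived IAM user keys begin with `AKIA`, which is the one assumption beyond what the thread states.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Credentials is the triple the AWS SDK signs requests with. Long-lived IAM
// user keys leave SessionToken empty; STS-issued credentials only authenticate
// when all three values reach the SDK.
type Credentials struct {
	AccessKeyID     string
	SecretAccessKey string
	SessionToken    string
}

// sampleCredentialsFile is a constructed shared credentials file, not real
// keys. "ASIA" marks a temporary (STS) key ID, "AKIA" a long-lived one.
const sampleCredentialsFile = `# constructed example, not real credentials
[engineering]
aws_access_key_id=ASIAEXAMPLE0000000000
aws_secret_access_key=EXAMPLESECRET/EXAMPLESECRET/EXAMPLE
aws_session_token="FwoGZXIvYXdzEXAMPLETOKEN"

[legacy]
aws_access_key_id=AKIAEXAMPLE0000000000
aws_secret_access_key=EXAMPLESECRET/EXAMPLESECRET/EXAMPLE

[broken]
aws_access_key_id=ASIAEXAMPLE0000000000
aws_secret_access_key=EXAMPLESECRET/EXAMPLESECRET/EXAMPLE
`

// parseSharedCredentials reads the INI-style shared credentials format:
// "[profile]" headers followed by key=value lines. Blank and '#'/';' comment
// lines are skipped; surrounding quotes on a value (as on the session token
// in the thread) are stripped.
func parseSharedCredentials(text string) (map[string]map[string]string, error) {
	profiles := map[string]map[string]string{}
	var current map[string]string
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || line[0] == '#' || line[0] == ';':
			continue
		case line[0] == '[':
			if !strings.HasSuffix(line, "]") {
				return nil, fmt.Errorf("line %d: unterminated section header", n)
			}
			current = map[string]string{}
			profiles[strings.TrimSpace(line[1:len(line)-1])] = current
		default:
			kv := strings.SplitN(line, "=", 2)
			if current == nil || len(kv) != 2 {
				return nil, fmt.Errorf("line %d: expected key=value inside a profile", n)
			}
			current[strings.TrimSpace(kv[0])] = strings.Trim(strings.TrimSpace(kv[1]), `"'`)
		}
	}
	return profiles, sc.Err()
}

// profileCredentials extracts the three AWS keys from one profile.
func profileCredentials(profiles map[string]map[string]string, name string) (Credentials, error) {
	p, ok := profiles[name]
	if !ok {
		return Credentials{}, fmt.Errorf("profile %q not found", name)
	}
	c := Credentials{p["aws_access_key_id"], p["aws_secret_access_key"], p["aws_session_token"]}
	if c.AccessKeyID == "" || c.SecretAccessKey == "" {
		return Credentials{}, fmt.Errorf("profile %q: missing access key id or secret", name)
	}
	return c, nil
}

// Validate catches the failure mode from the thread: a temporary key whose
// session token never reached the SDK. Assumes the ASIA prefix convention.
func (c Credentials) Validate() error {
	if strings.HasPrefix(c.AccessKeyID, "ASIA") && c.SessionToken == "" {
		return errors.New("ASIA (temporary) access key id without a session token; the SDK cannot authenticate")
	}
	return nil
}

// envCredentials mirrors the environment-variable path that resolved the
// issue. lookup is injected so it can be exercised without the real environment.
func envCredentials(lookup func(string) string) (Credentials, bool) {
	c := Credentials{lookup("AWS_ACCESS_KEY_ID"), lookup("AWS_SECRET_ACCESS_KEY"), lookup("AWS_SESSION_TOKEN")}
	if c.AccessKeyID == "" || c.SecretAccessKey == "" {
		return Credentials{}, false
	}
	return c, true
}

func main() {
	if c, ok := envCredentials(os.Getenv); ok {
		fmt.Printf("environment: token present=%t validate=%v\n", c.SessionToken != "", c.Validate())
	}
	profiles, err := parseSharedCredentials(sampleCredentialsFile)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, name := range []string{"engineering", "legacy", "broken"} {
		if c, err := profileCredentials(profiles, name); err == nil {
			fmt.Printf("profile %-12s token present=%-5t validate=%v\n", name, c.SessionToken != "", c.Validate())
		}
	}
}
```

Running it reports the `engineering` and `legacy` profiles as complete and flags `broken`, which is the shape of the original report: a shared credentials file that is syntactically fine but whose session token is never forwarded to the client.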
Happy New Year!
It seems that a shared credentials file containing STS-generated credentials cannot be currently used (as the SessionToken isn't passed to the S3 client).
Would it be possible to have this added?
P.S. I wasn't sure if I should submit here or against tflint-ruleset-aws. Let me know if I should move this issue :)