4
votes

We are working on a requirement where we want terraform apply, which runs on an AWS EC2 instance, to use an IAM role instead of credentials (access key/secret key) in the aws provider to create Route 53 records in AWS.

NOTE: The IAM role added to the instance has been given a policy that grants the role route53fullaccess.

When we use the syntax below in terraform.tf, it works fine; we are able to create the route.

SYNTAX:

provider "aws" {
  access_key = "${var.aws_accesskey}"
  secret_key = "${var.aws_secretkey}"
  region     = "us-east-1"
}
resource "aws_route53_record" "example" {
  zone_id = "<hosted zone id>"     # placeholder
  name    = "<record name>"        # placeholder
  type    = "A"
  ttl     = 300
  records = ["<ip address>"]       # placeholder
}

But we want the terraform script to run with an IAM role and not with credentials (we do not want to maintain a credentials file).

STEPS TRIED:
1. Removed the provider block from the terraform.tf file and ran the build. SYNTAX: resource "aws_route53_record" {}
2. Got the error below: Provider.aws :InvalidClientTokenid
3. Went through the Terraform official documentation on using an IAM role. It says to use the metadata API, but there is no working sample. (https://www.terraform.io/docs/providers/aws/index.html)

I'm new to Terraform, so pardon me if it's a basic question. Can someone help with code / a working sample to achieve this?

2
What if you only remove the two lines with keys? - Dusan Bajic

As @DusanBajic said, remove the 2 keys (access_key and secret_key) from your provider statement. If an IAM role is attached to the instance, terraform will use the credentials (obtained from the role) to create the resources. - krishna_mee2004

Did not try that option yet. Will try. Thanks both. - Viddhiyartha
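Below is an added example (not the asker's or the commenters' configuration) of what the comments describe: a provider block with no static keys, so the AWS provider falls back through its default credential chain to the EC2 instance metadata service and picks up the instance profile's temporary credentials. It assumes Terraform 0.12 or later syntax; the hosted zone id, record name and address are constructed placeholders, and the aws_caller_identity data source is included purely as a check that the expected role is in use.

```hcl
# Added example: create a Route 53 record from an EC2 instance using only the
# instance profile attached to that instance. No access_key / secret_key here.
# With nothing static configured, the provider walks its default credential
# chain (environment variables, shared config files, then the instance metadata
# service), which is where the instance role's temporary credentials come from.
provider "aws" {
  region = "us-east-1"
}

# Sanity check before any Route 53 call: this resolves to the identity the
# provider actually obtained. On the instance it should look like
# arn:aws:sts::<account>:assumed-role/<role name>/<instance id>.
data "aws_caller_identity" "current" {}

variable "zone_id" {
  description = "Hosted zone to write into (placeholder value)"
  type        = string
  default     = "Z0000000000EXAMPLE" # placeholder
}

resource "aws_route53_record" "example" {
  zone_id = var.zone_id
  name    = "app.example.com"     # placeholder record name
  type    = "A"
  ttl     = 300
  records = ["203.0.113.10"]      # documentation address, placeholder
}

output "caller_arn" {
  value = data.aws_caller_identity.current.arn
}
```

Two things worth checking if this still fails with InvalidClientTokenId: first, run `aws sts get-caller-identity` on the instance (or `terraform plan` and read the caller_arn output) to confirm credentials are really coming from the instance role rather than from stale AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables or a ~/.aws/credentials file, which take precedence over the metadata service; second, if Terraform runs inside a container on the instance and the instance enforces IMDSv2 with the default hop limit of 1, the metadata service is unreachable from the container and the provider will find no credentials at all. Scoping the role's policy to the specific hosted zone rather than full Route 53 access is also worth doing once this works.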

2 Answers

1
vote

You need to supply the profile ARN in the "provider" block, not the role, like so:

provider "aws" {
  profile = "arn:aws:iam::<your account>:instance-profile/<your role name>"
}

The 'role_arn' key mentioned in the answer above is actually invalid in the 'provider' context.

0
votes

Insert the following line for the IAM role in your terraform script, in the provider block:

role_arn = "arn:aws:iam::<your account>:role/SQS-Role-demo"
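For reference, an added example (not from either answer) showing where a role ARN is accepted by the AWS provider: role_arn is an argument of the provider's assume_role block rather than a top-level provider argument, and profile names an entry in the shared AWS config/credentials files rather than an ARN. In the assume_role form, the instance profile's credentials (obtained from the metadata service, with no static keys configured) are used to call sts:AssumeRole on the named role, so that role's trust policy must allow the instance role to assume it. The account id and role name are placeholders.

```hcl
# Added example: assume a separate role from the instance profile's credentials.
# Nothing static is configured, so the initial credentials come from the EC2
# instance metadata service; the provider then exchanges them for the target
# role's credentials via sts:AssumeRole.
provider "aws" {
  region = "us-east-1"

  assume_role {
    role_arn     = "arn:aws:iam::123456789012:role/route53-writer" # placeholder
    session_name = "terraform-route53"
  }
}
```

This form is only needed when the permissions live on a different role (for example in another account) than the one attached to the instance. If the instance role itself already holds the Route 53 permissions, a provider block with just region and no assume_role is sufficient.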