2017-08-15 95 views
2

我想爲Terraform執行MFA,因此需要爲每個terraform [command]從我的虛擬MFA設備詢問6位令牌。閱讀文檔後: cli-roles terraform mfa 我創建了一個角色:如何爲Terraform配置AWS MFA?

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
    { 
     "Effect": "Allow", 
     "Principal": { 
     "AWS": "arn:aws:iam::[ACCOUNT_ID]:user/testuser" 
     }, 
     "Action": "sts:AssumeRole", 
     "Condition": { 
     "Bool": { 
      "aws:MultiFactorAuthPresent": "true" 
     } 
     } 
    } 
    ] 
} 

該用戶被強制默認使用MFA和我有一個配置的虛擬MFA設備他。

〜/ .aws /憑證:

[default] 
... 

[terraform_role] 
role_arn = arn:aws:iam::[ACCOUNT_ID]:role/terraform-test-role 
source_profile = default 
mfa_serial = arn:aws:iam::[ACCOUNT_ID]:mfa/testuser 
我Terraform環境

我把以下內容:

provider "aws" { 
    profile = "terraform_role" 
} 

但是當我運行terraform plan它將引發我一個錯誤:

Error refreshing state: 1 error(s) occurred: 

* provider.aws: No valid credential sources found for AWS Provider. 
    Please see https://terraform.io/docs/providers/aws/index.html for more information on 
    providing credentials for the AWS Provider 
+0

是否創建了一個說明配置文件的'.config'文件? – Malice

+0

@Malice在我的'〜/ .aws/config'文件中我只有'[default] region = us-east-1 output = json' contents –

+0

您需要爲'terraform_role'創建一個新的配置文件 – Malice

回答

1

解決方案是指定assume_role語句:

provider "aws" { 
    profile = "default" 
    assume_role { 
    role_arn = "arn:aws:iam::[ACCOUNT_ID]:role/terraform-test-role" 
    } 
}