Terraform-provider-aws: Feature request: IAM Service Specific credentials

Created on 1 Feb 2018 · 10 comments · Source: hashicorp/terraform-provider-aws

Hi guys,

Service specific credentials could be used for HTTPS access to CodeCommit right now, assuming wider usage later on.

Terraform Version

Terraform v0.11.2
+ provider.aws v1.8.0

Affected Resource(s)

  • aws_iam_user

Terraform Configuration Files

Could be derived from https://docs.aws.amazon.com/IAM/latest/APIReference/API_ServiceSpecificCredential.html

Expected Behavior

resource "aws_iam_service_specific_credential" "codecommit" {
  service_name = "codecommit"
  username = "my_user"
}

All 10 comments

Need that feature, too. We have a project with high security requirements and no service must call the internet directly (only using HTTP proxies). To work with CodeCommit, auto-generated HTTPS Git credentials are mandatory.

+1

As a short term workaround for anyone in need:

variable "AWS_USERS" {
  description = "List of AWS Users"
  type = "list"
  default = ["name.one","name.two"]
}

resource "aws_iam_user" "users" {
  name = "${element(var.AWS_USERS, count.index)}"
  count = "${length(var.AWS_USERS)}"
  provisioner "local-exec" {
    command = "aws iam create-service-specific-credential --user-name ${element(var.AWS_USERS, count.index)} --service-name codecommit.amazonaws.com >> credentials.txt"
  }
}

@colin-lyman thanks for your suggestion, works fine for me. I added more lines to the policy entry

...
  provisioner "local-exec" {
    command = "aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AWSCodeCommitFullAccess --user-name ${element(var.AWS_USERS, count.index)}"
  }
...

Note, these work-arounds don't really work very well because the API to manipulate the credentials will only display the ServicePassword field once during creation, à la IAM access keys.

There doesn't seem to be any way I can determine to have Terraform hold on to that output since null_resource/local-exec doesn't have a way of saving its output in the state.

It seems that an API update to include this as a managed resource is definitely required. If someone has a work-around that works well, I'd be very interested to see how it was accomplished.

edit: Additionally, local-execs show the sensitive values in the logs.
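The two problems raised above (the ServicePassword is returned only once, and a local-exec that appends it to a file or echoes it ends up in Terraform's logs) can be reduced by piping the CLI's JSON into a small handler that writes the secret to an owner-only file and hands back only non-secret metadata. This is an added example, not code from the thread or from the provider; the JSON response is a constructed sample shaped like the real create-service-specific-credential output, and the password and credential id in it are made up.

```python
import json
import os
import stat
import tempfile

# Constructed sample of what `aws iam create-service-specific-credential`
# prints; the ServicePassword and credential id are made-up values.
SAMPLE_RESPONSE = json.dumps({
    "ServiceSpecificCredential": {
        "CreateDate": "2018-02-01T10:00:00Z",
        "ServiceName": "codecommit.amazonaws.com",
        "ServiceUserName": "name.one-at-123456789012",
        "ServicePassword": "EXAMPLE-PASSWORD-DO-NOT-USE",
        "ServiceSpecificCredentialId": "ACCAEXAMPLEID",
        "UserName": "name.one",
        "Status": "Active",
    }
})


def store_service_credential(response_text: str, directory: str = None) -> dict:
    """Persist the one-time ServicePassword to a 0600 file and return only
    non-secret metadata, so anything the caller logs cannot leak the secret."""
    cred = json.loads(response_text)["ServiceSpecificCredential"]
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, f"{cred['UserName']}.codecommit")
    # O_EXCL refuses to overwrite: a second run cannot silently clobber a
    # password that can no longer be retrieved from the API.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{cred['ServiceUserName']}:{cred['ServicePassword']}\n")
    return {
        "id": cred["ServiceSpecificCredentialId"],
        "user": cred["UserName"],
        "service_user": cred["ServiceUserName"],
        "path": path,
    }


def file_is_private(path: str) -> bool:
    """True when only the owner can read or write the file."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600


if __name__ == "__main__":
    import sys
    # Read the CLI output from stdin when piped, else use the sample.
    data = SAMPLE_RESPONSE if sys.stdin.isatty() else sys.stdin.read()
    print(store_service_credential(data))
```

Wired into the local-exec as `aws iam create-service-specific-credential ... | python3 store_cred.py`, only the metadata dict reaches the provisioner output; the secret never appears on stdout.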

@bflad Any way to bump this up? The work-around won't work on TF Cloud and I'd really like to be able to manage a service account for codecommit with terraform.

Service specific credentials are also required to access AWS managed Cassandra. It would be great if there was a resource similar to aws_iam_access_keys that could also encrypt the secret so it's available in tf output:

resource "aws_iam_service_specific_credential" "cassuser" {
  user         = "${aws_iam_user.cassuser.name}"
  pgp_key      = "keybase:some_person_that_exists"
  service_name = "cassandra.amazonaws.com"
}

resource "aws_iam_user" "cassuser" {
  name = "cassuser"
  path = "/system/"
}

output "secret" {
  value = "${aws_iam_service_specific_credential.cassuser.encrypted_secret}"
}

This would be a great feature, especially for AWS Keyspaces / Cassandra.

Waiting for it!

With Keyspaces now a service on AWS I have a requirement for this feature, along with the option to return a password encrypted with a PGP key.
