Terraform: Deploying to Multiple AWS Accounts Using Terraform

It appears that Terraform does not accept/understand AWS profiles and only accepts AWS keys. Is this correct? I say this because when specifying a profile that has a key associated with it, Terraform is successfully able to plan and apply otherwise it throws this error:

```
Error refreshing state: 1 error(s) occurred:

• No valid credential sources found for AWS Provider.
  Please see https://terraform.io/docs/providers/aws/index.html for more information on
  providing credentials for the AWS Provider
  ````

Once again, here's what the provider block looks like:

provider "aws" {
region = "${var.region}"
profile = "${var.aws_profile}"
shared_credentials_file = "/Users/user/.aws/credentials"
}

Following up on this issue.

I recently did with with terraform latest. Here's what it looks like:

provider "aws" {
alias = "productmanagement"
access_key = "${var.productmanagement_access_key}"
secret_key = "${var.productmanagement_secret_key}"
region = "${var.region}"
}
provider "aws" {
alias = "prod"
access_key = "${var.prod_access_key}"
secret_key = "${var.prod_secret_key}"
region = "${var.region}"
}
Then using the providers...
resource "aws_lambda_permission" "apigw_lambda" {
provider = "aws.prod"
...
}
or
resource "aws_lambda_function" "snscminstanceprocessor" {
provider = "aws.productmanagement"
...
}

I didn't try profile\shared_credentials_file but the above didn't work right until I included the alias and then specified in each resource the provider to use for that resource. I could tell when I forgot to include the alias in the resource because the resource always ended up being created in the wrong account.

Not sure if this will help but hopefully it will!

thanks @KyronSr. This was a configuration issue and so I figured this one out. Here's what the working config looks like:

provider "aws"
region = "${var.region}"
profile = "${var.aws-profile}"
shared_credentials_file = "${pathexpand("~/.aws/credentials")}"
assume_role {
role_arn = "${var.profile-arn}"
}}

variable "aws-profile" {
description =
"This profile uses an ssh key-pair stored on the client aws config file."
default = "profile-name"
}

variable "profile-arns" {
description = "AWS profile ARNs."
default = {
us-west-2-test = "arn:aws:iam::acct-id:role/role-name"
us-west-2-live = "arn:aws:iam::acct-id:role/role-name"
}}

Note: the default profile is setup for cross account access which is why this config works for multiple accounts.

I did have an issue with Terraform parsing the "~" in the "shared_credentials_file" path but using "pathexpand" in the code above seems to work.

Thanks, @KyronSr. I was experiencing the same, followed your advice with a bit of modification, that I feel is more secure but is based on your approach, Turns out all I have to do is include following lines at the start of my terraform configuration

provider "aws" {
alias = "productmanagement"
profile = "your-aws-profile-name-for-productmanagement-account"
}
provider "aws" {
alias = "prod"
profile = "your-aws-profile-name-for-prod-account"
}

and reference profiles in resources intended to be deployed in each account, in the following fashion as mentioned by @KyronSr

Then using the providers...
resource "aws_lambda_permission" "apigw_lambda" {
provider = "aws.prod"
...
}
resource "aws_lambda_function" "snscminstanceprocessor" {
provider = "aws.productmanagement"
...
}

The only difference I can see in my code and @KyronSr code is I am not exposing my aws credentials via variables files

Thanks

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.