Terraform: S3 backend: Support policy ARNs argument for assume role configuration

Created on 27 Aug 2019 · 5 Comments · Source: hashicorp/terraform

The assume_role configuration block for the S3 backend supports passing in a scoped down policy for the role session via the assume_role_policy argument.

In addition to the Policy parameter that passes a single inline policy, the STS API also supports a PolicyArns parameter that allows passing up to 10 policy ARNs for the role session.

I propose adding an assume_role_policy_arns argument to both the S3 backend and the Terraform remote state data source. This would allow more flexibility in scoping down role sessions.

The existing support for passing a JSON string provides no validation and swallows errors with a generic AccessDenied, so it can be difficult to debug if issues are actually due to permissions or if there is a simple syntax/validation issue with the passed policy. Alternately, specifying policy ARNs allows that policy validation to happen in another context.

References:

Labels: backend/s3, enhancement
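The configuration the request describes, as an added example (not code from the issue author or from the Terraform project): an S3 backend block that assumes a role and scopes the session down with managed-policy ARNs, shown next to the inline-JSON form that already existed. Bucket, table, account ID, role and policy names are placeholders; the `assume_role_policy_arns` argument name is the one proposed in the issue and shipped in Terraform 0.13, and the data source block assumes the `terraform_remote_state` `config` map accepts the same keys as the backend block. Backend blocks cannot use variables or functions, so the inline policy has to be a literal string (a heredoc works).

```hcl
terraform {
  backend "s3" {
    # Placeholder state bucket, key and lock table (assumed names).
    bucket         = "example-tfstate"
    key            = "prod/network.tfstate"
    region         = "us-east-1"
    dynamodb_table = "example-tfstate-lock"
    encrypt        = true

    # Role assumed for all state operations (placeholder ARN).
    role_arn     = "arn:aws:iam::123456789012:role/terraform-state"
    session_name = "terraform"

    # Option 1: inline session policy. Opaque to IAM until AssumeRole is
    # called, so a malformed document surfaces only as a generic error.
    assume_role_policy = <<-EOT
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": "arn:aws:s3:::example-tfstate"
          },
          {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": "arn:aws:s3:::example-tfstate/prod/network.tfstate"
          },
          {
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/example-tfstate-lock"
          }
        ]
      }
    EOT

    # Option 2: managed policy ARNs (up to 10, per the STS PolicyArns
    # parameter). The policy document is validated by IAM when the managed
    # policy is created, so syntax errors are caught outside the backend.
    # Both options only intersect with the role's own permissions; a session
    # policy can never grant more than the role already allows.
    assume_role_policy_arns = [
      "arn:aws:iam::123456789012:policy/terraform-state-prod-network",
    ]
  }
}

# Consumer of the same state via the remote state data source; the config
# map mirrors the backend arguments, so the same scoped-down session applies.
data "terraform_remote_state" "network" {
  backend = "s3"

  config = {
    bucket   = "example-tfstate"
    key      = "prod/network.tfstate"
    region   = "us-east-1"
    role_arn = "arn:aws:iam::123456789012:role/terraform-state-reader"

    assume_role_policy_arns = [
      "arn:aws:iam::123456789012:policy/terraform-state-prod-network-readonly",
    ]
  }
}
```

When both `assume_role_policy` and `assume_role_policy_arns` are set, STS applies every policy as a session policy, and the effective permissions are the intersection of the role's identity-based policies, the inline policy and all referenced managed policies. A practical check before committing a new policy ARN is `aws sts assume-role --role-arn ... --role-session-name test --policy-arns arn=...` followed by an `s3:ListBucket` against the state bucket with the returned credentials, which separates a permission problem from a bad ARN.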

All 5 comments

Thanks for sharing this use-case, @timoguin!

The S3 backend builds on the authentication mechanisms supported by the AWS provider, so if the AWS provider doesn't already offer the feature you're requesting, it'd be better to open a Feature Request in the AWS provider and then once it's implemented over there we can bring that same functionality into the S3 backend.

Thanks. It looks like the S3 backend and the AWS provider actually use the shared aws-sdk-go-base library. I've opened an issue there, along with one for the AWS provider.

Issues:

  • hashicorp/aws-sdk-go-base#11
  • terraform-providers/terraform-provider-aws#9898

~Unfortunately, this isn't supported yet by the AWS Go SDK. I created an issue: aws/aws-sdk-go#2794.~

Edit to the above message: Support in the Go SDK is present. See my comment on a related issue for aws-sdk-go-base for more detail: https://github.com/hashicorp/aws-sdk-go-base/issues/11#issuecomment-530051482

Support for this enhancement has been merged for the S3 Backend and will release with version 0.13.0-beta2 of Terraform.

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
