- Defines an IAM user and an IAM assumable role
- Creates an assume-role script
```hcl
module "this" {
  source          = "github.com/bigflood/terraform-modules//modules/assume-role"
  name            = "infra-dev"
  script_filename = "${path.module}/assume-role-bash.sh"
  additional_role_policy_document = jsonencode({
    "Version" = "2012-10-17",
    "Statement" = [
      {
        "Action" = [
          "iam:UpdateAssumeRolePolicy",
          "iam:CreatePolicy",
          "iam:DeletePolicy",
          "iam:CreateRole",
          "iam:DeleteRole",
          "iam:PassRole",
          "iam:AttachRolePolicy",
          "iam:DetachRolePolicy",
          "iam:CreateOpenIDConnectProvider",
          "iam:DeleteOpenIDConnectProvider",
          "iam:Tag*",
        ],
        "Effect"   = "Allow",
        "Resource" = "*"
      }
    ]
  })
  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```
To run the generated script, you need to enable MFA for the IAM user (e.g. infra-dev):
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html
```console
$ ./assume-role.sh MFA_token
$ ./assume-role.sh 123456
Expiration: 2022-02-22T22:22:22Z
...
$ (AWSCLI-assume-role) aws sts get-caller-identity
{
    "UserId": "********:AWSCLI-assume-role",
    "Account": "******",
    "Arn": "arn:aws:sts::******:assumed-role/infra-dev-role/AWSCLI-assume-role"
}
$ (AWSCLI-assume-role) exit
$ aws sts get-caller-identity
{
    "UserId": "********",
    "Account": "******",
    "Arn": "arn:aws:iam::******:user/infra-dev"
}
```
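As an added example, not the script this module generates (its contents are not reproduced here): a minimal shell helper that performs the MFA-gated assume-role shown in the session above, validates the token before calling STS, keeps the temporary credentials in memory, and drops into a child shell that `exit` leaves. Assumed: `ACCOUNT_ID` is a placeholder, the role is named `infra-dev-role` as in the ARN above, and the virtual MFA device is named after the IAM user.

```shell
#!/bin/sh
# Added example of an assume-role helper in the spirit of the script this module
# generates; it is not the module's own script. Assumed: the MFA device is named
# after the IAM user (infra-dev), and ACCOUNT_ID is a placeholder you replace.
set -eu

ACCOUNT_ID="${ACCOUNT_ID:-000000000000}"          # placeholder account id
ROLE_ARN="arn:aws:iam::${ACCOUNT_ID}:role/infra-dev-role"
MFA_SERIAL="arn:aws:iam::${ACCOUNT_ID}:mfa/infra-dev"
SESSION_NAME="AWSCLI-assume-role"
DURATION="${DURATION:-3600}"   # must not exceed the role's max_session_duration

# Accept only a 6-digit TOTP code, so a typo never reaches STS.
valid_token() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Convert one tab-separated STS credential line into export statements.
# Input: "AccessKeyId<TAB>SecretAccessKey<TAB>SessionToken<TAB>Expiration"
credentials_to_exports() {
  key="" secret="" token="" expiry=""
  IFS="$(printf '\t')" read -r key secret token expiry || [ -n "$key" ]
  [ -n "$key" ] && [ -n "$secret" ] && [ -n "$token" ] || return 1
  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$key"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$secret"
  printf "export AWS_SESSION_TOKEN='%s'\n" "$token"
  printf "export AWS_SESSION_EXPIRATION='%s'\n" "$expiry"
}

assume_role() {
  valid_token "$1" || { echo "usage: $0 <6-digit MFA token>" >&2; return 2; }
  # Credentials stay in memory: STS output is turned into exports and eval'd here.
  exports="$(aws sts assume-role \
      --role-arn "$ROLE_ARN" --role-session-name "$SESSION_NAME" \
      --serial-number "$MFA_SERIAL" --token-code "$1" \
      --duration-seconds "$DURATION" \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
      --output text | credentials_to_exports)"
  eval "$exports"
  echo "Expiration: $AWS_SESSION_EXPIRATION"
  # Child shell inherits the role session; 'exit' returns to the IAM user's identity.
  PS1="(${SESSION_NAME}) \$ " bash --norc -i
}

# With no argument the script only defines the functions (e.g. for sourcing).
[ "$#" -eq 0 ] || assume_role "$1"
```

Invoke as `./assume-role.sh 123456`; the `Expiration:` line and the `(AWSCLI-assume-role)` prompt match the session shown above.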
- terraform
- jq
- awscli
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| name | Desired name for the IAM user | string | n/a | yes |
| additional_role_policy_document | Additional policy document for the assumable role | string | "" | no |
| script_filename | Assume-role script filename | string | "" | no |
| max_session_duration | Maximum CLI/API session duration in seconds, between 3600 and 43200 | number | 3600 | no |
| tags | A map of tags to add to all resources | map(string) | {} | no |