
I have AWS sub accounts for development, QA and production under a main account that controls all of our Route53 zones. I manage everything with Terraform. I use STS AssumeRole cross-account roles from that main account to access the sub accounts. I use the role ARNs in my .aws/config file, and tell the AWS provider to use the profile of the account I want to use.

Currently, I'm trying to figure out how to allow Terraform to create or modify Route53 zones in that parent account while running using the profile of one of the sub accounts (which assumes an STS role).

I get the following error when I try to apply my Route53 resource: "aws_route53_record.default: AccessDenied: User: arn:aws:sts::ID-OF-SUB-ACCOUNT:assumed-role/Cross-Production/COMPANYNAME-prod-01-awsume-session is not authorized to access this resource status code: 403, request id: BLAHBLAHBLAH"

I use awsume to swap my profile env vars on the fly when I don't want to specify --profile on the command line.

I need to figure out a way to tell Terraform to assume another role, or to stop assuming its current role (which will put it back into its admin user on the main account). Not really sure how to go about doing that, though. Any suggestions?

AlexV

1 Answer


Terraform supports multiple providers:

provider.tf

# default provider: whatever credentials Terraform starts with
# (hard-coded keys shown only as a placeholder; in practice use a profile or
# environment variables rather than keys committed in provider.tf)
provider "aws" {
  access_key = "foo"
  secret_key = "bar"
  region     = "us-east-1"
}

# second provider: starts from the same credentials, but every API call
# is made through a session obtained by assuming ROLE_NAME in ACCOUNT_ID
provider "aws" {
  alias  = "aws-assume"
  region = "us-east-1"

  assume_role {
    role_arn     = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
    session_name = "SESSION_NAME"
    external_id  = "EXTERNAL_ID" # only needed if the role's trust policy requires one
  }
}

and in the resource use

resource "aws_instance" "foo" {
  # provider reference is unquoted since Terraform 0.12
  # (0.11 wrote it as provider = "aws.aws-assume")
  provider = aws.aws-assume

  # ...
}
johntellsall
strongjz
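The same aliased-provider pattern written out for the setup in the question, added here as an illustration (this is not code from the question or the answer). The default provider is the sub account, exactly as Terraform is run today, and a second, aliased provider hops from that role session back into the main account where the zones live. The account IDs (111111111111 for the main account, 222222222222 for the sub account), the role name Route53-From-Prod, the zone name, the zone ID and the external ID are all placeholders; the two halves are separate root modules and are shown in one listing only for readability.

```hcl
# Added example, not from the original post. All IDs and names are placeholders.
# Two root modules in one listing; the main-account one is applied first.

# ---------- dns-role/main.tf: run in the MAIN account (admin profile) ----------
provider "aws" {
  region  = "us-east-1"
  profile = "main" # the admin user in the account that owns the zones
}

# Role that Terraform in the sub account will assume to touch Route53.
resource "aws_iam_role" "route53_from_prod" {
  name = "Route53-From-Prod"

  # Trust only the sub account's Cross-Production role, and only when the
  # caller presents the agreed external ID (covers the confused-deputy case).
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { AWS = "arn:aws:iam::222222222222:role/Cross-Production" } # sub account
      Condition = { StringEquals = { "sts:ExternalId" = "replace-with-a-random-secret" } }
    }]
  })
}

# Least privilege: records in one zone, plus the read calls the provider
# needs to refresh state. No CreateHostedZone, no access to other zones.
resource "aws_iam_role_policy" "route53_from_prod" {
  role = aws_iam_role.route53_from_prod.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets", "route53:GetHostedZone"]
        Resource = "arn:aws:route53:::hostedzone/Z0123456789ABCDEFGHIJ" # zone ID placeholder
      },
      {
        Effect   = "Allow"
        Action   = ["route53:ListHostedZones", "route53:ListHostedZonesByName", "route53:GetChange"]
        Resource = "*"
      }
    ]
  })
}

# ---------- prod/dns.tf: run in the SUB account (awsume or --profile prod) ----------
# Default provider: the credentials are the Cross-Production role session,
# whether they come from "profile" or from the env vars awsume exports.
provider "aws" {
  region = "us-east-1"
}

# Aliased provider: a second hop, from the sub-account role session into the
# Route53 role above. This is role chaining, so STS caps the session at 1 hour.
provider "aws" {
  alias  = "dns"
  region = "us-east-1"

  assume_role {
    role_arn     = "arn:aws:iam::111111111111:role/Route53-From-Prod" # main account
    session_name = "terraform-prod-dns"
    external_id  = "replace-with-a-random-secret" # must match the trust policy
  }
}

# Created in the sub account through the default provider.
resource "aws_eip" "web" {
  domain = "vpc"
}

# The zone is in the main account, so both the lookup and the record use aws.dns.
data "aws_route53_zone" "main" {
  provider = aws.dns
  name     = "example.com."
}

resource "aws_route53_record" "web" {
  provider = aws.dns
  zone_id  = data.aws_route53_zone.main.zone_id
  name     = "web.prod.${data.aws_route53_zone.main.name}"
  type     = "A"
  ttl      = 300
  records  = [aws_eip.web.public_ip]
}
```

Two things to check if the apply still fails. First, the trust policy is only half of the permission: the sub account's Cross-Production role also needs an identity policy granting sts:AssumeRole on arn:aws:iam::111111111111:role/Route53-From-Prod, otherwise the error moves from Route53 to STS but stays an AccessDenied. Second, because the hop starts from an assumed-role session rather than an IAM user, it is role chaining, and any duration_seconds above 3600 on the aliased provider will be rejected; a plan that runs longer than an hour needs a fresh session.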