AWS

Advanced support has been added for the AWS provider, with the credential options described below. An example for each credential type follows; further documentation on using the Scalr provider to manage provider configurations can be found in the Scalr provider documentation.

Service Trusted Entities

Service trusted entities give you the ability to add roles with AWS service trusts. In this case, a role is added to a Scalr agent and no credentials are stored in Scalr at all. This allows different workspaces to use different roles on a single server running the agent, so the VM instance profile itself does not need broad permissions.

For example:

resource "scalr_provider_configuration" "aws" {
  name                   = "aws_service_example"
  account_id             = "acc-sscctbisjk12345"
  export_shell_variables = false
  environments           = ["*"]
  aws {
    account_type         = "regular"
    credentials_type     = "role_delegation"
    trusted_entity_type  = "aws_service"
    role_arn             = "arn:aws:iam::670025221234:role/service_agent"
  }
}

Scalr Account Trusted Entity

Scalr account trusted entity credentials use IAM roles that have a trust relationship with a Scalr AWS account, specifically 919814621061. No keys are needed, just the trust.

resource "scalr_provider_configuration" "aws" {
  name                   = "aws_account_example"
  account_id             = "acc-sscctbisjk13345"
  export_shell_variables = false
  environments           = ["*"]
  aws {
    account_type        = "regular"
    credentials_type    = "role_delegation"
    trusted_entity_type = "aws_account"
    role_arn            = "arn:aws:iam::6700252123456:role/user"
    external_id         = "dOtbGEdaiXD12345"
  }
}

The role must be created in AWS and the ARN of the role entered into Scalr as seen above.

Please refer to IAM Role Delegation for details of setting up the role with a trust relationship to the Principal account shown on the credentials screen. The external ID shown must be used as the sts:ExternalId condition in the role's trust policy, as in the policy below.

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Effect": "Allow",
           "Principal": {
               "AWS": "arn:aws:iam::919814621061:user/scalr-saas"
           },
           "Action": "sts:AssumeRole",
           "Condition": {
               "StringEquals": {
                   "sts:ExternalId": "<external-id>"
               }
           }
       }
   ]
}
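The trust policy above is usually created in Terraform alongside the role itself. The following is an added example, not code from the Scalr documentation or the Scalr provider project: it builds the role with the same principal and external-ID condition as the policy above, attaches a deliberately narrow permissions policy, and wires the resulting ARN into the scalr_provider_configuration resource. The variable name, the role and policy names, and the S3 bucket ARN are assumptions; the principal ARN and the Scalr account and resource attributes come from this page.

```hcl
# Added example (not from the Scalr docs): Terraform that creates the IAM role
# Scalr assumes through the "Scalr account" trusted entity.

# The external ID is shown on the Scalr credentials screen; it is supplied at
# apply time and kept out of plan output. (Variable name is an assumption.)
variable "scalr_external_id" {
  description = "External ID displayed by Scalr for this provider configuration"
  type        = string
  sensitive   = true
}

# Trust policy: only the Scalr SaaS principal may assume the role, and only
# when it presents this account's external ID. The condition is what stops
# another Scalr tenant from pointing its own configuration at this role ARN.
data "aws_iam_policy_document" "scalr_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::919814621061:user/scalr-saas"]
    }

    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.scalr_external_id]
    }
  }
}

resource "aws_iam_role" "scalr" {
  name                 = "scalr-delegation" # assumed name
  assume_role_policy   = data.aws_iam_policy_document.scalr_trust.json
  max_session_duration = 3600 # one hour is enough for a plan/apply
}

# Permissions policy: grant only what the workspaces actually manage rather
# than AdministratorAccess. The bucket ARN is a placeholder.
data "aws_iam_policy_document" "scalr_permissions" {
  statement {
    effect  = "Allow"
    actions = ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = [
      "arn:aws:s3:::example-terraform-managed-bucket",
      "arn:aws:s3:::example-terraform-managed-bucket/*",
    ]
  }
}

resource "aws_iam_role_policy" "scalr" {
  name   = "scalr-workspace-permissions" # assumed name
  role   = aws_iam_role.scalr.id
  policy = data.aws_iam_policy_document.scalr_permissions.json
}

# The role ARN and external ID are registered in Scalr exactly as on the page,
# but referenced from the resources above instead of being pasted in.
resource "scalr_provider_configuration" "aws" {
  name                   = "aws_account_example"
  account_id             = "acc-sscctbisjk13345"
  export_shell_variables = false
  environments           = ["*"]
  aws {
    account_type        = "regular"
    credentials_type    = "role_delegation"
    trusted_entity_type = "aws_account"
    role_arn            = aws_iam_role.scalr.arn
    external_id         = var.scalr_external_id
  }
}
```

Because the Scalr principal is a single IAM user in the Scalr account, the external ID condition is the only thing that distinguishes your role from any other customer's; a role trusted by 919814621061 without that condition can be assumed by any Scalr configuration that learns its ARN, which is why the condition is not optional.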

Temporary Credentials

Temporary AWS credentials give you the ability to always use a new set of keys in each Terraform run. To use temporary keys, a primary access key and secret key must be added to Scalr; Scalr will then automatically generate temporary keys for each run. The keys are deleted after 2 hours or after the plan or apply times out.

resource "scalr_provider_configuration" "aws" {
  name                   = "temp_creds"
  account_id             = "acc-sscctbisjkl1234"
  export_shell_variables = false
  environments           = ["*"]
  aws {
    account_type     = "regular"
    credentials_type = "access_keys"
    secret_key       = "<secret_key>"
    access_key       = "<access_key>"
  }
}

Account Trusted Entity

Best practices:

  1. Create a new IAM user with Terraform.
  2. Create new access keys for that user with Terraform.
  3. Create a new role and make this user its trusted entity.
  4. Assign limited permissions to the role.
  5. Register that role in Scalr.

Account trusted entities differ from Scalr account trusted entities in that you are not adding the Scalr AWS account as the trusted entity. Instead, you create an AWS IAM user, create a new role whose trust relationship names that user, and then add the user's credentials together with the role in Scalr. See IAM Role Delegation for more.

resource "scalr_provider_configuration" "aws" {
  name                   = "aws_account_example"
  account_id             = "acc-sscctbisjk13345"
  export_shell_variables = false
  environments           = ["*"]
  aws {
    account_type        = "regular"
    credentials_type    = "role_delegation"
    trusted_entity_type = "aws_account"
    access_key          = "<access-key>"
    secret_key          = "<secret-key>"
    role_arn            = "arn:aws:iam::6700252123456:role/user"
    external_id         = "dOtbGEdaiXD12345"
  }
}
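The five best-practice steps above, carried out end to end in Terraform, as an added example that is not code from the Scalr documentation or the Scalr provider project. Unlike the Scalr account trusted entity, the trusted principal here is an IAM user in your own account, so the example creates the user, its access key, a role that trusts only that user (again gated by the external ID), a narrow permissions policy, and finally the scalr_provider_configuration that references all of them. The user, role and policy names, the variable name and the EC2 region condition are assumptions; the Scalr resource attributes and the external_id usage come from this page.

```hcl
# Added example (not from the Scalr docs): IAM user + key + delegation role
# for the "account trusted entity" credential type.

variable "scalr_external_id" {
  description = "External ID to require on AssumeRole (assumed variable name)"
  type        = string
  sensitive   = true
}

# Step 1: a dedicated user whose only job is to assume the delegation role.
resource "aws_iam_user" "scalr_delegate" {
  name = "scalr-delegate" # assumed name
}

# Step 2: an access key for that user. The secret is returned by this
# resource and therefore lands in Terraform state; treat the state as secret.
resource "aws_iam_access_key" "scalr_delegate" {
  user = aws_iam_user.scalr_delegate.name
}

# The user itself gets exactly one permission: assume the role below.
data "aws_iam_policy_document" "delegate_user" {
  statement {
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = [aws_iam_role.scalr_delegation.arn]
  }
}

resource "aws_iam_user_policy" "delegate_user" {
  name   = "assume-scalr-delegation" # assumed name
  user   = aws_iam_user.scalr_delegate.name
  policy = data.aws_iam_policy_document.delegate_user.json
}

# Step 3: the role trusts only that user, and only with the external ID.
data "aws_iam_policy_document" "delegation_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = [aws_iam_user.scalr_delegate.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.scalr_external_id]
    }
  }
}

resource "aws_iam_role" "scalr_delegation" {
  name               = "scalr-delegation" # assumed name
  assume_role_policy = data.aws_iam_policy_document.delegation_trust.json
}

# Step 4: limited permissions on the role, scoped to one region as a placeholder.
data "aws_iam_policy_document" "delegation_permissions" {
  statement {
    effect    = "Allow"
    actions   = ["ec2:Describe*", "ec2:CreateTags"]
    resources = ["*"]

    condition {
      test     = "StringEquals"
      variable = "aws:RequestedRegion"
      values   = ["eu-west-1"] # assumed region
    }
  }
}

resource "aws_iam_role_policy" "scalr_delegation" {
  name   = "scalr-delegation-permissions" # assumed name
  role   = aws_iam_role.scalr_delegation.id
  policy = data.aws_iam_policy_document.delegation_permissions.json
}

# Step 5: register the user's key and the role in Scalr, referencing the
# resources above instead of pasting literal values.
resource "scalr_provider_configuration" "aws" {
  name                   = "aws_account_example"
  account_id             = "acc-sscctbisjk13345"
  export_shell_variables = false
  environments           = ["*"]
  aws {
    account_type        = "regular"
    credentials_type    = "role_delegation"
    trusted_entity_type = "aws_account"
    access_key          = aws_iam_access_key.scalr_delegate.id
    secret_key          = aws_iam_access_key.scalr_delegate.secret
    role_arn            = aws_iam_role.scalr_delegation.arn
    external_id         = var.scalr_external_id
  }
}
```

The split between user and role is what keeps the long-lived key low value: the key alone can do nothing but call sts:AssumeRole on one role, and the role cannot be assumed without the external ID, so leaking either half on its own does not grant the workspace permissions.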