AWS
Advanced support has been added for the AWS provider with the options described below. An example for each type of credential follows; further documentation on how to use the Scalr provider to manage configurations can be found here.
Service Trusted Entities
Service trusted entities give you the ability to add roles with AWS service trusts. In this case, a role is attached to a Scalr agent and no credentials are stored in Scalr at all. This allows different roles to be used for different workspaces on a single server running the agent, so the VM instance profile does not need wide permissions.
For example:
```hcl
resource "scalr_provider_configuration" "aws" {
  name                   = "aws_service_example"
  account_id             = "acc-sscctbisjk12345"
  export_shell_variables = false
  environments           = ["*"]
  aws {
    account_type        = "regular"
    credentials_type    = "role_delegation"
    trusted_entity_type = "aws_service"
    role_arn            = "arn:aws:iam::670025221234:role/service_agent"
  }
}
```
Scalr Account Trusted Entity
Scalr account trusted entity credentials use IAM roles that have a trust relationship with the Scalr AWS account, specifically 919814621061. No keys are needed, just the trust.
```hcl
resource "scalr_provider_configuration" "aws" {
  name                   = "aws_account_example"
  account_id             = "acc-sscctbisjk13345"
  export_shell_variables = false
  environments           = ["*"]
  aws {
    account_type        = "regular"
    credentials_type    = "role_delegation"
    trusted_entity_type = "aws_account"
    role_arn            = "arn:aws:iam::6700252123456:role/user"
    external_id         = "dOtbGEdaiXD12345"
  }
}
```
The role must be created in AWS and the ARN of the role entered into Scalr as seen above.
Please refer to IAM Role Delegation for details of setting up the role with a trust relationship to the Principal account shown on the credentials screen. The external ID shown must be used in the role's trust policy, as in this example:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::919814621061:user/scalr-saas"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<external-id>"
        }
      }
    }
  ]
}
```
Temporary Credentials
Temporary AWS credentials give you the ability to use a fresh set of keys in every Terraform run. To use temporary keys, a primary access key and secret key must be added to Scalr; Scalr then automatically generates temporary keys for each run. The temporary keys are deleted after 2 hours or after the plan or apply times out.
```hcl
resource "scalr_provider_configuration" "aws" {
  name                   = "temp_creds"
  account_id             = "acc-sscctbisjkl1234"
  export_shell_variables = false
  environments           = ["*"]
  aws {
    account_type     = "regular"
    credentials_type = "access_keys"
    secret_key       = "<secret_key>"
    access_key       = "<access_key>"
  }
}
```
Account Trusted Entity
The recommended way to set this up: create a new IAM user with Terraform, create new keys for it with Terraform, create a new role and make this user a trusted entity of that role, assign limited permissions to the role, and register that role in Scalr.
Account trusted entities differ from Scalr account trusted entities in that you are not adding the Scalr AWS account as the trusted entity. In this case, you create an AWS user, create a new role, add the user to the role's trust relationship, and then add the user's credentials to Scalr. See more on IAM Role Delegation.
```hcl
resource "scalr_provider_configuration" "aws" {
  name                   = "aws_account_example"
  account_id             = "acc-sscctbisjk13345"
  export_shell_variables = false
  environments           = ["*"]
  aws {
    account_type        = "regular"
    credentials_type    = "role_delegation"
    trusted_entity_type = "aws_account"
    access_key          = "<access-key>"
    secret_key          = "<secret-key>"
    role_arn            = "arn:aws:iam::6700252123456:role/user"
    external_id         = "dOtbGEdaiXD12345"
  }
}
```
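The AWS side of the steps listed above (user, keys, role trusting that user with an external ID, limited permissions), written with Terraform's AWS provider as an added example that is not part of the Scalr docs or provider. The resource names, the `external_id` variable and the ReadOnlyAccess placeholder policy are assumptions; the resulting keys and role ARN are what the `scalr_provider_configuration` block above consumes.

```hcl
variable "external_id" {
  description = "Secret value Scalr presents in sts:AssumeRole (assumed variable)"
  type        = string
  sensitive   = true
}

# 1. Dedicated user whose only job is to assume the delegation role.
resource "aws_iam_user" "scalr_delegate" {
  name = "scalr-delegate" # assumed name
}

# 2. Keys for that user; these become access_key/secret_key in Scalr.
resource "aws_iam_access_key" "scalr_delegate" {
  user = aws_iam_user.scalr_delegate.name
}

# 3. Trust policy: only this user, and only when it presents the
#    external ID, may assume the role (same shape as the JSON above).
data "aws_iam_policy_document" "trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_user.scalr_delegate.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.external_id]
    }
  }
}

resource "aws_iam_role" "scalr_workspace" {
  name               = "scalr-workspace-role" # assumed; its ARN is role_arn in Scalr
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

# 4. Limited permissions live on the role, not on the user. ReadOnlyAccess is
#    a placeholder; attach a policy scoped to what the workspace manages.
resource "aws_iam_role_policy_attachment" "limited" {
  role       = aws_iam_role.scalr_workspace.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}
```

The user itself carries no permissions beyond being named in the trust policy, so a leaked key can do nothing without the role and the external ID.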