~/codewithstu

How to Use AWS IAM Identity Centre with Terraform

Transcript

Hi, my name is Stu and in this video I'm going to be showing you how to log in locally to the AWS CLI using IAM Identity Center and how to use this with Terraform. IAM Identity Center, if you're not aware what it is, it's just the replacement for AWS Single Sign-On or AWS SSO. IAM Identity Center allows us to connect to one or more accounts using a centralized login, whether this login is from Google, Microsoft, or any other provider.

So how do we use IAM Identity Center locally? Before we get started, make sure you have the latest AWS CLI installed. I have nothing configured in this setup so I'm going to walk through the exact steps I take to go from logging in all the way through to terraform plan.

To configure our local AWS CLI for SSO login, we need to run aws configure sso. If you're setting up multiple profiles then you want to add --profile and then the name of the profile that you want to configure. As you execute this command, follow the on-screen instructions for supplying the start URL, the region, the output, and any other details the CLI may ask you.

Once we have the CLI configured, we then need to run aws sso login. If you set up the profile using --profile above, you'll also need to log in with this. So your command will end up being aws sso login --profile and then the name of the profile that you want to use to log in. Multiple profiles are very handy if you have multiple AWS accounts. As you log in, a browser window may appear to authorize the local device. You may also be asked to allow the connection from your local machine.

Once logged in, we're free to start executing AWS commands. Note you may need to add the --profile to each command that you execute. Or if you're lazy like me, you can add an environment variable called AWS_PROFILE and then set the name of the profile that you want to use. Then you can do the commands you would normally do such as aws s3 ls.

In theory we now have everything that we need to execute commands and work with Terraform. If Terraform doesn't work locally for you then you're going to need to do a few extra steps which I'm going to go through now. When we go to our start URL we can select the account that we wish to access. From here we can select command line or programmatic access. We can then copy the credentials to our AWS credentials file and proceed to use Terraform as normal.

This is also a process that we can automate, which I'll show you now. The following steps work with the Terraform CLI and AWS CLI at the latest versions at the time of recording. For my Patreon supporters, you already have access to my AWS auth script which I use to log in and do a bunch of other things such as list accounts and account roles. You'll find the link for this in the description below.

When we log in via aws sso login, a file is created under the .aws directory under the sso/cache folder. This file contains an access token which is used to get credentials and work with the AWS CLI. We can reuse the same access token to grab the role credentials and store them in our credentials profile so that Terraform picks it up properly.

The way that the AWS CLI generates this SSO cache file isn't exactly obvious. We first need to look up one of two different values from the AWS config for the profile that we're trying to use. Once we have the value we can then pass it through a SHA-1 function and produce a hex digest string which is used as the file name. The first value we look for is something called sso_session. If this value is present then we will use this as the input to the hash function. Otherwise we will look for a parameter called sso_start_url and pass that into the hash function instead.

Once we have the access token from the SSO cache file, we can use the access token in a call to aws sso get-role-credentials. Here we need to pass in the role name, the account ID, and the access token. With the results returned, we can then make a series of calls to aws configure and set the appropriate values. This sets up our credentials file properly as if we were using an access key and secret key. Then we should be able to use Terraform as normal.

We can also use this access token to do two other things. The first is listing accounts and the second is listing the roles that we have access to in a single account. To list all of the accounts, we follow the same steps to get the access token from the SSO cache file and then we make a call to aws sso list-accounts, remembering to pass in the access token. If you have a lot of accounts you might want to consider adding the --no-paginate option.

The second command allows us to view all of the roles that we have access to inside of a single account. Again we follow the same path to get the access token from the SSO cache file. We can then make a call to aws sso list-account-roles. Here we need to pass in the access token plus the account ID. In return we'll get a list of the roles that we have access to inside of that account. Helper functions for both of these commands are included in my AWS auth script which is linked in my Patreon below.
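The cache-file lookup, the get-role-credentials exchange and the two listing calls described above, as an added example that is not the author's AWS auth script. It assumes bash, jq, sha1sum (or shasum) and the aws CLI, and reads the profile from the config file path you pass in rather than calling aws configure get.

```bash
#!/usr/bin/env bash
# Added example, not the author's Patreon script. Assumes bash, jq, sha1sum
# (or shasum) and the aws CLI; the cache dir defaults to the CLI's own.
set -eu

# Read <key> from [profile <profile>] (or [default]) in an AWS config file.
config_value() {  # usage: config_value <config-file> <profile> <key>
  local sect="[profile $2]"
  [ "$2" = default ] && sect="[default]"
  awk -v sect="$sect" -v key="$3" '
    $0 == sect { in_sect = 1; next }
    /^\[/      { in_sect = 0 }
    in_sect && $0 ~ "^[ \t]*" key "[ \t]*=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$1"
}

# The CLI names the cache file sha1(sso_session) when the profile has one,
# otherwise sha1(sso_start_url), plus a .json extension.
sso_cache_file() {  # usage: sso_cache_file <config-file> <profile>
  local key
  key=$(config_value "$1" "$2" sso_session)
  [ -n "$key" ] || key=$(config_value "$1" "$2" sso_start_url)
  [ -n "$key" ] || { echo "no sso_session or sso_start_url for $2" >&2; return 1; }
  printf '%s' "$key" | { command -v sha1sum >/dev/null 2>&1 && sha1sum || shasum -a 1; } \
    | awk '{ print $1 ".json" }'
}

# Pull the accessToken out of that cache file.
sso_access_token() {  # usage: sso_access_token <config-file> <profile>
  jq -r '.accessToken' "${AWS_SSO_CACHE_DIR:-$HOME/.aws/sso/cache}/$(sso_cache_file "$1" "$2")"
}

# Exchange the token for temporary role credentials and store them under
# <target-profile>, so Terraform sees an access key, secret and session token.
sso_write_role_creds() {  # usage: sso_write_role_creds <config> <sso-profile> <sso-region> <account-id> <role> <target-profile>
  local token creds k
  token=$(sso_access_token "$1" "$2")
  creds=$(aws sso get-role-credentials --region "$3" --access-token "$token" \
            --account-id "$4" --role-name "$5" --output json)
  for k in accessKeyId:aws_access_key_id secretAccessKey:aws_secret_access_key sessionToken:aws_session_token; do
    aws configure set "${k#*:}" "$(printf '%s' "$creds" | jq -r ".roleCredentials.${k%%:*}")" --profile "$6"
  done
}

# The same token also lists the accounts, and the roles available in one of them.
sso_list_accounts()      { aws sso list-accounts --region "$3" --no-paginate --access-token "$(sso_access_token "$1" "$2")"; }
sso_list_account_roles() { aws sso list-account-roles --region "$3" --account-id "$4" --access-token "$(sso_access_token "$1" "$2")"; }
```

The credentials written by sso_write_role_creds expire with the role session (the expiration field in the get-role-credentials response), so re-run it after aws sso login rather than treating them as long-lived keys.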

If you enjoyed this video, consider subscribing to the YouTube channel for more content like this.
