James Lane
Guide to configuring AWS SSO with Terraform

AWS SSO with Terraform

If you’ve had to configure AWS SSO for authenticating Terraform, you know the setup can be a pain. This is because Terraform doesn't work with the new AWS config format that `aws configure sso` generates (see https://github.com/hashicorp/terraform/issues/32465).

Here are two ways I’ve used to get it working:

Run `aws configure sso` and answer the prompts with the following values:

* SSO session name: `terraform-example`
* SSO start URL: `https://{something}.awsapps.com/start#/`
  * Your AWS SSO login start page. This is the page that lists all of your AWS accounts, where you select the one you want to log in to.
* SSO region: `eu-west-2`
  * Replace with your normal region.
* SSO registration scopes `[sso:account:access]`: leave the default.
* CLI profile name `[AWSAdministratorAccess-123456789012]`: `terraform-example`

Now set your environment to use the newly created profile:

```
export AWS_PROFILE=terraform-example
```

And login:

```
aws sso login
```

Older Versions of Terraform (< 1.6)

Older versions of Terraform didn't support the AWS config in the format the AWS CLI generates it in, so you had to make changes manually. These changes are no longer required in version 1.6, but I'll keep the instructions here for reference.

Edit your `~/.aws/config` to work around this issue (https://github.com/hashicorp/terraform/issues/32465):

```ini
[profile terraform-example]
; Copy sso_start_url and sso_region from below and
; paste them in the "profile" section
sso_start_url = https://{something}.awsapps.com/start#/
sso_region = eu-west-2

; Delete this sso_session line entirely
sso_session = terraform-example

sso_account_id = 123456789012
sso_role_name = AWSAdministratorAccess
region = eu-west-2
output = json

[sso-session terraform-example]
sso_start_url = https://{something}.awsapps.com/start#/
sso_region = eu-west-2
sso_registration_scopes = sso:account:access
```

Run:

```
aws sso login
```

You should see the following approval page. If you see a different page, the login likely won't work with Terraform; if this happens, double-check that you have removed `sso_session` from the profile section before running `aws sso login` again.

[Screenshot: AWS SSO "Authorize request" page]

If you are seeing errors like this:

```text
$ terraform init

Initializing the backend...
Initializing modules...
╷
│ Error: error configuring S3 Backend: no valid credential sources for S3 Backend found.
│ 
│ Please see https://www.terraform.io/docs/language/settings/backends/s3.html
│ for more information about providing credentials.
│ 
│ Error: SSOProviderInvalidToken: the SSO session has expired or is invalid
│ caused by: open /home/vscode/.aws/sso/cache/e9cb0c545483ed70f1ec2b95c02cec942879a3a1.json: no such file or directory
│
```

It’s probably because you haven’t removed the `sso_session` line. It might also be worthwhile clearing your SSO credential cache with `rm -rf ~/.aws/sso` and logging in again.

Alternate (AWS-Vault)

Using AWS-Vault can simplify the above.

This step comes after `aws configure sso` and replaces all the other steps.

First install AWS Vault (https://github.com/99designs/aws-vault)

Once we have created the profile we can open a shell with this auth:

```
aws-vault exec terraform-example
```

If you'd like to see a working example of using SSO and OIDC, we've created an example repo that walks you through the setup. In that repo we also talk about Overmind.

If you’d like to give this a try yourself you can sign up for a free Overmind account here.

Or join our Discord to join in on the discussion of the next wave of devops tools.