AWS SSO with Terraform
If you’ve had to configure AWS SSO (IAM Identity Center) for authenticating Terraform, then you know the setup can be a pain. The cause is that Terraform did not work with the new AWS config format that the AWS CLI writes, in which the profile references a separate [sso-session] section (issue here: https://github.com/hashicorp/terraform/issues/32465).
Here are two ways I’ve used to get it working:
Run aws configure sso with the following values:
Now set your environment to use the newly created profile:
And login:
Older Versions of Terraform (< 1.6)
Older versions of Terraform didn't support the AWS config in the format that the AWS CLI generates it (a profile that points at an [sso-session] section via sso_session), so you had to change ~/.aws/config by hand. These changes are no longer required from version 1.6, but I'll keep the instructions here for reference.
Edit your ~/.aws/config to work around this issue: https://github.com/hashicorp/terraform/issues/32465
Run:
You should see the following approval page. If you see a different page, it likely won't work. If this happens, double check that you have removed the sso_session line from the profile section before running aws sso login.
If you are seeing errors like this:
It’s probably because you haven’t removed the sso_session line. It might also be worthwhile clearing your cached SSO tokens so the next aws sso login starts from a clean state: rm -rf ~/.aws/sso
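To show what the manual edit for Terraform < 1.6 actually does, here is an added example (not code from the original post, and not something the Terraform project ships): a small shell function that reads a config in the new layout, drops the sso_session line from the chosen profile, and inlines the sso_start_url and sso_region from the referenced [sso-session] block, which is the legacy layout the older S3 backend understands. The embedded config, the profile name example-dev, the session name example, the account ID and the start URL are all constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Rewrites one profile from the
# new sso-session layout of ~/.aws/config into the legacy inline layout.
set -eu

# Constructed sample config, shaped like what a current `aws configure sso` writes.
# Profile name, session name, account ID and start URL are made up for the example.
SAMPLE_CONFIG='[profile example-dev]
sso_session = example
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
region = eu-west-2
output = json

[sso-session example]
sso_start_url = https://example.awsapps.com/start
sso_region = eu-west-2
sso_registration_scopes = sso:account:access
'

# legacy_sso_profile <profile-name>   (config on stdin)
# Prints [profile <name>] with sso_session replaced by the sso_start_url and
# sso_region of the [sso-session] block it referenced; all other keys are kept.
legacy_sso_profile() {
  awk -v want="$1" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^\[/ {                                     # section header
      section = trim(substr($0, 2, length($0) - 2))
      next
    }
    /^[^#;].*=/ {                               # key = value line
      key = trim(substr($0, 1, index($0, "=") - 1))
      val = trim(substr($0, index($0, "=") + 1))
      if (section == ("profile " want)) {
        if (key == "sso_session") session = val   # remember, do not emit
        else { keys[++n] = key; vals[n] = val }
      } else if (section ~ /^sso-session /) {
        sname = substr(section, 13)             # strip "sso-session "
        sess[sname, key] = val
      }
    }
    END {
      if (n == 0) { print "profile not found: " want > "/dev/stderr"; exit 1 }
      print "[profile " want "]"
      if (session != "") {
        if (!((session, "sso_start_url") in sess)) {
          print "sso-session not found: " session > "/dev/stderr"; exit 1
        }
        print "sso_start_url = " sess[session, "sso_start_url"]
        print "sso_region = " sess[session, "sso_region"]
      }
      for (i = 1; i <= n; i++) print keys[i] " = " vals[i]
    }
  '
}

# Usage: print the legacy-format profile; redirect into ~/.aws/config by hand
# after checking the output, then run `aws sso login --profile example-dev`.
printf '%s' "$SAMPLE_CONFIG" | legacy_sso_profile example-dev
```

The function only prints the rewritten profile; it deliberately does not write to ~/.aws/config, so you can diff the result against your current profile before replacing it. Keep the [sso-session] block in the file: the AWS CLI still reads it, and only the profile Terraform uses needs the inline keys.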
Alternate (AWS-Vault)
Using aws-vault can simplify the above.
This step goes after aws configure sso and replaces all other steps.
First install aws-vault (https://github.com/99designs/aws-vault).
Once we have created the profile, we can start a shell that carries this auth:
If you'd like to see a working example of using SSO and OIDC we've created an example repo walking you through the setup. Also in that repo we talk about Overmind.
If you’d like to give this a try yourself you can sign up for a free Overmind account here.
Or join our Discord to join in on the discussion of the next wave of devops tools.