Terraform Provider with Dynamic AWS Role or SSO

Terraform Providers can sometimes be a bit clunky when you are working locally vs what your final pipeline configuration will be. For instance, often an AWS role will be limited to pipeline access and not allowed to be assumed by users for security reasons. Users will have to authenticate with their SSO roles for any actions they perform instead.

While Terraform supports this with the profile = <your-sso-profile> configuration, this means setting specific values in your local development, remembering to change those before committing/pushing to your project, etc.

Now, there is a way you can get the best of both worlds, with a dynamic "assume_role" block and some clever logic!
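As an added illustration of that idea (example configuration written for this post, not the project's own code), the provider below assumes the pipeline role only when a role ARN is supplied, and otherwise falls back to the SSO profile; the variable names, role ARN and profile name are placeholders.

```hcl
# Set by the pipeline (e.g. TF_VAR_pipeline_role_arn); left empty for local runs.
variable "pipeline_role_arn" {
  type        = string
  default     = ""
  description = "ARN of the pipeline-only role; empty means 'use SSO'"
}

# Local developers authenticate with `aws sso login --profile <this>`.
variable "sso_profile" {
  type    = string
  default = "my-sso-profile" # placeholder
}

variable "region" {
  type    = string
  default = "us-east-1" # placeholder
}

provider "aws" {
  region = var.region

  # null unsets the attribute, so in the pipeline the provider falls back to
  # the default credential chain (env vars / instance role) before assuming.
  profile = var.pipeline_role_arn == "" ? var.sso_profile : null

  # Zero or one assume_role block, depending on whether a role ARN was given.
  # The role's trust policy should only allow the pipeline principal, so a
  # developer running locally cannot assume it even by setting the variable.
  dynamic "assume_role" {
    for_each = var.pipeline_role_arn != "" ? [var.pipeline_role_arn] : []
    content {
      role_arn     = assume_role.value
      session_name = "terraform-pipeline"
    }
  }
}
```

Run `terraform plan` locally with no pipeline_role_arn set and the SSO session is used; in CI, export TF_VAR_pipeline_role_arn and the same code assumes the restricted role without any edits to commit.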

AWS SSO with Terraform and Secrets Manager

You can find the latest code for this project on GitHub: https://github.com/shadetree-dev/terraform-aws-sso-permission-sets-example

We'll go through a few stages in this journey to get there:

  1. Bitch about SSO a bit and why it's such a burden to deal with
  2. Delegate an administrator for IAM Identity Center (SSO)
  3. Set up some AWS Secrets Manager secrets to pull dynamically from (avoid hard-coding)
  4. Write some Terraform and apply it!