My use case is about Terraform, but this is more generally about managing an external app's access to AWS.
The Approach I want to Emulate
I'm coming from Azure so I'll start with what I know as a best practice authentication model in that context.
The approach that I have used in Azure is to create service principals in Azure AD. Each Terraform operator executes Terraform commands as a service principal, rather than as an individual identity. The Terraform operators using the service principal include individual users running Terraform locally and Azure DevOps pipelines running Terraform in the cloud. Subscriptions typically provide boundaries across environment contexts (Dev, Prod, etc.) and we set up a Terraform service principal per subscription.
Current AWS Setup
- I have created an AWS Organization for the new project.
- We are starting off simple. We have a management account for identities, and we have Dev and Prod accounts. We will add Organization Units and more accounts later.
- We have IAM Identity Center user accounts rather than IAM user accounts.
Nothing is set in stone. Our main goal is to model best practices.
Requirements
My team and I need to run Terraform locally, and we need to run Terraform in the cloud using some type of pipeline context that is TBD. The pipeline's authentication model needs to be fully automated.
Ideally, we would like to run Terraform as the same identity in both contexts, with a service-principal-like identity, and then we have just that identity to manage permissions on.
The Question
What is the Terraform/AWS authentication best practice for my scenario, e.g. managing multiple accounts and running in local and cloud contexts?
Other Details
- We can run Terraform locally using AWS IAM Identity Center credentials. However, these credentials expire and require human interaction when we re-authenticate, so I don't see how this approach would work in the pipeline context.
- I've seen some discussion that IAM roles can be used for the pipeline scenario. My current understanding (which should be questioned) is that using IAM roles would lead to different authentication mechanisms. In the pipeline case, we would be using IAM, and our local operations would be based on permissions granted by IAM Identity Center. I think this means we would have to manage permissions separately for the IAM role and the IAM Identity Center Permission Set. As far as I know, an IAM Identity Center user cannot assume an IAM role.
- While I'm hoping that we can avoid managing multiple permission constructs, I primarily want to be using best practices in the AWS context.
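One way to keep a single permission construct, shown as an added Terraform example that is not part of the original post: one IAM role per account whose trust policy admits both the role that IAM Identity Center provisions for a permission set (humans running locally) and a web-identity federated pipeline (no long-lived keys), so permissions are attached to that one role only. The account ID, permission-set name, repository and thumbprint are placeholders, and GitHub Actions stands in for the pipeline the post leaves TBD.

```hcl
# Added example, not from the post; account ID, permission-set name and repo are placeholders.
variable "account_id" { type = string }                 # e.g. the Dev account
variable "permission_set_name" { default = "TerraformOperator" }

# Trust policy for the one role that both humans and the pipeline assume.
data "aws_iam_policy_document" "terraform_trust" {
  # 1) Humans: the role Identity Center provisions for the permission set has
  #    an unpredictable suffix, so match it with ArnLike, not a fixed ARN.
  statement {
    sid     = "IdentityCenterOperators"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.account_id}:root"]
    }
    condition {
      test     = "ArnLike"
      variable = "aws:PrincipalArn"
      values   = ["arn:aws:iam::${var.account_id}:role/aws-reserved/sso.amazonaws.com/*AWSReservedSSO_${var.permission_set_name}_*"]
    }
  }
  # 2) Pipeline: web-identity federation; pin audience and subject so only the
  #    intended repository and branch can assume the role.
  statement {
    sid     = "PipelineOidc"
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.pipeline.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:EXAMPLE-ORG/EXAMPLE-REPO:ref:refs/heads/main"]
    }
  }
}

resource "aws_iam_openid_connect_provider" "pipeline" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = ["PLACEHOLDER_THUMBPRINT"]  # from the issuer's TLS certificate
}

resource "aws_iam_role" "terraform" {
  name               = "terraform-operator"
  assume_role_policy = data.aws_iam_policy_document.terraform_trust.json
}
```

The permission set then only needs an inline policy allowing sts:AssumeRole on this role's ARN, and locally an ~/.aws/config profile with role_arn pointing at it and source_profile set to the SSO profile (or the provider's assume_role block) puts Terraform on the same role the pipeline uses.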