Amazon Web Services (AWS)
Hint
This feature is only available to paid Spacelift accounts. Please check out our pricing page for more information.
Warning
Before version 1.6.0 of Terraform and OpenTofu, the AWS S3 state backend did not support authenticating with OIDC.
If you need to use the AWS S3 state backend with an older version, you can use the following workaround:
- Add the workaround command as a before_init hook (make sure to replace <ROLE ARN> with your IAM role ARN).
- Comment out the role_arn argument in the backend block.
- Comment out the assume_role_with_web_identity section in the AWS provider block.
Alternatively, you can use the dedicated AWS Cloud Integration that uses AWS STS to obtain temporary credentials.
Configure Spacelift as an identity provider
You need to set up Spacelift as a valid identity provider for your AWS account. This is done by creating an OpenID Connect identity provider. You can do it declaratively using any of the IaC providers, programmatically using the AWS CLI, or with the console.
For illustrative purposes, we will use the console:
- Go to the AWS console and select the IAM service.
- Click Identity providers in the left-hand menu.
- Click Add provider in the top bar.
- Select OpenID Connect as the provider type.
- Click Get thumbprint. AWS requires this: it records the thumbprint of the certificate authority behind the provider's TLS certificate, so STS can detect a spoofed issuer when it fetches the token signing keys (a class of MitM attack).
Hint
Use the token's iss value as the Provider URL and its aud value as the Audience. Both contain your account hostname, so replace demo.app.spacelift.io with the hostname of your Spacelift account.
Once created, the identity provider will be listed in the "Identity providers" table.
Add Spacelift OIDC as the role provider
You can click on the provider name to see the details. From here, you will also be able to assign an IAM role to this new identity provider:
- Click Assign role, and choose to create a new role.
- Click Web identity and select the new Spacelift OIDC provider as the trusted entity.
- Select the audience from the dropdown (there should only be one option).
- The rest of the process is the same as for any other role creation. Select the policies you want to attach to the role, and add tags and a description.
- Once you're done, click Create role.
If you go to your new role's details page, in the Trust relationships section you will notice that it is now associated with the Spacelift OIDC provider:
This trust relationship is very relaxed: it only checks the audience, so any stack or module in the demo Spacelift account can assume this role. If you want to be more restrictive, add further conditions on the token's claims. For example, you can restrict the role so that only stacks in the production space can assume it, by adding a condition on the sub claim.
Hint
You will need to replace demo.app.spacelift.io with the hostname of your Spacelift account.
You can also restrict the role so that only a specific stack can assume it, by matching the stack ID in the sub claim.
You can mix and match these conditions to get the exact constraints you need. You can learn more about the intricacies of AWS IAM conditions in the official docs. Remember that AWS IAM does not expose custom claims as condition keys, so you will need to match on the standard ones (primarily sub, as described above).
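As an added example (not Spacelift's or AWS's code), the following Python script re-implements the subset of IAM trust-policy condition semantics used on this page, StringEquals and StringLike, and runs it against constructed claims of a Spacelift-shaped OIDC token. It shows why the wizard-generated trust is relaxed and how sub conditions narrow it to one space or one stack. The hostname demo.app.spacelift.io, the account ID 123456789012 and the sub layout space:<space>:stack:<stack id>:run_type:<type>:scope:<scope> are assumptions for illustration; inspect the sub claim of a real token from your account before copying a pattern into a trust policy.

```python
"""Added example: evaluate the Condition block of an IAM role trust policy
against decoded OIDC token claims. Only the Condition block is modelled (the
Federated principal check that real STS also performs is out of scope), and
only the StringEquals and StringLike operators are supported."""
import copy
import re

PROVIDER = "demo.app.spacelift.io"  # assumption: your Spacelift hostname
ACCOUNT_ID = "123456789012"         # assumption: placeholder AWS account ID

# Trust policy as the console wizard creates it: the only condition is on
# aud, so any stack or module in the Spacelift account can assume the role.
RELAXED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{PROVIDER}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {f"{PROVIDER}:aud": PROVIDER}},
        }
    ],
}


def restrict_sub(trust, pattern):
    """Return a copy of `trust` whose statements additionally require the sub
    claim to match `pattern` under StringLike (* and ? are IAM wildcards)."""
    narrowed = copy.deepcopy(trust)
    for stmt in narrowed["Statement"]:
        like = stmt.setdefault("Condition", {}).setdefault("StringLike", {})
        like[f"{PROVIDER}:sub"] = pattern
    return narrowed


def iam_match(operator, pattern, value):
    """IAM string-condition semantics for the two operators used here."""
    if operator == "StringEquals":
        return pattern == value
    if operator == "StringLike":
        # IAM wildcards: * matches any run of characters, ? exactly one.
        regex = "".join(
            ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
            for ch in pattern
        )
        return re.fullmatch(regex, value) is not None
    raise ValueError(f"unsupported operator {operator}")


def can_assume(trust, claims):
    """True if some Allow statement for sts:AssumeRoleWithWebIdentity has
    every condition satisfied by `claims` (dict of decoded token claims)."""
    for stmt in trust["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        satisfied = True
        for operator, pairs in stmt.get("Condition", {}).items():
            for key, patterns in pairs.items():
                # Condition keys are "<provider hostname>:<claim>".
                provider, _, claim = key.partition(":")
                value = claims.get(claim)
                if provider != PROVIDER or value is None:
                    satisfied = False
                    continue
                if isinstance(patterns, str):
                    patterns = [patterns]
                if not any(iam_match(operator, p, value) for p in patterns):
                    satisfied = False
        if satisfied:
            return True
    return False


def spacelift_claims(space, stack, run_type="TRACKED", scope="write"):
    """Constructed token payload using the assumed Spacelift sub layout."""
    return {
        "iss": f"https://{PROVIDER}",
        "aud": PROVIDER,
        "sub": f"space:{space}:stack:{stack}:run_type:{run_type}:scope:{scope}",
    }


if __name__ == "__main__":
    prod = spacelift_claims("production", "payments-api")
    dev = spacelift_claims("dev", "scratchpad")
    print("relaxed trust, dev stack:  ", can_assume(RELAXED_TRUST, dev))  # True
    prod_only = restrict_sub(RELAXED_TRUST, "space:production:*")
    print("production space, dev:     ", can_assume(prod_only, dev))      # False
    print("production space, prod:    ", can_assume(prod_only, prod))     # True
    one_stack = restrict_sub(RELAXED_TRUST, "space:production:stack:payments-api:*")
    print("single stack, prod:        ", can_assume(one_stack, prod))     # True
```

Note that iss is not an IAM condition key: the issuer is bound to the role through the Federated principal's provider ARN, which is why the Provider URL entered in the console has to match the token's iss exactly, while aud and sub are what the Condition block can inspect.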
Configure the Terraform provider
Once the Spacelift-AWS OIDC integration is set up, the Terraform provider can be configured without any static credentials: its assume_role_with_web_identity block assumes the role using the OIDC token. The aws_role_arn variable should be set to the ARN of the role that you want to assume.