Allow AssumeRole with WebIdentity in provider's configuration #22907

Closed
mwieczorek opened this issue Feb 2, 2022 · 7 comments · Fixed by #24441
Labels
authentication Pertains to authentication; to the provider itself or otherwise. enhancement Requests to existing resources that expand the functionality or scope. provider Pertains to the provider itself, rather than any interaction with AWS.
Comments

@mwieczorek
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

I'd like to propose better support for AssumeRoleWithWebIdentity in the provider configuration.

Context

Recent changes in GitHub Actions allow using a GHA-issued JWT token to access AWS (using AssumeRoleWithWebIdentity). I'd like to be able to use the JWT to configure the provider (or rather multiple providers) and authenticate using AssumeRoleWithWebIdentity.

Currently, it is possible to leave the assume_role block empty and use the standard environment variables AWS_ROLE_ARN / AWS_WEB_IDENTITY_TOKEN_FILE to access AWS this way. But this solution won't work if we'd like to use two or more provider configurations in one Terraform plan with different roles to assume (e.g. we want to create and accept a VPC peering in one TF plan, or set up Route53 hosted zone delegation to another account, etc.).

Proposed solution

Extend provider's configuration, in particular assume_role block, by adding web_identity_token argument. Example:

provider "aws" {
  assume_role {
    role_arn = "arn:aws:iam::123456789012:role/my-role"
    web_identity_token = var.web_identity_token
  }
}

If web_identity_token is empty, the provider will behave as it does right now.
If web_identity_token is not empty, the provider will use AssumeRoleWithWebIdentity (instead of AssumeRole) to authenticate; in this case, no AWS credentials are required.

Additional notes

As an alternative solution, we could add a new block like assume_role_with_webidentity to the provider's configuration as not all arguments in assume_role are supported in AssumeRoleWithWebIdentity. I'd prefer to reuse the existing block and add validation to exclude some of the arguments when web_identity_token is passed.

I looked into the code (if possible/desired I could prepare a PR) and I understand that it will be required to extend https://github.com/hashicorp/aws-sdk-go-base. I plan to open an issue there too when I get feedback on this issue.

References

@mwieczorek mwieczorek added the enhancement Requests to existing resources that expand the functionality or scope. label Feb 2, 2022
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Feb 2, 2022
@justinretzolk justinretzolk added authentication Pertains to authentication; to the provider itself or otherwise. provider Pertains to the provider itself, rather than any interaction with AWS. and removed needs-triage Waiting for first response or review from a maintainer. labels Feb 16, 2022
@gdavison
Contributor

Thanks for creating this issue, @mwieczorek. Technically, our guidelines suggest that there should be separate assume_role and assume_role_with_webidentity (and assume_role_with_saml) blocks. However, combining them in this case would be a better interface.

@mwieczorek
Contributor Author

Thanks @gdavison for the feedback.
If what I describe makes sense and can be considered as a new feature of the provider, I'll create a related issue in https://github.com/hashicorp/aws-sdk-go-base

@mwieczorek
Contributor Author

Hi @gdavison
The PR in aws-sdk-go-base is merged. What are the next steps for this feature request?
I guess we need to wait for a release/tag of aws-sdk-go-base. But I think I also read somewhere that any changes in the provider's authentication can be released only in a major version.
Does it make sense to start work on it? (I could prepare a PR for that too, but I prefer to ask in case you have planned other changes in this area.)

@github-actions

This functionality has been released in v4.12.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@Lincon-Freitas

This looks really nice! @mwieczorek have you ever managed to use two different IAM roles using GitHub OIDC?

I have opened another issue explaining a bit more what I am trying to do here: #24547

@mwieczorek
Contributor Author

Hi @Lincon-Freitas
Today I had a chance to finally check the new feature and I think there's an issue. I don't use web_identity_token_file, but web_identity_token.
For provider config like

provider "aws" {
  assume_role_with_web_identity {
    role_arn           = "arn:aws:iam::123456789012:role/example"
    web_identity_token = var.token
  }
}

I get Error: error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
I see your issue was labelled as 'bug' and assigned so probably we can expect a fix soon.
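The multi-role scenario from the original description (two provider configurations in one plan, each assuming a different role with the same GitHub OIDC token) can be expressed with the assume_role_with_web_identity block in the form shown in the comment above. The configuration below is an added example, not code from the issue or from the provider's own documentation. It assumes the token has already been written to a file by an earlier workflow step (the path, account IDs, role names and VPC IDs are constructed placeholders), and it uses web_identity_token_file rather than the inline web_identity_token argument that the comment above reports as failing.

```hcl
# Added example (not from the issue): two aliased providers, each assuming a
# different role in a different account with the same GitHub OIDC token, used
# to create and accept a cross-account VPC peering in one plan.

variable "web_identity_token_file" {
  description = "Path to the file holding the GitHub OIDC JWT (constructed placeholder path)"
  type        = string
  default     = "/tmp/gha-oidc-token.jwt"
}

# Requester side: role in account 111111111111 (constructed placeholder).
provider "aws" {
  alias  = "requester"
  region = "eu-west-1"

  assume_role_with_web_identity {
    role_arn                = "arn:aws:iam::111111111111:role/terraform-vpc-peering-requester"
    session_name            = "gha-peering-requester"
    web_identity_token_file = var.web_identity_token_file
  }
}

# Accepter side: a second role in account 222222222222 (constructed placeholder),
# obtained from the same token. No static AWS credentials are involved.
provider "aws" {
  alias  = "accepter"
  region = "eu-west-1"

  assume_role_with_web_identity {
    role_arn                = "arn:aws:iam::222222222222:role/terraform-vpc-peering-accepter"
    session_name            = "gha-peering-accepter"
    web_identity_token_file = var.web_identity_token_file
  }
}

resource "aws_vpc_peering_connection" "this" {
  provider      = aws.requester
  vpc_id        = "vpc-0123456789abcdef0" # constructed placeholder
  peer_vpc_id   = "vpc-0fedcba987654321f" # constructed placeholder
  peer_owner_id = "222222222222"
}

resource "aws_vpc_peering_connection_accepter" "this" {
  provider                  = aws.accepter
  vpc_peering_connection_id = aws_vpc_peering_connection.this.id
  auto_accept               = true
}
```

Each role's trust policy must trust the GitHub OIDC identity provider, and it should restrict the token.actions.githubusercontent.com:sub claim to the specific repository (and branch or environment) allowed to assume it; otherwise any workflow presenting a GitHub-issued token could assume the role. Distinct session_name values make the two assumed sessions easy to tell apart in CloudTrail.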

@github-actions

github-actions bot commented Jun 6, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 6, 2022