How do I run Terraform with AWS MFA?


Solution 1

The solution is to specify an assume_role statement:

provider "aws" {
  profile = "default"
  assume_role {
    role_arn = "arn:aws:iam::[ACCOUNT_ID]:role/terraform-test-role"
  }
}

Solution 2

The error message here is telling you that you are not allowed to enable MFADelete without an MFA-authenticated token, meaning the executing principal must have logged in with MFA.

Essentially, the API call on the CLI would be something like this:

aws --profile my_profile s3api put-bucket-versioning --bucket bucket-name --versioning-configuration 'MFADelete=Enabled,Status=Enabled' --mfa 'arn:aws:iam::<account-id>:mfa/root-account-mfa-device <mfacode>'

Note that only the root account MFA (the bucket owner) can do this, not a standard user, as detailed here.

A simple Terraform config, assuming it's executing under the credentials the previous profile specified, would be:

resource "aws_s3_bucket" "bucket" {
  bucket = "some_test_bucket"
  acl    = "private"
  
  versioning {
    enabled = true 
    mfa_delete = true
  }
}

Now, so far so good; however, it should be noted that mfa_delete = true cannot toggle that setting. It is there only to reflect in the state file that the setting has been enabled, as mentioned in the docs.

The correct way to set mfa_delete to enabled is via the API yourself, as mentioned above, since the provider cannot change it but keeps it in state to ensure it is not going to change the setting on a subsequent run after it has been set (out-of-band Terraform changes, enabled with the API).

This answer assumes AWS provider v2.65.0 or higher.
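The two pieces the question is really asking for are (a) credentials that carry MFA context so Terraform's API calls pass policies that require MFA, and (b) the one S3 call that Terraform cannot make for you, PutBucketVersioning with MFADelete, which needs the x-amz-mfa header that the CLI's --mfa option supplies. The script below is an added example, not code from the original post or from the Terraform AWS provider: it obtains temporary credentials from STS with `aws sts get-session-token`, exports them for Terraform, and wraps the put-bucket-versioning call from Solution 2. The profile name, MFA device ARN and bucket name are placeholders, the sample STS JSON is constructed for offline checking, and the live calls only run when RUN_MFA_EXAMPLE=1 is set.

```shell
#!/bin/sh
# Added example (not from the original answers): run Terraform under
# MFA-authenticated STS session credentials, and enable S3 MFA Delete
# with the x-amz-mfa header via the AWS CLI. Requires the `aws` CLI.
set -eu

# A TOTP code is exactly six digits; reject anything else before calling AWS.
valid_mfa_code() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# The S3 --mfa option takes "<device-arn> <code>" as a single argument.
mfa_option_value() {
  printf '%s %s' "$1" "$2"
}

# Extract one string field from the JSON that `aws sts get-session-token`
# prints (one key per line). Pure sed, so it works without jq.
json_field() {
  printf '%s\n' "$2" | sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Turn the STS response into export lines Terraform (and the CLI) will pick up.
session_exports() {
  json=$1
  printf 'export AWS_ACCESS_KEY_ID=%s\n' "$(json_field AccessKeyId "$json")"
  printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$(json_field SecretAccessKey "$json")"
  printf 'export AWS_SESSION_TOKEN=%s\n' "$(json_field SessionToken "$json")"
}

# Ask STS for temporary credentials tied to this MFA device and code.
# Policies with the aws:MultiFactorAuthPresent condition accept these.
get_mfa_session() {
  profile=$1; serial=$2; code=$3
  valid_mfa_code "$code" || { echo "MFA code must be exactly six digits" >&2; return 1; }
  aws --profile "$profile" sts get-session-token \
    --serial-number "$serial" --token-code "$code" --duration-seconds 3600
}

# The one call Terraform cannot perform: enabling MFA Delete needs the
# x-amz-mfa header (--mfa) and must be made with the bucket owner's root MFA.
enable_mfa_delete() {
  bucket=$1; serial=$2; code=$3
  aws s3api put-bucket-versioning --bucket "$bucket" \
    --versioning-configuration 'MFADelete=Enabled,Status=Enabled' \
    --mfa "$(mfa_option_value "$serial" "$code")"
}

# Constructed sample of an STS response, used to check the parsing offline.
SAMPLE_STS_JSON='{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEY",
        "SecretAccessKey": "exampleSecret",
        "SessionToken": "exampleSessionToken",
        "Expiration": "2024-01-01T12:00:00+00:00"
    }
}'

# Live flow, only when explicitly requested. Placeholder profile and ARN.
if [ "${RUN_MFA_EXAMPLE:-0}" = 1 ]; then
  : "${AWS_PROFILE_NAME:=default}"
  : "${MFA_SERIAL:?set MFA_SERIAL to your virtual MFA device ARN}"
  printf 'MFA code: '; read -r code
  eval "$(session_exports "$(get_mfa_session "$AWS_PROFILE_NAME" "$MFA_SERIAL" "$code")")"
  terraform plan
fi
```

Run it as `RUN_MFA_EXAMPLE=1 MFA_SERIAL=arn:aws:iam::<account-id>:mfa/<device> sh mfa-terraform.sh`. The session token satisfies IAM policies that demand MFA, which is what most "MFA required" Terraform failures are about; the AccessDenied in the question is the separate S3 MFA Delete case, where the request itself must carry the MFA header, so use `enable_mfa_delete` (as the root/bucket-owner MFA) once, and let `mfa_delete = true` in the Terraform config record the result.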

Solution 3

I was looking into a similar use case and found this GitHub issue in the Terraform public repo: https://github.com/terraform-providers/terraform-provider-aws/issues/629

As quoted in that issue: "Indeed it does seem like the Terraform AWS provider would need to do something special to make this work. As I noted in my other comment, we don't consider Terraform to be an interactive tool in general and so introducing extra interactive input in the apply phase is not ideal."

https://github.com/terraform-providers/terraform-provider-aws/issues/629#issuecomment-408937315


Author: Strat-O

Updated on September 18, 2022

Comments

  • Strat-O
    Strat-O over 1 year

    I'm using Terraform with the terraform-provider-aws provider to manage my AWS infrastructure. I'm trying to enable mfa_delete on an S3 bucket, but when I try to apply the change I get this error:

    1 error occurred:
            * aws_s3_bucket.logs: 1 error occurred:
            * aws_s3_bucket.logs: Error putting S3 versioning: AccessDenied: Mfa Authentication must be used for this request
            status code: 403, request id: <redacted>, host id: <redacted>
    

    How can I run Terraform in a mode that uses multi-factor authentication? My IAM account has a Virtual MFA device attached, but that MFA isn't used when I'm terraforming because terraform uses the API Access Key associated with my account.

  • Strat-O
    Strat-O about 4 years
    I'm already using assume_role so I guess there's some additional detail I'm missing.