Include access_key, secret_key, and session_token in aws_caller_identity #8517
Conversation
This allows local-exec provisioners to be able to retrieve the credentials that the aws provider is using. Ex:

```
provider "aws" {}

data "aws_caller_identity" "current" {}

resource "null_resource" "my_resource" {
  provisioner "local-exec" {
    command = "some-command"

    environment {
      AWS_ACCESS_KEY_ID     = "${data.aws_caller_identity.current.access_key}"
      AWS_SECRET_ACCESS_KEY = "${data.aws_caller_identity.current.secret_key}"
      AWS_SESSION_TOKEN     = "${data.aws_caller_identity.current.session_token}"
    }
  }
}
```

closes: #8242
Having a little trouble running tests on my dinky laptop. Will try again on a bigger machine when I get the chance.

Hi, can we have an update on this issue? Is it good enough to be merged, or is there anything still blocking it from being reviewed and merged? Thanks for the clarification.

Any update on that?

@bflad Is it possible to have this reviewed?
I wrote this PR, but having recently been more involved with my company's security organization, I don't believe that this is a good solution to the problem. Having keys stored in the tfstate, even if temporary, is a generally bad idea. Even worse, this implementation doesn't give users that may need aws_caller_identity a choice. Users could unwittingly publish their potentially long-term keys through their tfstate into an unencrypted S3 bucket (or worse, GitHub!). A slightly better solution would be to break this out into a separate data resource that can be used explicitly to fetch keys for those that are unconcerned with the security implications. I mentioned that I had done this in my last comment in #8242. I will close this and open a new PR with those changes.
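The risk raised in the comment above is that state files are written in plaintext, so anything a data source exposes as an attribute ends up wherever the state is stored. As an added example (not code from this PR or from the provider), the script below scans a Terraform 0.12+ JSON state document for credential material, both by attribute name (the three attributes this PR proposed) and by the `AKIA`/`ASIA` prefix of AWS access key IDs; the state document it runs on is constructed, and the key values in it are not real credentials.

```python
"""Scan a Terraform JSON state document for AWS credential material."""
import json
import re

# The attribute names this PR would have added to aws_caller_identity.
CREDENTIAL_KEYS = {"access_key", "secret_key", "session_token"}
# AWS access key IDs are 20 chars starting with AKIA (long-term) or ASIA (STS).
ACCESS_KEY_ID_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")


def find_credentials(state):
    """Return (address, attribute, reason) for every credential-shaped value."""
    findings = []

    def check(address, attr, value):
        if not isinstance(value, str) or not value:
            return  # empty session_token etc. is not a leak
        if attr in CREDENTIAL_KEYS:
            findings.append((address, attr, "credential attribute name"))
        elif ACCESS_KEY_ID_RE.match(value):
            findings.append((address, attr, "value looks like an AWS access key ID"))

    # Outputs are stored in plaintext too; "sensitive" only affects CLI display.
    for name, out in state.get("outputs", {}).items():
        check("output", name, out.get("value"))
    for res in state.get("resources", []):
        address = f"{res['type']}.{res['name']}"
        if res.get("mode") == "data":
            address = "data." + address
        for inst in res.get("instances", []):
            for attr, value in (inst.get("attributes") or {}).items():
                check(address, attr, value)
    return findings


# Constructed state: the data source with the attributes proposed in this PR,
# an unrelated resource, and an output whose value is key-shaped.
SAMPLE_STATE = json.loads("""{
  "version": 4,
  "outputs": {"key_id": {"value": "ASIAEXAMPLEEXAMPLE02", "type": "string"}},
  "resources": [
    {"mode": "data", "type": "aws_caller_identity", "name": "current",
     "instances": [{"attributes": {"account_id": "123456789012",
        "access_key": "AKIAEXAMPLEEXAMPLE01", "secret_key": "constructed-secret",
        "session_token": ""}}]},
    {"mode": "managed", "type": "null_resource", "name": "my_resource",
     "instances": [{"attributes": {"id": "1234", "triggers": null}}]}
  ]
}""")

if __name__ == "__main__":
    for address, attr, reason in find_credentials(SAMPLE_STATE):
        print(f"{address}: {attr} ({reason})")
```

Running it against a real state file (`terraform state pull | python scan.py`-style) is a cheap pre-commit or CI check for exactly the leak described above.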
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
Fixes #8242