Feature request: IAM Service Specific credentials #3233

Closed
honzous opened this issue Feb 1, 2018 · 16 comments · Fixed by #16185
Labels
new-resource Introduces a new resource. service/iam Issues and PRs that pertain to the iam service.
Comments

@honzous

honzous commented Feb 1, 2018

Hi guys,

Service specific credentials could be used for HTTPS access to CodeCommit right now, assuming wider usage later on.

Terraform Version

Terraform v0.11.2
+ provider.aws v1.8.0

Affected Resource(s)

  • aws_iam_user

Terraform Configuration Files

Could be derived from https://docs.aws.amazon.com/IAM/latest/APIReference/API_ServiceSpecificCredential.html

Expected Behavior

resource "aws_iam_service_specific_credential" "codecommit" {
  service_name = "codecommit"
  username = "my_user"
}
@bflad bflad added new-resource Introduces a new resource. service/iam Issues and PRs that pertain to the iam service. labels Feb 1, 2018
@ghost

ghost commented Feb 7, 2018

Need that feature, too. We have a project with high security requirements and no service must call the internet directly (only using HTTP proxies). To work with CodeCommit, auto-generated HTTPS git credentials are mandatory.

@colin-lyman

+1

@colin-lyman

As a short term workaround for anyone in need:

# Terraform 0.11 syntax: quoted type and "${...}" interpolation.
variable "AWS_USERS" {
  description = "List of AWS Users"
  type        = "list"
  default     = ["name.one", "name.two"]
}

resource "aws_iam_user" "users" {
  name  = "${element(var.AWS_USERS, count.index)}"
  count = "${length(var.AWS_USERS)}"

  # Runs once per user at create time; the API returns the password only in this
  # response, and the command appends it in plaintext to credentials.txt.
  provisioner "local-exec" {
    command = "aws iam create-service-specific-credential --user-name ${element(var.AWS_USERS, count.index)} --service-name codecommit.amazonaws.com >> credentials.txt"
  }
}

@samarone

@colin-lyman thanks for your suggestion, works fine for me. I added more lines to the policy entry:

...
  provisioner "local-exec" {
    command = "aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AWSCodeCommitFullAccess --user-name ${element(var.AWS_USERS, count.index)}"
  }
...

@dekimsey

dekimsey commented Sep 5, 2019

Note, these work-arounds don't really work very well because the API to manipulate the credentials will only display the ServicePassword field once during creation, à la IAM access keys.

There doesn't seem to be any way I can determine to have terraform hold on to that output since null_resource/local-exec doesn't have a way of saving its output in the state.

It seems that an API update to include this as a managed resource is definitely required. If someone has a work-around that works well, I'd be very interested to see how it was accomplished.

edit: Additionally, local-execs show the sensitive values in the logs.

@sethbacon

@bflad Any way to bump this up? The work-around won't work on TF Cloud and I'd really like to be able to manage a service account for codecommit with terraform.

@arihantsurana

arihantsurana commented Jan 15, 2020

Service specific credentials are also required to access AWS managed Cassandra. It would be great if there was a resource similar to aws_iam_access_keys that could also encrypt the secret so it's available in tf output:

# Proposed resource shape (not a released schema): the password comes back
# encrypted with the given PGP key, as aws_iam_access_key does.
resource "aws_iam_service_specific_credential" "cassuser" {
  user         = "${aws_iam_user.cassuser.name}"
  pgp_key      = "keybase:some_person_that_exists"
  service_name = "cassandra.amazonaws.com"
}

resource "aws_iam_user" "cassuser" {
  name = "cassuser"
  path = "/system/"
}

output "secret" {
  value = "${aws_iam_service_specific_credential.cassuser.encrypted_secret}"
}

@nicolebeaumont

nicolebeaumont commented Aug 10, 2020

This would be a great feature, especially for aws keyspaces / cassandra

@DrFaust92 DrFaust92 self-assigned this Aug 10, 2020
@samuelfaj

Waiting for it!

@lithiumoxide

With Keyspaces now a service on AWS I have a requirement for this feature, along with the option to return a password encrypted with a PGP key.

@andreynpetrov

andreynpetrov commented Dec 8, 2020

There doesn't seem to be any way I can determine to have terraform hold on to that output since null_resource/local-exec doesn't have a way of saving its output in the state.

@dekimsey You can try to save output of "aws iam create-service-specific-credential..." to aws secret manager with "aws secretsmanager create-secret..." and then get it with terraform: "data.aws_secretsmanager_secret_version.myname"

@jverce

jverce commented Feb 4, 2021

Anyone looking at this? There's already a PR from a few months ago: #16185
I already took a look and the implementation looks good except for a few details, and it uses the native AWS SDK.

@sanarena

Any update on this one?

@github-actions github-actions bot added this to the v4.1.0 milestone Feb 11, 2022
@github-actions

This functionality has been released in v4.1.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
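
An added example of what the thread converges on (not code from this issue, from the provider's documentation or from #16185): the managed resource shipped in provider v4.1.0 replaces the local-exec workaround, so the generated password is held in Terraform state as a sensitive attribute instead of being appended to a file and echoed into apply logs, and it is handed to consumers through Secrets Manager as the earlier comment proposes doing by hand. The argument names `service_name` and `user_name` and the attributes `service_user_name` and `service_password` are assumed from the released schema; the user, policy choice, secret name and output names are placeholders chosen for the example.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.1.0" # first release carrying aws_iam_service_specific_credential
    }
  }
}

# Dedicated user for HTTPS Git access to CodeCommit (placeholder name).
resource "aws_iam_user" "codecommit_bot" {
  name = "codecommit-bot"
  path = "/system/"
}

# Least privilege for a pull-only integration; widen to PowerUser/FullAccess only if pushes are needed.
resource "aws_iam_user_policy_attachment" "codecommit_ro" {
  user       = aws_iam_user.codecommit_bot.name
  policy_arn = "arn:aws:iam::aws:policy/AWSCodeCommitReadOnly"
}

# Managed resource: no local-exec, no credentials.txt. The provider keeps
# service_password in state, so the state backend must be encrypted and access-controlled.
resource "aws_iam_service_specific_credential" "codecommit" {
  service_name = "codecommit.amazonaws.com" # same value the CLI workaround used
  user_name    = aws_iam_user.codecommit_bot.name
}

# Distribute the credential via Secrets Manager (placeholder secret name).
resource "aws_secretsmanager_secret" "codecommit_https" {
  name = "codecommit/https-git-credentials"
}

resource "aws_secretsmanager_secret_version" "codecommit_https" {
  secret_id = aws_secretsmanager_secret.codecommit_https.id
  secret_string = jsonencode({
    username = aws_iam_service_specific_credential.codecommit.service_user_name
    password = aws_iam_service_specific_credential.codecommit.service_password
  })
}

output "codecommit_https_username" {
  value = aws_iam_service_specific_credential.codecommit.service_user_name
}

# Without sensitive = true, terraform apply prints the password to the console and CI log.
output "codecommit_https_password" {
  value     = aws_iam_service_specific_credential.codecommit.service_password
  sensitive = true
}
```

Consumers read the secret with `aws secretsmanager get-secret-value` (or a `data "aws_secretsmanager_secret_version"` block in another workspace) rather than from the state file; rotating the credential is a replace of the `aws_iam_service_specific_credential` resource, which updates the secret version on the next apply.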

@sanarena

worked!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 12, 2022