2014-07-23 20:50:41 +02:00
---
layout: "aws"
page_title: "Provider: AWS"
sidebar_current: "docs-aws-index"
2014-10-22 05:21:56 +02:00
description: |-
The Amazon Web Services (AWS) provider is used to interact with the many resources supported by AWS. The provider needs to be configured with the proper credentials before it can be used.
2014-07-23 20:50:41 +02:00
---
# AWS Provider
2014-07-23 21:14:31 +02:00
The Amazon Web Services (AWS) provider is used to interact with the
many resources supported by AWS. The provider needs to be configured
with the proper credentials before it can be used.
Use the navigation to the left to read about the available resources.
## Example Usage
2017-04-07 17:54:28 +02:00
```hcl
2014-07-23 21:14:31 +02:00
# Configure the AWS Provider
provider "aws" {
2017-02-18 23:48:50 +01:00
access_key = "${var.aws_access_key}"
secret_key = "${var.aws_secret_key}"
region = "us-east-1"
2014-07-23 21:14:31 +02:00
}
# Create a web server
resource "aws_instance" "web" {
2017-02-18 23:48:50 +01:00
# ...
2014-07-23 21:14:31 +02:00
}
```
2016-11-17 12:52:06 +01:00
## Authentication
2016-01-27 23:30:03 +01:00
2016-11-17 12:52:06 +01:00
The AWS provider offers a flexible means of providing credentials for
2016-01-29 16:09:24 +01:00
authentication. The following methods are supported, in this order, and
explained below:
2016-01-27 23:30:03 +01:00
2016-01-29 16:09:24 +01:00
- Static credentials
- Environment variables
- Shared credentials file
2015-12-12 23:58:19 +01:00
- EC2 Role
2016-01-29 16:09:24 +01:00
### Static credentials ###
Static credentials can be provided by adding an `access_key` and `secret_key` in-line in the
2016-11-17 12:52:06 +01:00
AWS provider block:
2016-01-29 16:09:24 +01:00
2016-11-17 12:52:06 +01:00
Usage:
2016-01-29 16:09:24 +01:00
2017-04-17 12:17:54 +02:00
```hcl
2016-01-29 16:09:24 +01:00
provider "aws" {
region = "us-west-2"
access_key = "anaccesskey"
secret_key = "asecretkey"
}
```
2016-11-17 12:52:06 +01:00
### Environment variables
2016-01-29 16:09:24 +01:00
2016-11-17 12:52:06 +01:00
You can provide your credentials via the `AWS_ACCESS_KEY_ID` and
`AWS_SECRET_ACCESS_KEY` , environment variables, representing your AWS
Access Key and AWS Secret Key, respectively. The `AWS_DEFAULT_REGION`
and `AWS_SESSION_TOKEN` environment variables are also used, if
applicable:
2016-01-29 16:09:24 +01:00
2017-04-07 17:54:28 +02:00
```hcl
2016-01-29 16:09:24 +01:00
provider "aws" {}
```
Usage:
2017-04-07 17:54:28 +02:00
```hcl
2016-11-17 12:52:06 +01:00
$ export AWS_ACCESS_KEY_ID="anaccesskey"
2016-01-29 16:09:24 +01:00
$ export AWS_SECRET_ACCESS_KEY="asecretkey"
$ export AWS_DEFAULT_REGION="us-west-2"
$ terraform plan
```
2016-11-17 12:52:06 +01:00
### Shared Credentials file
2016-01-29 16:09:24 +01:00
2016-11-17 12:52:06 +01:00
You can use an AWS credentials file to specify your credentials. The
default location is `$HOME/.aws/credentials` on Linux and OS X, or
`"%USERPROFILE%\.aws\credentials"` for Windows users. If we fail to
detect credentials inline, or in the environment, Terraform will check
this location. You can optionally specify a different location in the
configuration by providing the `shared_credentials_file` attribute, or
in the environment with the `AWS_SHARED_CREDENTIALS_FILE` variable. This
method also supports a `profile` configuration and matching
`AWS_PROFILE` environment variable:
2016-01-29 16:09:24 +01:00
2016-11-17 12:52:06 +01:00
Usage:
2016-01-29 16:09:24 +01:00
2017-04-07 17:54:28 +02:00
```hcl
2016-01-29 16:09:24 +01:00
provider "aws" {
2017-02-18 23:48:50 +01:00
region = "us-west-2"
shared_credentials_file = "/Users/tf_user/.aws/creds"
profile = "customprofile"
2016-01-29 16:09:24 +01:00
}
```
2016-01-27 23:30:03 +01:00
2016-11-17 12:52:06 +01:00
### EC2 Role
2015-12-12 23:58:19 +01:00
If you're running Terraform from an EC2 instance with IAM Instance Profile
using IAM Role, Terraform will just ask
[the metadata API ](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#instance-metadata-security-credentials )
endpoint for credentials.
This is a preferred approach over any other when running in EC2 as you can avoid
2016-11-17 12:52:06 +01:00
hard coding credentials. Instead these are leased on-the-fly by Terraform
2015-12-12 23:58:19 +01:00
which reduces the chance of leakage.
2016-11-17 12:52:06 +01:00
You can provide the custom metadata API endpoint via the `AWS_METADATA_ENDPOINT` variable
which expects the endpoint URL, including the version, and defaults to `http://169.254.169.254:80/latest` .
2015-12-12 23:58:19 +01:00
2016-11-17 12:52:06 +01:00
### Assume role
2016-08-27 02:46:41 +02:00
2016-09-02 19:36:01 +02:00
If provided with a role ARN, Terraform will attempt to assume this role
2016-08-27 02:46:41 +02:00
using the supplied credentials.
Usage:
2017-04-07 17:54:28 +02:00
```hcl
2016-08-27 02:46:41 +02:00
provider "aws" {
2016-09-02 19:36:01 +02:00
assume_role {
2017-02-18 23:48:50 +01:00
role_arn = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
2016-09-02 19:36:01 +02:00
session_name = "SESSION_NAME"
2017-02-18 23:48:50 +01:00
external_id = "EXTERNAL_ID"
2016-09-02 19:36:01 +02:00
}
2016-08-27 02:46:41 +02:00
}
```
2014-07-23 21:14:31 +02:00
## Argument Reference
2015-03-04 02:35:54 +01:00
The following arguments are supported in the `provider` block:
2014-07-23 21:14:31 +02:00
2016-01-11 16:22:09 +01:00
* `access_key` - (Optional) This is the AWS access key. It must be provided, but
it can also be sourced from the `AWS_ACCESS_KEY_ID` environment variable, or via
a shared credentials file if `profile` is specified.
2014-07-23 21:14:31 +02:00
2016-01-11 16:22:09 +01:00
* `secret_key` - (Optional) This is the AWS secret key. It must be provided, but
it can also be sourced from the `AWS_SECRET_ACCESS_KEY` environment variable, or
via a shared credentials file if `profile` is specified.
2014-07-23 21:14:31 +02:00
* `region` - (Required) This is the AWS region. It must be provided, but
2016-01-11 16:22:09 +01:00
it can also be sourced from the `AWS_DEFAULT_REGION` environment variables, or
via a shared credentials file if `profile` is specified.
* `profile` - (Optional) This is the AWS profile name as set in the shared credentials
file.
2016-10-13 17:50:46 +02:00
* `assume_role` - (Optional) An `assume_role` block (documented below). Only one
2016-09-02 19:36:01 +02:00
`assume_role` block may be in the configuration.
2016-01-11 16:22:09 +01:00
* `shared_credentials_file` = (Optional) This is the path to the shared credentials file.
2016-11-17 12:52:06 +01:00
If this is not set and a profile is specified, `~/.aws/credentials` will be used.
2016-01-11 16:22:09 +01:00
* `token` - (Optional) Use this to set an MFA token. It can also be sourced
2016-09-14 11:18:47 +02:00
from the `AWS_SESSION_TOKEN` environment variable.
2015-03-04 02:31:45 +01:00
2016-11-17 12:52:06 +01:00
* `max_retries` - (Optional) This is the maximum number of times an API
call is retried, in the case where requests are being throttled or
experiencing transient failures. The delay between the subsequent API
calls increases exponentially.
2015-05-03 11:08:47 +02:00
2016-11-17 12:52:06 +01:00
* `allowed_account_ids` - (Optional) List of allowed, white listed, AWS
account IDs to prevent you from mistakenly using an incorrect one (and
potentially end up destroying a live environment). Conflicts with
`forbidden_account_ids` .
2015-04-20 00:54:42 +02:00
2016-11-17 12:52:06 +01:00
* `forbidden_account_ids` - (Optional) List of forbidden, blacklisted,
AWS account IDs to prevent you mistakenly using a wrong one (and
potentially end up destroying a live environment). Conflicts with
`allowed_account_ids` .
2015-04-20 00:54:42 +02:00
2016-11-17 12:52:06 +01:00
* `insecure` - (Optional) Explicitly allow the provider to
perform "insecure" SSL requests. If omitted, default value is `false` .
2016-02-08 16:04:13 +01:00
2016-11-17 12:52:06 +01:00
* `skip_credentials_validation` - (Optional) Skip the credentials
validation via the STS API. Useful for AWS API implementations that do
not have STS available or implemented.
2016-08-10 18:10:28 +02:00
2017-04-14 23:41:59 +02:00
* `skip_get_ec2_platforms` - (Optional) Skip getting the supported EC2
platforms. Used by users that don't have ec2:DescribeAccountAttributes
permissions.
2017-01-23 16:01:22 +01:00
* `skip_region_validation` - (Optional) Skip validation of provided region name.
Useful for AWS-like implementations that use their own region names
or to bypass the validation for regions that aren't publicly available yet.
2016-11-17 12:52:06 +01:00
* `skip_requesting_account_id` - (Optional) Skip requesting the account
ID. Useful for AWS API implementations that do not have the IAM, STS
API, or metadata API. When set to `true` , prevents you from managing
any resource that requires Account ID to construct an ARN, e.g.
2016-08-10 18:10:28 +02:00
- `aws_db_instance`
- `aws_db_option_group`
- `aws_db_parameter_group`
- `aws_db_security_group`
- `aws_db_subnet_group`
- `aws_elasticache_cluster`
- `aws_glacier_vault`
- `aws_rds_cluster`
- `aws_rds_cluster_instance`
- `aws_rds_cluster_parameter_group`
- `aws_redshift_cluster`
2016-11-17 12:52:06 +01:00
* `skip_metadata_api_check` - (Optional) Skip the AWS Metadata API
check. Useful for AWS API implementations that do not have a metadata
API endpoint. Setting to `true` prevents Terraform from authenticating
via the Metadata API. You may need to use other authentication methods
like static credentials, configuration variables, or environment
variables.
2016-08-10 18:10:28 +02:00
2016-11-17 12:52:06 +01:00
* `s3_force_path_style` - (Optional) Set this to `true` to force the
request to use path-style addressing, i.e.,
`http://s3.amazonaws.com/BUCKET/KEY` . By default, the S3 client will use
virtual hosted bucket addressing, `http://BUCKET.s3.amazonaws.com/KEY` ,
when possible. Specific to the Amazon S3 service.
2016-08-10 18:10:28 +02:00
2016-09-02 19:36:01 +02:00
The nested `assume_role` block supports the following:
* `role_arn` - (Required) The ARN of the role to assume.
* `session_name` - (Optional) The session name to use when making the
AssumeRole call.
* `external_id` - (Optional) The external ID to use when making the
2016-11-17 12:52:06 +01:00
AssumeRole call.
2016-09-02 19:36:01 +02:00
2017-02-18 23:48:50 +01:00
* `policy` - (Optional) A more restrictive policy to apply to the temporary credentials.
2017-01-29 21:32:24 +01:00
This gives you a way to further restrict the permissions for the resulting temporary
security credentials. You cannot use the passed policy to grant permissions that are
in excess of those allowed by the access policy of the role that is being assumed.
2016-09-02 19:36:01 +02:00
Nested `endpoints` block supports the following:
2016-02-08 16:04:13 +01:00
2017-04-15 03:36:05 +02:00
* `cloudwatch` - (Optional) Use this to override the default endpoint
URL constructed from the `region` . It's typically used to connect to
custom CloudWatch endpoints.
* `cloudwatchevents` - (Optional) Use this to override the default endpoint
URL constructed from the `region` . It's typically used to connect to
custom CloudWatchEvents endpoints.
* `cloudwatchlogs` - (Optional) Use this to override the default endpoint
URL constructed from the `region` . It's typically used to connect to
custom CloudWatchLogs endpoints.
* `cloudformation` - (Optional) Use this to override the default endpoint
URL constructed from the `region` . It's typically used to connect to
custom CloudFormation endpoints.
2017-04-07 16:02:39 +02:00
* `dynamodb` - (Optional) Use this to override the default endpoint
URL constructed from the `region` . It's typically used to connect to
`dynamodb-local` .
* `kinesis` - (Optional) Use this to override the default endpoint
URL constructed from the `region` . It's typically used to connect to
`kinesalite` .
2017-04-15 03:36:05 +02:00
* `kms` - (Optional) Use this to override the default endpoint
URL constructed from the `region` . It's typically used to connect to
custom KMS endpoints.
2016-02-08 16:04:13 +01:00
* `iam` - (Optional) Use this to override the default endpoint
2015-12-11 16:27:49 +01:00
URL constructed from the `region` . It's typically used to connect to
2016-11-17 12:52:06 +01:00
custom IAM endpoints.
2015-12-11 16:27:49 +01:00
2016-02-08 16:04:13 +01:00
* `ec2` - (Optional) Use this to override the default endpoint
2015-12-11 16:27:49 +01:00
URL constructed from the `region` . It's typically used to connect to
2016-11-17 12:52:06 +01:00
custom EC2 endpoints.
2015-12-11 16:27:49 +01:00
2016-02-08 16:04:13 +01:00
* `elb` - (Optional) Use this to override the default endpoint
URL constructed from the `region` . It's typically used to connect to
2016-11-17 12:52:06 +01:00
custom ELB endpoints.
2015-12-12 23:58:19 +01:00
2017-04-15 03:36:05 +02:00
* `rds` - (Optional) Use this to override the default endpoint
URL constructed from the `region` . It's typically used to connect to
custom RDS endpoints.
2016-08-12 18:52:12 +02:00
* `s3` - (Optional) Use this to override the default endpoint
URL constructed from the `region` . It's typically used to connect to
2016-11-17 12:52:06 +01:00
custom S3 endpoints.
2016-08-12 18:52:12 +02:00
2017-04-15 03:36:05 +02:00
* `sns` - (Optional) Use this to override the default endpoint
URL constructed from the `region` . It's typically used to connect to
custom SNS endpoints.
* `sqs` - (Optional) Use this to override the default endpoint
URL constructed from the `region` . It's typically used to connect to
custom SQS endpoints.
2015-12-12 23:58:19 +01:00
## Getting the Account ID
If you use either `allowed_account_ids` or `forbidden_account_ids` ,
Terraform uses several approaches to get the actual account ID
2016-11-17 12:52:06 +01:00
in order to compare it with allowed or forbidden IDs.
2015-12-12 23:58:19 +01:00
2016-11-17 12:52:06 +01:00
Approaches differ per authentication providers:
2015-12-12 23:58:19 +01:00
* EC2 instance w/ IAM Instance Profile - [Metadata API ](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html )
2016-05-05 18:46:13 +02:00
is always used. Introduced in Terraform `0.6.16` .
2016-11-17 12:52:06 +01:00
* All other providers (environment variable, shared credentials file, ...)
2015-12-12 23:58:19 +01:00
will try two approaches in the following order
2016-11-17 12:52:06 +01:00
* `iam:GetUser` - Typically useful for IAM Users. It also means
2015-12-12 23:58:19 +01:00
that each user needs to be privileged to call `iam:GetUser` for themselves.
2016-05-05 18:46:13 +02:00
* `sts:GetCallerIdentity` - _Should_ work for both IAM Users and federated IAM Roles,
introduced in Terraform `0.6.16` .
2016-11-17 12:52:06 +01:00
* `iam:ListRoles` - This is specifically useful for IdP-federated profiles
2015-12-12 23:58:19 +01:00
which cannot use `iam:GetUser` . It also means that each federated user
need to be _assuming_ an IAM role which allows `iam:ListRoles` .
2016-05-05 18:46:13 +02:00
Used in Terraform `0.6.16+` .
There used to be no better way to get account ID out of the API
when using federated account until `sts:GetCallerIdentity` was introduced.