github.com/adrian-bl/terraform@v0.7.0-rc2.0.20160705220747-de0a34fc3517/website/source/docs/providers/aws/index.html.markdown

---
layout: "aws"
page_title: "Provider: AWS"
sidebar_current: "docs-aws-index"
description: |-
  The Amazon Web Services (AWS) provider is used to interact with the many resources supported by AWS. The provider needs to be configured with the proper credentials before it can be used.
---

# AWS Provider

The Amazon Web Services (AWS) provider is used to interact with the
many resources supported by AWS. The provider needs to be configured
with the proper credentials before it can be used.

Use the navigation to the left to read about the available resources.

## Example Usage

```
# Configure the AWS Provider
provider "aws" {
    access_key = "${var.aws_access_key}"
    secret_key = "${var.aws_secret_key}"
    region     = "us-east-1"
}

# Create a web server
resource "aws_instance" "web" {
    ...
}
```

## Authentication

The AWS provider offers flexible means of providing credentials for
authentication. The following methods are supported, in this order of
precedence, and explained below:

- Static credentials
- Environment variables
- Shared credentials file
- EC2 Role

### Static credentials

Static credentials can be provided by adding an `access_key` and `secret_key` in-line in the
aws provider block:

Usage:

```
provider "aws" {
    region     = "us-west-2"
    access_key = "anaccesskey"
    secret_key = "asecretkey"
}
```

Keys written in-line like this live in the `.tf` file and therefore end up in
version control together with the rest of the configuration. Pass them in through
variables, as in the example at the top of this page, or use one of the methods
below.

### Environment variables

You can provide your credentials via the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`
environment variables, representing your AWS Access Key and AWS Secret Key, respectively.
`AWS_DEFAULT_REGION` and `AWS_SECURITY_TOKEN` are also used, if applicable:

```
provider "aws" {}
```

Usage:

```
$ export AWS_ACCESS_KEY_ID="anaccesskey"
$ export AWS_SECRET_ACCESS_KEY="asecretkey"
$ export AWS_DEFAULT_REGION="us-west-2"
$ terraform plan
```

### Shared Credentials file

You can use an AWS credentials file to specify your credentials. The default
location is `$HOME/.aws/credentials` on Linux and OS X, or `"%USERPROFILE%\.aws\credentials"`
for Windows users. If Terraform fails to detect credentials in-line or in the
environment, it will check this location. You can optionally specify a
different location in the configuration by providing `shared_credentials_file`,
or in the environment with the `AWS_SHARED_CREDENTIALS_FILE` variable. This
method also supports a `profile` configuration and the matching `AWS_PROFILE`
environment variable:

Usage:

```
provider "aws" {
    region                  = "us-west-2"
    shared_credentials_file = "/Users/tf_user/.aws/creds"
    profile                 = "customprofile"
}
```

### EC2 Role

If you're running Terraform from an EC2 instance with an IAM Instance Profile
using an IAM Role, Terraform will ask
[the metadata API](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#instance-metadata-security-credentials)
endpoint for credentials.

This is the preferred approach over any other when running in EC2, as you avoid
hardcoding credentials. Instead these are leased on the fly by Terraform,
which reduces the chance of leakage. Bear in mind that the metadata endpoint
answers any process on the instance, so everything running there shares the
role; keep the role's policy limited to what Terraform needs.

You can provide a custom metadata API endpoint via the `AWS_METADATA_ENDPOINT` variable,
which expects the endpoint URL including the version
and defaults to `http://169.254.169.254:80/latest`.

## Argument Reference

The following arguments are supported in the `provider` block:

* `access_key` - (Optional) This is the AWS access key.
  If not set in-line, it is sourced from the `AWS_ACCESS_KEY_ID` environment variable, or via
  a shared credentials file if `profile` is specified.

* `secret_key` - (Optional) This is the AWS secret key. If not set in-line, it is sourced
  from the `AWS_SECRET_ACCESS_KEY` environment variable, or via a shared credentials file
  if `profile` is specified.

* `region` - (Required) This is the AWS region. It must be provided, but
  it can also be sourced from the `AWS_DEFAULT_REGION` environment variable, or
  via a shared credentials file if `profile` is specified.

* `profile` - (Optional) This is the AWS profile name as set in the shared credentials
  file.

* `shared_credentials_file` - (Optional) This is the path to the shared credentials file.
  If this is not set and a profile is specified, `~/.aws/credentials` will be used.

* `token` - (Optional) Use this to set a session token, for example one issued by STS
  for an MFA-authenticated session. It can also be sourced from the `AWS_SECURITY_TOKEN`
  environment variable.

* `max_retries` - (Optional) This is the maximum number of times an API call is
  retried in case requests are being throttled or experience transient failures.
  The delay between subsequent API calls increases exponentially.

* `allowed_account_ids` - (Optional) List of allowed AWS account IDs (whitelist)
  to prevent you from mistakenly using the wrong one (and ending up destroying a live environment).
  Conflicts with `forbidden_account_ids`.

* `forbidden_account_ids` - (Optional) List of forbidden AWS account IDs (blacklist)
  to prevent you from mistakenly using the wrong one (and ending up destroying a live environment).
  Conflicts with `allowed_account_ids`.

* `insecure` - (Optional) Explicitly allow the provider to
  perform "insecure" SSL requests, i.e. skip verification of the API endpoint's TLS certificate.
  If omitted, the default value is `false`. Leave it at the default outside of local
  testing against an endpoint with a self-signed certificate: with verification off,
  anything on the network path can impersonate the API endpoint to Terraform.

* `dynamodb_endpoint` - (Optional) Use this to override the default endpoint
  URL constructed from the `region`. It's typically used to connect to
  dynamodb-local.

* `kinesis_endpoint` - (Optional) Use this to override the default endpoint
  URL constructed from the `region`. It's typically used to connect to
  kinesalite.

The nested `endpoints` block supports the following:

* `iam` - (Optional) Use this to override the default endpoint
  URL constructed from the `region`. It's typically used to connect to
  custom iam endpoints.

* `ec2` - (Optional) Use this to override the default endpoint
  URL constructed from the `region`. It's typically used to connect to
  custom ec2 endpoints.

* `elb` - (Optional) Use this to override the default endpoint
  URL constructed from the `region`. It's typically used to connect to
  custom elb endpoints.

## Getting the Account ID

If you use either `allowed_account_ids` or `forbidden_account_ids`,
Terraform uses several approaches to get the actual account ID
in order to compare it with the allowed/forbidden ones.

The approaches differ per authentication method:

* EC2 instance w/ IAM Instance Profile - the [Metadata API](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)
  is always used. Introduced in Terraform `0.6.16`.
* All other methods (ENV vars, shared creds file, ...)
  will try the following approaches, in this order:
  * `iam:GetUser` - typically useful for IAM Users. It also means
    that each user needs to be privileged to call `iam:GetUser` for themselves.
  * `sts:GetCallerIdentity` - _Should_ work for both IAM Users and federated IAM Roles,
    introduced in Terraform `0.6.16`.
  * `iam:ListRoles` - this is specifically useful for IdP-federated profiles
    which cannot use `iam:GetUser`.
    It also means that each federated user
    needs to be _assuming_ an IAM role which allows `iam:ListRoles`.
    Used in Terraform `0.6.16+`.
    There used to be no better way to get the account ID out of the API
    when using a federated account until `sts:GetCallerIdentity` was introduced.
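The account ID lookup and the `allowed_account_ids`/`forbidden_account_ids` guard described in this section, as an added example in Go (Terraform's implementation language). This is illustrative code written for this page, not the provider's own implementation: the three API calls are stood in for by functions that return the ARN each call reports (`User.Arn`, the caller identity `Arn`, or the first `Role.Arn`) or the error the API returned, the metadata API answer is passed in as a plain string, and all ARNs and account IDs are constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// AccountIDFromARN pulls the account field out of an IAM or STS ARN, e.g.
// arn:aws:iam::123456789012:user/alice or arn:aws:sts::123456789012:assumed-role/ops/session.
func AccountIDFromARN(arn string) (string, error) {
	parts := strings.Split(arn, ":")
	if len(parts) < 6 || parts[0] != "arn" {
		return "", fmt.Errorf("malformed ARN %q", arn)
	}
	id := parts[4]
	if len(id) != 12 || strings.Trim(id, "0123456789") != "" {
		return "", fmt.Errorf("ARN %q carries no 12-digit account ID", arn)
	}
	return id, nil
}

// APICall stands in for one AWS API call and yields the ARN that call reports
// (iam:GetUser -> User.Arn, sts:GetCallerIdentity -> Arn, iam:ListRoles -> first Role.Arn)
// or the error the API returned, such as AccessDenied for a federated principal.
type APICall func() (string, error)

// LookupAccountID follows the documented order. metadataAccountID is non-empty only
// under an EC2 instance profile, where the metadata API answer is used unconditionally.
func LookupAccountID(metadataAccountID string, getUser, getCallerIdentity, listRoles APICall) (string, error) {
	if metadataAccountID != "" {
		return metadataAccountID, nil
	}
	attempts := []struct {
		name string
		call APICall
	}{
		{"iam:GetUser", getUser},
		{"sts:GetCallerIdentity", getCallerIdentity},
		{"iam:ListRoles", listRoles},
	}
	var failures []string
	for _, a := range attempts {
		arn, err := a.call()
		if err == nil {
			id, perr := AccountIDFromARN(arn)
			if perr == nil {
				return id, nil
			}
			err = perr
		}
		failures = append(failures, a.name+": "+err.Error())
	}
	return "", errors.New("unable to determine account ID: " + strings.Join(failures, "; "))
}

// CheckAccountID enforces allowed_account_ids / forbidden_account_ids; setting both
// is rejected, matching the documented conflict between the two arguments.
func CheckAccountID(accountID string, allowed, forbidden []string) error {
	if len(allowed) > 0 && len(forbidden) > 0 {
		return errors.New("allowed_account_ids and forbidden_account_ids conflict")
	}
	for _, id := range forbidden {
		if id == accountID {
			return fmt.Errorf("forbidden AWS account ID: %s", accountID)
		}
	}
	if len(allowed) == 0 {
		return nil
	}
	for _, id := range allowed {
		if id == accountID {
			return nil
		}
	}
	return fmt.Errorf("AWS account ID not allowed: %s", accountID)
}

func main() {
	// Constructed scenario: an IdP-federated role, for which iam:GetUser is denied and
	// sts:GetCallerIdentity answers with the assumed-role ARN.
	denied := func() (string, error) { return "", errors.New("AccessDenied") }
	identity := func() (string, error) {
		return "arn:aws:sts::123456789012:assumed-role/TerraformDeploy/session", nil
	}
	id, err := LookupAccountID("", denied, identity, denied)
	fmt.Println(id, err)
	fmt.Println(CheckAccountID(id, []string{"111111111111"}, nil)) // guard rejects the wrong account
}
```

The ARN parser is the piece that makes the fallback chain work for federated principals: `iam:GetUser` fails for them, but the `arn:aws:sts::ACCOUNT:assumed-role/...` ARN returned by `sts:GetCallerIdentity` carries the account field in the same position, so a single parser serves all three sources.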
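The credential chain described under Authentication earlier on this page, resolved in the documented order (static, environment variables, shared credentials file, EC2 role), as an added example in Go. This is illustrative code written for this page, not the provider's own implementation (which delegates to the AWS SDK): the process environment, the filesystem and the instance metadata endpoint are replaced by plain values passed in, the sample credentials file is constructed, and every key value is a placeholder.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// Credentials is what the provider signs requests with; SessionToken is set only
// when a session token (for example one issued by STS after MFA) was supplied.
type Credentials struct {
	AccessKey, SecretKey, SessionToken string
}

// ProviderConfig mirrors the authentication fields of the provider block.
type ProviderConfig struct {
	AccessKey, SecretKey, Token, Profile, SharedCredentialsFile string
}

// firstNonEmpty applies the "provider block, then environment, then default"
// precedence the provider uses for the file path and the profile name.
func firstNonEmpty(vals ...string) string {
	for _, v := range vals {
		if v != "" {
			return v
		}
	}
	return ""
}

// ParseSharedCredentials reads the INI-style ~/.aws/credentials format and returns
// the keys of one profile; ok is false when the profile is missing or incomplete.
func ParseSharedCredentials(content, profile string) (c Credentials, ok bool) {
	section := ""
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = strings.TrimSpace(line[1 : len(line)-1])
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if section != profile || len(kv) != 2 || strings.HasPrefix(line, "#") {
			continue // other profile, blank/comment line, or not a key = value pair
		}
		v := strings.TrimSpace(kv[1])
		switch strings.ToLower(strings.TrimSpace(kv[0])) {
		case "aws_access_key_id":
			c.AccessKey = v
		case "aws_secret_access_key":
			c.SecretKey = v
		case "aws_session_token":
			c.SessionToken = v
		}
	}
	return c, c.AccessKey != "" && c.SecretKey != ""
}

// ResolveCredentials walks the chain in the documented order: static > environment >
// shared credentials file > EC2 role. env stands in for the process environment,
// files maps path to content in place of the filesystem, and roleCreds stands in
// for the instance metadata endpoint (nil when not on EC2 with an instance profile).
func ResolveCredentials(cfg ProviderConfig, env, files map[string]string, roleCreds *Credentials) (Credentials, error) {
	if cfg.AccessKey != "" && cfg.SecretKey != "" {
		return Credentials{cfg.AccessKey, cfg.SecretKey, cfg.Token}, nil
	}
	if ak, sk := env["AWS_ACCESS_KEY_ID"], env["AWS_SECRET_ACCESS_KEY"]; ak != "" && sk != "" {
		return Credentials{ak, sk, env["AWS_SECURITY_TOKEN"]}, nil
	}
	path := firstNonEmpty(cfg.SharedCredentialsFile, env["AWS_SHARED_CREDENTIALS_FILE"], "~/.aws/credentials")
	profile := firstNonEmpty(cfg.Profile, env["AWS_PROFILE"], "default")
	if c, ok := ParseSharedCredentials(files[path], profile); ok {
		return c, nil
	}
	if roleCreds != nil {
		return *roleCreds, nil // leased from the instance metadata API
	}
	return Credentials{}, errors.New("no valid credential sources found")
}

// sampleCredentialsFile is constructed for this example; every value is a placeholder.
const sampleCredentialsFile = `[default]
aws_access_key_id = DEFAULTKEY
aws_secret_access_key = DEFAULTSECRET

[customprofile]
aws_access_key_id = PROFILEKEY
aws_secret_access_key = PROFILESECRET
aws_session_token = PROFILETOKEN
`

func main() {
	files := map[string]string{"/Users/tf_user/.aws/creds": sampleCredentialsFile}
	cfg := ProviderConfig{SharedCredentialsFile: "/Users/tf_user/.aws/creds", Profile: "customprofile"}
	fmt.Println(ResolveCredentials(cfg, nil, files, nil))
}
```

The point to take from the chain is that an earlier link silently wins: a stale `AWS_ACCESS_KEY_ID` in the environment masks the profile you named in the provider block, and in-line keys mask everything. When Terraform appears to act as the wrong principal, check the sources in this order before anything else.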