github.com/jpreese/tflint@v0.19.2-0.20200908152133-b01686250fb6/docs/guides/credentials.md

github.com/jpreese/tflint@v0.19.2-0.20200908152133-b01686250fb6/docs/guides/credentials.md (about)

     1  # Credentials
     2  
     3  In [Deep checking](advanced.md#deep-checking), it is necessary to set provider's credentials in order to call APIs. Currently, only AWS is supported.
     4  
     5  Credentials are used with the following priority:
     6  
     7  - Static credentials
     8  - Static credentials (Terraform)
     9  - Environment variables
    10  - Shared credentials
    11  - Shared credentials (Terraform)
    12  - ECS and CodeBuild task roles
    13  - EC2 role
    14  
    15  ## Static credentials
    16  
    17  If you have an access key and a secret key, you can pass these keys like the following:
    18  
    19  ```
    20  $ tflint --aws-access-key AWS_ACCESS_KEY --aws-secret-key AWS_SECRET_KEY --aws-region us-east-1
    21  ```
    22  
    23  ```hcl
    24  config {
    25    aws_credentials = {
    26      access_key = "AWS_ACCESS_KEY"
    27      secret_key = "AWS_SECRET_KEY"
    28      region     = "us-east-1"
    29    }
    30  }
    31  ```
    32  
    33  Although there is not recommended, if an access key is hard-coded in a provider definition, they will also be taken into account. However, aliases are not supported. The priority is higher than the environment variable and lower than the above way.
    34  
    35  ```hcl
    36  provider "aws" {
    37    region     = "us-west-2"
    38    access_key = "my-access-key"
    39    secret_key = "my-secret-key"
    40  }
    41  ```
    42  
    43  ## Shared credentials
    44  
    45  If you have [shared credentials](https://aws.amazon.com/jp/blogs/security/a-new-and-standardized-way-to-manage-credentials-in-the-aws-sdks/), you can pass a profile name and credentials file path. If omitted, these will be `default` and `~/.aws/credentials`.
    46  
    47  ```
    48  $ tflint --aws-profile AWS_PROFILE --aws-region us-east-1 --aws-creds-file ~/.aws/myapp
    49  ```
    50  
    51  ```hcl
    52  config {
    53    aws_credentials = {
    54      profile                 = "AWS_PROFILE"
    55      region                  = "us-east-1"
    56      shared_credentials_file = "~/.aws/myapp"
    57    }
    58  }
    59  ```
    60  
    61  If these configurations are defined in the provider block, they will also be taken into account. But the priority is lower than the above way.
    62  
    63  ```hcl
    64  provider "aws" {
    65    region                  = "us-west-2"
    66    shared_credentials_file = "/Users/tf_user/.aws/creds"
    67    profile                 = "customprofile"
    68  }
    69  ```
    70  
    71  ## Environment variables
    72  
    73  TFLint looks up `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, `AWS_REGION` environment variables. This is useful when you don't want to explicitly pass credentials.
    74  
    75  ```
    76  $ export AWS_ACCESS_KEY_ID=AWS_ACCESS_KEY
    77  $ export AWS_SECRET_ACCESS_KEY=AWS_SECRET_KEY
    78  ```
    79  
    80  ## Role-based authentication
    81  
    82  TFLint fetches AWS credentials in the same way as Terraform. See [this documentation](https://www.terraform.io/docs/providers/aws/index.html#ecs-and-codebuild-task-roles) for role-based authentication.
    83  
    84  ## Assume role
    85  
    86  TFLint can assume a role in the same way as Terraform. See [this documentation](https://www.terraform.io/docs/providers/aws/index.html#assume-role).