github.com/jpreese/tflint@v0.19.2-0.20200908152133-b01686250fb6/docs/guides/credentials.md

# Credentials

[Deep checking](advanced.md#deep-checking) requires the provider's credentials in order to call APIs. Currently, only AWS is supported.

Credentials are used with the following priority:

- Static credentials
- Static credentials (Terraform)
- Environment variables
- Shared credentials
- Shared credentials (Terraform)
- ECS and CodeBuild task roles
- EC2 role

## Static credentials

If you have an access key and a secret key, you can pass them as follows:

```
$ tflint --aws-access-key AWS_ACCESS_KEY --aws-secret-key AWS_SECRET_KEY --aws-region us-east-1
```

```hcl
config {
  aws_credentials = {
    access_key = "AWS_ACCESS_KEY"
    secret_key = "AWS_SECRET_KEY"
    region     = "us-east-1"
  }
}
```

Although it is not recommended, if an access key is hard-coded in a provider definition, it will also be taken into account. However, aliases are not supported. The priority of these keys is higher than that of the environment variables and lower than that of the static credentials passed as shown above.

```hcl
provider "aws" {
  region     = "us-west-2"
  access_key = "my-access-key"
  secret_key = "my-secret-key"
}
```

## Shared credentials

If you have [shared credentials](https://aws.amazon.com/jp/blogs/security/a-new-and-standardized-way-to-manage-credentials-in-the-aws-sdks/), you can pass a profile name and credentials file path. If omitted, these will be `default` and `~/.aws/credentials`.

```
$ tflint --aws-profile AWS_PROFILE --aws-region us-east-1 --aws-creds-file ~/.aws/myapp
```

```hcl
config {
  aws_credentials = {
    profile                 = "AWS_PROFILE"
    region                  = "us-east-1"
    shared_credentials_file = "~/.aws/myapp"
  }
}
```

If these settings are defined in the provider block, they will also be taken into account. However, their priority is lower than that of the settings shown above.

```hcl
provider "aws" {
  region                  = "us-west-2"
  shared_credentials_file = "/Users/tf_user/.aws/creds"
  profile                 = "customprofile"
}
```

## Environment variables

TFLint looks up the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_REGION` environment variables. This is useful when you don't want to pass credentials explicitly.

```
$ export AWS_ACCESS_KEY_ID=AWS_ACCESS_KEY
$ export AWS_SECRET_ACCESS_KEY=AWS_SECRET_KEY
```

## Role-based authentication

TFLint fetches AWS credentials in the same way as Terraform. See [this documentation](https://www.terraform.io/docs/providers/aws/index.html#ecs-and-codebuild-task-roles) for role-based authentication.

## Assume role

TFLint can assume a role in the same way as Terraform. See [this documentation](https://www.terraform.io/docs/providers/aws/index.html#assume-role).
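
The Static credentials section notes that keys hard-coded in a provider definition are honored but not recommended. The following pre-commit style check is an added example, not part of TFLint or of the original guide: it flags literal `access_key`/`secret_key` values inside `provider "aws"` blocks and `aws_credentials` maps while ignoring variable references. The names `Finding` and `FindHardcodedKeys` are hypothetical, the input is constructed, and the scan is a line-based heuristic that assumes one attribute per line.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one literal access_key/secret_key inside a credential block.
type Finding struct{ Line int; Block, Attr string }

// blockStart opens a provider "aws" block or a .tflint.hcl aws_credentials map.
var blockStart = regexp.MustCompile(`^\s*(?:(provider)\s+"aws"|(aws_credentials)\s*=)\s*\{`)
// keyLiteral matches a plain quoted value; var.x and "${...}" references do not match.
var keyLiteral = regexp.MustCompile(`^\s*(access_key|secret_key)\s*=\s*"([^"$]+)"`)

// sample is constructed input: a provider block followed by a TFLint config block.
const sample = `provider "aws" {
  access_key = "my-access-key"
  secret_key = "${var.secret_key}"
}
config {
  aws_credentials = {
    secret_key = "AWS_SECRET_KEY"
  }
}`

// FindHardcodedKeys is a line-based heuristic (not a full HCL parser).
func FindHardcodedKeys(src string) []Finding {
	var out []Finding
	block, depth := "", 0
	for i, line := range strings.Split(src, "\n") {
		if m := blockStart.FindStringSubmatch(line); block == "" && m != nil {
			block, depth = m[1]+m[2], 0 // brace depth restarts at each credential block
		}
		if m := keyLiteral.FindStringSubmatch(line); block != "" && m != nil {
			out = append(out, Finding{i + 1, block, m[1]})
		}
		if depth += strings.Count(line, "{") - strings.Count(line, "}"); depth <= 0 {
			block = ""
		}
	}
	return out
}

func main() {
	for _, f := range FindHardcodedKeys(sample) {
		fmt.Printf("line %d: literal %s in %s block\n", f.Line, f.Attr, f.Block)
	}
}
```

A non-empty result can be used to fail a CI job so that keys are supplied through environment variables, shared credentials, or a role instead.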