Former Member
3 years ago
How do I use the AWS Shell Plugin with Terraform?
I set up the 1Password shell plugin for aws as shown here: https://blog.1password.com/shell-plugins/
It works great with aws (super cool btw!!!)
But it doesn't work with Terraform. For Terrafo...
Maelstromeous
2 years ago
Occasional Contributor
I've figured out a decent workaround for now until the TF plugin is restored.
In order to use TF with AWS, you need to inject the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY dynamically. This unfortunately cannot be done via MFA via 1Password as far as I know, so you need to have an IAM user created with credentials specifically for Terraform. This can be done via the below process:
1. Make sure you've followed the AWS CLI setup guide; it shows you how to properly create a credential.
2. Create a shell script called "1passwordcreds.sh" and put it in your home dir.
3. Insert the following into the file:
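```
#!/bin/bash
# Get your AWS access key ID and secret access key from 1Password
# (<1PASSWORD_VAULT> and <1PASSWORD_ENTRY> are placeholders for your vault and item)
AWS_ACCESS_KEY_ID=$(op read "op://<1PASSWORD_VAULT>/<1PASSWORD_ENTRY>/access key id")
AWS_SECRET_ACCESS_KEY=$(op read "op://<1PASSWORD_VAULT>/<1PASSWORD_ENTRY>/secret access key")
# Export the AWS credentials as environment variables
export AWS_ACCESS_KEY_ID
export AWS_SECRET_ACCESS_KEY
# Print the AWS access key ID to the console
echo "AWS Access Key ID: $AWS_ACCESS_KEY_ID"
```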
4. Replace the vault placeholder and `<1PASSWORD_ENTRY>` according to your needs. e.g. mine in my "Dev" vault with the item called "AWS - Terraform" reads:
   ```
   AWS_ACCESS_KEY_ID=$(op read "op://Dev/AWS - Terraform/access key id")
   AWS_SECRET_ACCESS_KEY=$(op read "op://Dev/AWS - Terraform/secret access key")
   ```
5. `chmod +x ~/1passwordcreds.sh`
6. Run `source ~/1passwordcreds.sh`
7. If you've set up the credential properly in 1Password, you'll be prompted for your biometrics.
8. To confirm you now have credentials, run `printenv | grep -i aws`; you should see your credentials. You should see both the access key ID and secret key.
9. Run `terraform apply` etc.

Note: because you are sourcing the file, the creds will "delete" themselves when the terminal ends; there is no storage of the credentials anywhere in the file system or in e.g. `./aws/credentials`.
To ease debugging, here's my terraform file which works:
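```
terraform {
  backend "s3" {
    bucket = "<BUCKET_NAME>" # placeholder: the name of your state bucket
    key    = "terraform.tfstate"
    region = "eu-west-2"
  }
}

# The provider picks up AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from the environment
provider "aws" {
  region = "eu-west-2"
}
```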
No special keys or anything are needed.
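
A variant of the script above that exports nothing when an `op read` fails and confirms the result without writing the secret to the terminal, as an added example that is not part of the original post. The function names and their VAULT and ITEM arguments are assumptions; the field names are the ones used in the post.

```shell
# Added example: function names and arguments are hypothetical, not 1Password tooling.
# Source this file (do not execute it) so the exports land in the current shell.

# load_tf_aws_creds VAULT ITEM
# Reads both fields with `op read` and exports them only if both reads return
# non-empty values; on any failure the AWS variables are left untouched.
load_tf_aws_creds() {
    if [ "$#" -ne 2 ]; then
        echo "usage: load_tf_aws_creds VAULT ITEM" >&2
        return 2
    fi
    _id=$(op read "op://$1/$2/access key id") || _id=""
    _secret=$(op read "op://$1/$2/secret access key") || _secret=""
    if [ -z "$_id" ] || [ -z "$_secret" ]; then
        unset _id _secret
        echo "load_tf_aws_creds: could not read both fields from op://$1/$2" >&2
        return 1
    fi
    AWS_ACCESS_KEY_ID=$_id
    AWS_SECRET_ACCESS_KEY=$_secret
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
    unset _id _secret
}

# aws_env_status
# Confirms both variables are set. Prints the key ID and only the length of
# the secret, so the secret never reaches the terminal or its scrollback.
aws_env_status() {
    if [ -z "${AWS_ACCESS_KEY_ID:-}" ] || [ -z "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        echo "AWS credentials: not set"
        return 1
    fi
    echo "AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID"
    echo "AWS_SECRET_ACCESS_KEY=<set, ${#AWS_SECRET_ACCESS_KEY} characters>"
}

# unload_tf_aws_creds: drop the credentials without closing the terminal.
unload_tf_aws_creds() {
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
}
```

After sourcing the file, `load_tf_aws_creds "Dev" "AWS - Terraform"` followed by `aws_env_status` takes the place of steps 6 and 8 before `terraform apply`.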