Terraforming AWS IAM users

2020-08-03 tech programming terraform

I found myself Terraforming some AWS IAM users today. It can be hard to remember the ins-and-outs of managing the PGP-encrypted credentials, so I’m writing this down for future reference.

The model here is to create IAM users (probably one per person on your team), and to set them up with long-lived IAM credentials (access key/secret) and login access to the web console. We’ll have Terraform generate these secrets for us and give us PGP-encrypted output that we can distribute to the user.

Regarding the security of this setup:

  • AWS has an option to force the user to set his or her own password upon first login to the web console, and we’ll use that. The login profile resource will not interfere with the user changing his or her password (i.e. it won’t show up dirty on the next plan), so the use of Terraform here doesn’t get in the way.

  • In practice, it’s best to rotate these long-lived IAM credentials periodically (Here’s AWS’s doc about best practices). That’s outside the scope of this article, but one approach might be to taint the aws_iam_access_key resources on a schedule, and then re-run (it might be nice to depend on a null_resource referring to the date, e.g. via substring(timestamp(), 0, 7) to get the month, but this is not currently possible).

PGP usage with GPG

Each user will have to supply a PGP key. This can be done using GNU Privacy Guard (GPG). If you have it installed, great. If not, you can run in it Docker like this:

$ alias gpg='docker run -it --rm -u $(id -u):$(id -g) -e HOME -v "$HOME":"$HOME" -v "$(pwd)":"$(pwd)" -w "$(pwd)" dockerizedtools/gpg:2.2.20'

Generate a key by running this and following the prompts:

$ gpg --gen-key

Now we need the base64-encoded public key. We can get the full PEM by running gpg --export -a "Key name". We can clean it up into the format Terraform wants (single line, no header/footer, remove second base64-encoded string) by doing the following:

$ gpg --export -a "Key name" | tail -n +2 | head -n -2 | tr -d '\n' > gpg-public-key

Now we’ll use the contents of that file as input to Terraform. It should look something like this public key I generated for demonstration:


The length can vary.

Terraform definitions

Let’s start by defining our input:

variable "users" {
  description = "Map of IAM username to user details"
  type        = map(any)

which we’ll supply with a value like this:

users = {
  alice = {
    pgp_key = "<Alice's single-line base64-encoded public key (see above)>",
  bob = {
    pgp_key = "<Bob's single-line base64-encoded public key (see above)>",

If, in the future, we want to manage these users more extensively (e.g. adding a policy to them to allow them to assume certain roles), this data structure can be extended to support that.

The resources look like:

resource "aws_iam_user" "user" {
  for_each = var.users

  name = each.key

resource "aws_iam_access_key" "user" {
  for_each = toset([for user in aws_iam_user.user : user.name])

  user    = each.key
  pgp_key = var.users[each.key].pgp_key

resource "aws_iam_user_login_profile" "user" {
  for_each = toset([for user in aws_iam_user.user : user.name])

  user                    = each.key
  pgp_key                 = var.users[each.key].pgp_key
  password_reset_required = true

and we’ll output the encrypted values, which can be disseminated to the users:

output "users" {
  value = {
    for user in aws_iam_user.user :
    user.name => {
      access_key         = aws_iam_access_key.user[user.name].id,
      encrypted_secret   = aws_iam_access_key.user[user.name].encrypted_secret,
      encrypted_password = aws_iam_user_login_profile.user[user.name].encrypted_password,
comments powered by Disqus