A very popular Terraform state management configuration is to use an AWS S3 bucket to store state files and an AWS DynamoDB table for state locking. The problem is that there does not appear to be a publicly available document detailing the minimum privileges an AWS user or role needs in order to use S3 and DynamoDB for Terraform state management.
Ideally, the principle of least privilege would be applied when assigning permissions to AWS users and roles. The permissions discussed below are for administrators or users who use the S3 bucket and DynamoDB table for state and are not responsible for creating or managing those resources.
S3 access should be restricted to the specific bucket that the user/role is using for storing state files.
DynamoDB access should be restricted to the specific table that the user/role is using for state locking.
The example IAM policy below grants only the permissions discussed above. The ${dynamodb-table} and ${s3-bucket} values are placeholders for your own table and bucket names.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TerraformStateLocking",
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:DeleteItem"
            ],
            "Resource": "arn:aws:dynamodb:*:*:table/${dynamodb-table}"
        },
        {
            "Sid": "AllowTerraformStateBucketAccess",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::${s3-bucket}"
        },
        {
            "Sid": "AllowTerraformStateFileAccess",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::${s3-bucket}/*"
        }
    ]
}
The policy could be restricted even further by specifying the AWS region and account number in the DynamoDB table ARN in the "Resource" property (S3 bucket and object ARNs have no region or account fields, so this applies only to the DynamoDB statement).
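A small check that a policy document really is scoped the way the article recommends, as an added example (not code from the original post): it parses an IAM policy, flags any Allow statement whose actions go beyond the seven listed above or whose resources are not the named state bucket (or a key prefix within it) and lock table. The bucket and table names are constructed sample values.

```python
import json

# Constructed check, not from the article: the minimum action set the policy
# above grants, used as the allow-list.
ALLOWED_ACTIONS = {
    "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem",
    "s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
}


def check_state_policy(policy_json, bucket, table):
    """Return findings; an empty list means every Allow statement is limited to
    the minimum actions, the named state bucket and the named lock table.
    Deny statements are skipped because they only narrow access."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        for action in [actions] if isinstance(actions, str) else actions:
            # "s3:*", "dynamodb:*" or "*" all exceed the minimum set
            if action not in ALLOWED_ACTIONS:
                findings.append(f"{sid}: action {action} exceeds the minimum set")
        for res in [resources] if isinstance(resources, str) else resources:
            parts = res.split(":", 5)  # arn:partition:service:region:account:resource
            if res == "*" or len(parts) != 6:
                findings.append(f"{sid}: resource {res} is not a single-resource ARN")
            elif parts[2] == "s3" and parts[5] != bucket and not parts[5].startswith(f"{bucket}/"):
                # S3 ARNs have empty region/account fields; objects are bucket/<key or *>
                findings.append(f"{sid}: S3 resource {res} is not the state bucket")
            elif parts[2] == "dynamodb" and parts[5] != f"table/{table}":
                # Region/account may be wildcards; the table name itself must be exact
                findings.append(f"{sid}: DynamoDB resource {res} is not the lock table")
    return findings


# The article's policy with constructed values in place of the placeholders.
EXAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "TerraformStateLocking", "Effect": "Allow",
     "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"],
     "Resource": "arn:aws:dynamodb:*:*:table/terraform-locks"},
    {"Sid": "AllowTerraformStateBucketAccess", "Effect": "Allow",
     "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::tfstate-example"},
    {"Sid": "AllowTerraformStateFileAccess", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::tfstate-example/*"}]})

# A constructed over-broad variant: every S3 action on every bucket.
OVERBROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]})

if __name__ == "__main__":
    print(check_state_policy(EXAMPLE_POLICY, "tfstate-example", "terraform-locks"))
    print(check_state_policy(OVERBROAD_POLICY, "tfstate-example", "terraform-locks"))
```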
Terraform S3 Backend Configuration: https://www.terraform.io/docs/backends/types/s3.html
AWS S3 IAM Permissions: http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
AWS DynamoDB IAM Permissions: http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/api-permissions-reference.html