AWS Provider

Use the Amazon Web Services (AWS) provider to interact with the many resources supported by AWS. You must configure the provider with the proper credentials before you can use it.

Use the navigation to the left to read about the available resources. There are currently 1367 resources and 557 data sources available in the provider.

To learn the basics of Terraform using this provider, follow the hands-on get started tutorials. Interact with AWS services, including Lambda, RDS, and IAM by following the AWS services tutorials.

Example Usage

Terraform 0.13 and later:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

# Configure the AWS Provider
provider "aws" {
  region = "us-east-1"
}

# Create a VPC
resource "aws_vpc" "example" {
  cidr_block = "10.0.0.0/16"
}

Terraform 0.12 and earlier:

# Configure the AWS Provider
provider "aws" {
  version = "~> 5.0"
  region  = "us-east-1"
}

# Create a VPC
resource "aws_vpc" "example" {
  cidr_block = "10.0.0.0/16"
}

Authentication and Configuration

Configuration for the AWS Provider can be derived from several sources, which are applied in the following order:

  1. Parameters in the provider configuration
  2. Environment variables
  3. Shared credentials files
  4. Shared configuration files
  5. Container credentials
  6. Instance profile credentials and Region

This order matches the precedence used by the AWS CLI and the AWS SDKs.

The AWS Provider supports assuming an IAM role, either in the provider configuration block parameter assume_role or in a named profile.

The AWS Provider supports assuming an IAM role using web identity federation and OpenID Connect (OIDC). This can be configured either using environment variables or in a named profile.

When using a named profile, the AWS Provider also supports sourcing credentials from an external process.

Provider Configuration

Credentials can be provided by adding an access_key, secret_key, and optionally token, to the aws provider block.

Usage:

provider "aws" {
  region     = "us-west-2"
  access_key = "my-access-key"
  secret_key = "my-secret-key"
}

Other settings related to authorization can be configured, such as:

Environment Variables

Credentials can be provided by using the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and optionally AWS_SESSION_TOKEN environment variables. The Region can be set using the AWS_REGION or AWS_DEFAULT_REGION environment variables.

For example:

provider "aws" {}
% export AWS_ACCESS_KEY_ID="anaccesskey"
% export AWS_SECRET_ACCESS_KEY="asecretkey"
% export AWS_REGION="us-west-2"
% terraform plan

Other environment variables related to authorization are:

Shared Configuration and Credentials Files

The AWS Provider can source credentials and other settings from the shared configuration and credentials files. By default, these files are located at $HOME/.aws/config and $HOME/.aws/credentials on Linux and macOS, and "%USERPROFILE%\.aws\config" and "%USERPROFILE%\.aws\credentials" on Windows.

If no named profile is specified, the default profile is used. Use the profile parameter or AWS_PROFILE environment variable to specify a named profile.

The locations of the shared configuration and credentials files can be configured using either the parameters shared_config_files and shared_credentials_files or the environment variables AWS_CONFIG_FILE and AWS_SHARED_CREDENTIALS_FILE.

For example:

provider "aws" {
  shared_config_files      = ["/Users/tf_user/.aws/conf"]
  shared_credentials_files = ["/Users/tf_user/.aws/creds"]
  profile                  = "customprofile"
}

Container Credentials

If you're running Terraform on CodeBuild or ECS and have configured an IAM Task Role, Terraform can use the container's Task Role. This support is based on the underlying AWS_CONTAINER_CREDENTIALS_RELATIVE_URI and AWS_CONTAINER_CREDENTIALS_FULL_URI environment variables being automatically set by those services or manually for advanced usage.

If you're running Terraform on EKS and have configured IAM Roles for Service Accounts (IRSA), Terraform can use the pod's role. This support is based on the underlying AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables being automatically set by Kubernetes or manually for advanced usage.

Instance profile credentials and Region

When the AWS Provider is running on an EC2 instance with an IAM Instance Profile set, the provider can source credentials from the EC2 Instance Metadata Service. Both IMDS v1 and IMDS v2 are supported.

A custom endpoint for the metadata service can be provided using the ec2_metadata_service_endpoint parameter or the AWS_EC2_METADATA_SERVICE_ENDPOINT environment variable.

Assuming an IAM Role

If provided with a role ARN, the AWS Provider will attempt to assume this role using the supplied credentials.

Usage:

provider "aws" {
  assume_role {
    role_arn     = "arn:aws:iam::123456789012:role/ROLE_NAME"
    session_name = "SESSION_NAME"
    external_id  = "EXTERNAL_ID"
  }
}

Hands-on: Try the Use AssumeRole to Provision AWS Resources Across Accounts tutorial.

Assuming an IAM Role Using A Web Identity

If provided with a role ARN and a token from a web identity provider, the AWS Provider will attempt to assume this role using the supplied credentials.

Usage:

provider "aws" {
  assume_role_with_web_identity {
    role_arn                = "arn:aws:iam::123456789012:role/ROLE_NAME"
    session_name            = "SESSION_NAME"
    web_identity_token_file = "/Users/tf_user/secrets/web-identity-token"
  }
}

Using an External Credentials Process

To use an external process to source credentials, the process must be configured in a named profile, including the default profile. The profile is configured in a shared configuration file.

For example:

provider "aws" {
  profile = "customprofile"
}
[profile customprofile]
credential_process = custom-process --username jdoe

AWS Configuration Reference

Setting Provider Environment Variable Shared Config
Access Key ID access_key|AWS_ACCESS_KEY_ID|aws_access_key_id
Secret Access Key secret_key|AWS_SECRET_ACCESS_KEY|aws_secret_access_key
Session Token token|AWS_SESSION_TOKEN|aws_session_token
Region region|AWS_REGION or AWS_DEFAULT_REGION|region
Custom CA Bundle custom_ca_bundle|AWS_CA_BUNDLE|ca_bundle
EC2 IMDS Endpoint ec2_metadata_service_endpoint|AWS_EC2_METADATA_SERVICE_ENDPOINT|N/A
EC2 IMDS Endpoint Mode ec2_metadata_service_endpoint_mode|AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE|N/A
Disable EC2 IMDS skip_metadata_api_check|AWS_EC2_METADATA_DISABLED|N/A
HTTP Proxy http_proxy|HTTP_PROXY or http_proxy|N/A
HTTPS Proxy https_proxy|HTTPS_PROXY or https_proxy|N/A
Non-Proxied Hosts no_proxy|NO_PROXY or no_proxy|N/A
Max Retries max_retries|AWS_MAX_ATTEMPTS|max_attempts
Profile profile|AWS_PROFILE or AWS_DEFAULT_PROFILE|N/A
Retry Mode retry_mode|AWS_RETRY_MODE|retry_mode
Shared Config Files shared_config_files|AWS_CONFIG_FILE|N/A
Shared Credentials Files shared_credentials_files|AWS_SHARED_CREDENTIALS_FILE|N/A
S3 Use Regional Endpoint for us-east-1|s3_us_east_1_regional_endpoint|AWS_S3_US_EAST_1_REGIONAL_ENDPOINT|s3_us_east_1_regional_endpoint
Use DualStack Endpoints use_dualstack_endpoint|AWS_USE_DUALSTACK_ENDPOINT|use_dualstack_endpoint
Use FIPS Endpoints use_fips_endpoint|AWS_USE_FIPS_ENDPOINT|use_fips_endpoint

Assume Role Configuration Reference

Configuation for assuming an IAM role can be done using provider configuration or a named profile in shared configuration files. In the provider, all parameters for assuming an IAM role are set in the assume_role block.

Note that environment variables are not supported for assuming IAM roles.

See the assume role documentation for more information.

Setting Provider Shared Config
Role ARN role_arn|role_arn
Duration duration|duration_seconds
External ID external_id|external_id
Policy policy|N/A
Policy ARNs policy_arns|N/A
Session Name session_name|role_session_name
Source Identity source_identity|N/A
Tags tags|N/A
Transitive Tag Keys transitive_tag_keys|N/A

Assume Role with Web Identity Configuration Reference

Configuration for assuming an IAM role using web identify federation can be done using provider configuration, environment variables, or a named profile in shared configuration files. In the provider, all parameters for assuming an IAM role are set in the assume_role_with_web_identity block.

See the assume role documentation section on web identities for more information.

Setting Provider Environment Variable Shared Config
Role ARN role_arn|AWS_ROLE_ARN|role_arn
Web Identity Token web_identity_token|N/A N/A
Web Identity Token File web_identity_token_file|AWS_WEB_IDENTITY_TOKEN_FILE|web_identity_token_file
Duration duration|N/A duration_seconds
Policy policy|N/A policy
Policy ARNs policy_arns|N/A policy_arns
Session Name session_name|AWS_ROLE_SESSION_NAME|role_session_name

Custom User-Agent Information

By default, the underlying AWS client used by the Terraform AWS Provider creates requests with User-Agent headers including information about Terraform and AWS SDK for Go versions. To provide additional information in the User-Agent headers, the TF_APPEND_USER_AGENT environment variable can be set and its value will be directly added to HTTP requests. E.g.,

% export TF_APPEND_USER_AGENT="JenkinsAgent/i-12345678 BuildID/1234 (Optional Extra Information)"

Argument Reference

In addition to generic provider arguments (e.g., alias and version), the following arguments are supported in the AWS provider block:

assume_role Configuration Block

The assume_role configuration block supports the following arguments:

assume_role_with_web_identity Configuration Block

The assume_role_with_web_identity configuration block supports the following arguments:

default_tags Configuration Block

Hands-on: Try the Configure Default Tags for AWS Resources tutorial.

Example: Resource with provider default tags

provider "aws" {
  default_tags {
    tags = {
      Environment = "Test"
      Name        = "Provider Tag"
    }
  }
}

resource "aws_vpc" "example" {
  # ..other configuration...
}

output "vpc_resource_level_tags" {
  value = aws_vpc.example.tags
}

output "vpc_all_tags" {
  value = aws_vpc.example.tags_all
}

Outputs:

$ terraform apply
...
Outputs:

vpc_all_tags = tomap({
  "Environment" = "Test"
  "Name" = "Provider Tag"
})

Example: Resource with tags and provider default tags

provider "aws" {
  default_tags {
    tags = {
      Environment = "Test"
      Name        = "Provider Tag"
    }
  }
}

resource "aws_vpc" "example" {
  # ..other configuration...
  tags = {
    Owner = "example"
  }
}

output "vpc_resource_level_tags" {
  value = aws_vpc.example.tags
}

output "vpc_all_tags" {
  value = aws_vpc.example.tags_all
}

Outputs:

$ terraform apply
...
Outputs:

vpc_all_tags = tomap({
  "Environment" = "Test"
  "Name" = "Provider Tag"
  "Owner" = "example"
})
vpc_resource_level_tags = tomap({
  "Owner" = "example"
})

Example: Resource overriding provider default tags

provider "aws" {
  default_tags {
    tags = {
      Environment = "Test"
      Name        = "Provider Tag"
    }
  }
}

resource "aws_vpc" "example" {
  # ..other configuration...
  tags = {
    Environment = "Production"
  }
}

output "vpc_resource_level_tags" {
  value = aws_vpc.example.tags
}

output "vpc_all_tags" {
  value = aws_vpc.example.tags_all
}

Outputs:

$ terraform apply
...
Outputs:

vpc_all_tags = tomap({
  "Environment" = "Production"
  "Name" = "Provider Tag"
})
vpc_resource_level_tags = tomap({
  "Environment" = "Production"
})

The default_tags configuration block supports the following argument:

ignore_tags Configuration Block

Example:

provider "aws" {
  ignore_tags {
    keys = ["TagKey1"]
  }
}

The ignore_tags configuration block supports the following arguments:

Getting the Account ID

If you use either allowed_account_ids or forbidden_account_ids, Terraform uses several approaches to get the actual account ID in order to compare it with allowed or forbidden IDs.

Approaches differ per authentication providers: