20.03.2020 Autor Mike 0 0

Lots of people deploying services in the cloud use a script in order to assume roles in the different AWS accounts. Having multiple projects in different accounts or deploy a project to different accounts at once (e.g. deploy an AWS iam role to dev/test/prod account) doesn't make it easier.

In order to simplify this process i created terraless. It is a wrapper arround terraform with assume role capabilities.


Terraless uses a global and a project config. In the global config you can define common roles and accounts that you use in multiple projects.

In the project config you can define which global profiles to use and also special configuration for the project.

If you have docker installed, you can test terraless with:

docker run -ti --entrypoint bash odaniait/terraless 

Example: Global config

The terraless.yml is looked up in different path. The easiest is to put it in your home folder in the directory ".terraless". Here is an example:

  - Name: MyTeam
      profile: base-profile-name
      intermediate-profile: my-team-session
      mfa-device: arn:aws:iam::ACCOUNT:mfa/MFA-USER
      - Type: aws
        Name: my-team-development
          accountId: 'AWS-ACCOUNT-ID'
          region: eu-central-1
          - developer
  - Name: terraless-provider-aws

Example: Project configuration

Here is the terraless-project.yml

   AutoSignIn: true
   NoProviderGeneration: true

   - Team: MyTeam
        - Type: global
          Name: my-team-development
             role: developer

ProjectName: my-awsome-project


For information about the loaded plugins and configuration use:

terraless info

For authentication use:

terraless auth

This will use the aws profile "base-profile-name". This needs to be already setup in your .aws/credentials. You can change it to any profile you like.

It will the ask for a mfa-token for the provided arn. It will use the profile and the mfa-token to retrieve new aws credentials and store it in your .aws/credentials file in the profile "my-team-session".

After that it will use the profile "my-team-session" to create new aws-credentials for "my-team-development-developer". Also these will be stored in your .aws/credentials file.

You can now add additional accounts if you like.

Authentication against a single provider

You can authenticate agains a single provider with the "--auth-provider" flag:

terraless auth --auth-provider <- Format: Team:Provider-Name:Data Data-Forma: key1=value:key2=value

e.g.: terraless auth --auth-provider MyTeam:my-team-development:role=developer

This command can be run in any directory, if the provider is defined in the global config.

Additional Information

You can find additional information on https://github.com/Odania-IT/terraless

Contributions welcome!