The Terraform AWS Provider – Authenticate Terraform to AWS

How to Use the Terraform AWS Provider

Terraform Providers

A provider in Terraform is a plugin that enables interaction with an API. This includes Cloud providers such as AWS. The providers are specified in the Terraform configuration code, telling Terraform which services it needs to interact with.

For more details on Terraform providers (including the Spacelift Terraform provider), check out our previous article: Terraform Providers Overview.

AWS Provider

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      version = "4.27.0"

provider "aws" {
  # Configuration options

Note that the version of the provider is ‘pinned’ here to “4.27.0” (the latest at the time of writing). This is recommended best practice to avoid any unexpected changes in behavior between provider versions. Newer minor versions should be backward compatible and not introduce issues, however, major version updates may introduce breaking changes. Pinning the version allows you to update manually when you are confident there will be no adverse effects in doing so.

To find the latest version available, check out the Terraform docs page, or the GitHub page. GitHub will also give you a version history and details on issues raised by community members and stakeholders.

AWS Provider Configuration Options

terraform aws provider - iam section
terraform aws provider - create access key

Note that the usual and recommended way to authenticate to AWS when using Terraform is via the AWS CLI, rather than any of the provider options listed above. To do this, first, install the AWS CLI, then type aws configure.

Parameters in the provider configuration

provider "aws" {
  region     = "us-west-2"
  access_key = "my-access-key"
  secret_key = "my-secret-key"
provider "aws" {
  region = "us-west-2"
  token  = "my-token"

Environment Variables

provider "aws" {}

In the command shell, the environment variables are set as follows:

$ export AWS_ACCESS_KEY_ID="my-access-key"
$ export AWS_SECRET_ACCESS_KEY="my-secret-key"
$ export AWS_REGION="us-west-2"

Alternatively, a token can be used instead of Key ID and Access Key:

$ export AWS_SESSION_TOKEN="my-token"

Assume an IAM role

provider "aws" {
  assume_role {
    role_arn     = "arn:aws:iam::123456789012:role/ROLE_NAME"
    session_name = "SESSION_NAME"
    external_id  = "EXTERNAL_ID"

Key Points

In this article, we have shown the common uses of the Terraform AWS provider, showing how to authenticate using parameters in the provider configuration options, and using environment variables. For a full list of available options, check out the Terraform docs page.


Terraform Management Made Easy

Spacelift effectively manages Terraform state, more complex workflows, supports policy as code, programmatic configuration, context sharing, drift detection, resource visualization, and includes many more features.

Start free trial