hcp iam workload-identity-providers create-aws
Command: hcp iam workload-identity-providers create-aws
The hcp iam workload-identity-providers create-aws
command creates a new AWS
workload identity provider.
Once created, workloads running in the specified AWS account can exchange their AWS identity for an HCP access token which maps to the identity of the specified service principal.
The conditional access statement can restrict which AWS roles are allowed to exchange their identity for an HCP access token. The condtional access statement is a hashicorp/go-bexpr string that is evaluated when exchanging tokens. It has access to the following variables:
aws.arn
: The AWS ARN associated with the calling entity.aws.account_id
: The AWS account ID number of the account that owns or contains the calling entity.aws.user_id
: The unique identifier of the calling entity.
An example conditional access statement that restricts access to a specific role
is, 'aws.arn matches "arn:aws:iam::123456789012:role/example-role/*"'
.
To aide in creating the conditional access statement, run aws sts
get-caller-identity
on the AWS workload to determine the values that will be
available to the conditional access statement.
Usage
$ hcp iam workload-identity-providers create-aws PROVIDER_NAME --account-id=AWS_ACCOUNT_ID --conditional-access=STATEMENT --service-principal=RESOURCE_NAME [Optional Flags]
Examples
Create a provider that allows exchanging identities for AWS workloads with role "example-role":
$ hcp iam workload-identity-providers create-aws aws-my-role \ --service-principal=iam/project/PROJECT/service-principal/example-sp \ --account-id=123456789012 \ --conditional-access='aws.arn matches "arn:aws:iam::123456789012:role/example-role/*"' \ --description="Allow exchanging AWS workloads that have role example-role"
Positional arguments
PROVIDER_NAME
- The name of the provider to create.
Required flags
--account-id=AWS_ACCOUNT_ID
- The ID of the AWS account for which identity exchange will be allowed.--conditional-access=STATEMENT
- The conditional access statement is a hashicorp/go-bexpr string that is evaluated when exchanging tokens. It restricts which upstream identities are allowed to access the service principal.The conditional_access statement can access the following variables:
aws.arn
: The AWS ARN associated with the calling entity.aws.account_id
: The AWS account ID number of the account that owns or contains the calling entity.aws.user_id
: The unique identifier of the calling entity.
For details on the values of each variable, refer to the AWS documentation.
--service-principal=RESOURCE_NAME
- The resource name of the service principal to create the provider for.
Optional flags
--description=TEXT
- A description of the provider.