Knowledge Base

TERRAGRUNT_IAM_ROLE with S3 backend

Answer

We are running into an issue when using `TERRAGRUNT_IAM_ROLE`. Our configuration is as follows:

1. Use AWS SSO to access Account A.
2. Run Terragrunt with `TERRAGRUNT_IAM_ROLE` to assume role A in Account A.
3. In the Terraform provider config we assume role B in Account B with rights to deploy resources into Account B.
4. In the Terraform backend config we assume role C in Account C with rights to an S3 bucket and DynamoDB table.

If we use this configuration we get an error similar to:

```
AccessDenied: User: arn:aws:sts::XXXXXXXX:assumed-role/AWSReservedSSO_XXXXXXXX_XXXXXXXX/example@example.com is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::ACCOUNT C:role/RoleC
```

In our understanding Terragrunt should be assuming Role A, and Role A then has the rights to assume Role C in Account C. This does not seem to be the case. If we amend the configuration and grant the SSO role access to Role C, then everything works.

Is this expected behaviour, or should Role A be used by Terragrunt to access Role C as defined in the backend config?

Below is a refactored config for our backend and provider in Terragrunt.

```hcl
generate "provider" {
  path      = "provider.tf"
  if_exists = "overwrite_terragrunt"
  contents  = <<EOF
provider "aws" {
  region              = "region"
  allowed_account_ids = ["ACCOUNT B"]
  assume_role {
    role_arn = "arn:aws:iam::ACCOUNT B:role/RoleB"
  }
}
EOF
}

remote_state {
  backend = "s3"
  config = {
    skip_bucket_versioning = true
    encrypt                = true
    bucket                 = "bucket"
    key                    = "terraform.tfstate"
    region                 = "region"
    dynamodb_table         = "table"
    kms_key_id             = "key_id"
    role_arn               = "arn:aws:iam::ACCOUNT C:role/RoleC"
  }
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite_terragrunt"
  }
}
```

`TERRAGRUNT_IAM_ROLE` does not support role chaining at the moment for internal AWS operations. In this case, Terragrunt does not chain the assume role call between the IAM role specified in `TERRAGRUNT_IAM_ROLE` and the IAM role specified in the `role_arn` config on the `remote_state` block when it makes the calls internally. Instead, it will directly assume the role specified in `role_arn` (ignoring `TERRAGRUNT_IAM_ROLE`). Note that it will use `TERRAGRUNT_IAM_ROLE` if `role_arn` isn't specified (which is admittedly confusing).

Despite this limitation, this works for the provider config, because the role chaining (second assume role) happens in `terraform`, not `terragrunt`.

To be transparent, the IAM role assume rules in Terragrunt are a bit of a mess right now because of the complexities around AWS session management. As such, unless there is a specific need for having terragrunt assume the role (e.g., for use cases around cross account dependencies), we typically recommend using an external tool like `aws-vault` to do the role assume.

We have plans in our roadmap to revamp the AWS authentication strategy within Terragrunt. You can follow [this GitHub issue](https://github.com/gruntwork-io/terragrunt/issues/1840) for updates on this rework when we prioritize it.
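To make the two call paths in the answer concrete, the following is an added Python model of which `sts:AssumeRole` calls are made for the backend versus the provider; it is not code from this page or from Terragrunt. It assumes a simplified trust policy (a set of trusted principal ARNs per role) and uses placeholder account and role ARNs in the style of the question.

```python
from dataclasses import dataclass

# Constructed placeholders matching the question; not real ARNs.
SSO = "arn:aws:sts::ACCOUNT_A:assumed-role/AWSReservedSSO_XXXXXXXX_XXXXXXXX/example@example.com"
ROLE_A = "arn:aws:iam::ACCOUNT_A:role/RoleA"   # TERRAGRUNT_IAM_ROLE
ROLE_B = "arn:aws:iam::ACCOUNT_B:role/RoleB"   # provider assume_role
ROLE_C = "arn:aws:iam::ACCOUNT_C:role/RoleC"   # remote_state role_arn

@dataclass
class Role:
    arn: str
    trusted: frozenset  # principals allowed by the role's trust policy (simplified)

class TrustModel:
    """Hypothetical stand-in for STS: AssumeRole succeeds only if the caller is trusted."""
    def __init__(self, roles):
        self.roles = {r.arn: r for r in roles}
    def assume_role(self, caller, role_arn):
        if caller not in self.roles[role_arn].trusted:
            raise PermissionError(f"AccessDenied: User: {caller} is not authorized to "
                                  f"perform: sts:AssumeRole on resource: {role_arn}")
        return role_arn  # identity of the new session

def backend_caller(sts, base, tg_role, backend_role):
    # Terragrunt assumes the remote_state role_arn straight from the base credentials;
    # TERRAGRUNT_IAM_ROLE is ignored when role_arn is set.
    return sts.assume_role(base, backend_role)

def provider_caller(sts, base, tg_role, provider_role):
    # Terragrunt assumes TERRAGRUNT_IAM_ROLE; Terraform then chains from that
    # session to the provider's assume_role block.
    return sts.assume_role(sts.assume_role(base, tg_role), provider_role)

def check_paths(sts, base=SSO, tg_role=ROLE_A, backend_role=ROLE_C, provider_role=ROLE_B):
    """Return {'backend': ..., 'provider': ...} with 'ok' or the AccessDenied message."""
    out = {}
    for name, fn, target in (("backend", backend_caller, backend_role),
                             ("provider", provider_caller, provider_role)):
        try:
            fn(sts, base, tg_role, target)
            out[name] = "ok"
        except PermissionError as err:
            out[name] = str(err)
    return out

# Trust as the question expected it: only Role A may assume Role C.
CHAINED_TRUST = TrustModel([Role(ROLE_A, frozenset({SSO})), Role(ROLE_B, frozenset({ROLE_A})),
                            Role(ROLE_C, frozenset({ROLE_A}))])
# Trust after the workaround in the question: the SSO role may assume Role C directly.
DIRECT_TRUST = TrustModel([Role(ROLE_A, frozenset({SSO})), Role(ROLE_B, frozenset({ROLE_A})),
                           Role(ROLE_C, frozenset({ROLE_A, SSO}))])

if __name__ == "__main__":
    print(check_paths(CHAINED_TRUST))  # backend: AccessDenied ..., provider: ok
    print(check_paths(DIRECT_TRUST))   # backend: ok, provider: ok
```

With real credentials the same two call orders can be exercised through boto3's `sts.assume_role`, where the caller is implied by the credentials in use rather than passed explicitly.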