backend/s3: Support assume_role_with_web_identity

[james1miller93]

The s3 backend currently does not support assuming a role with web identity.

This is currently supported by the aws provider and it would be good to have feature parity across the aws provider configurations.

Personally, I'd like to use this with github actions to federate access to a state backend from deployment pipelines whilst using a separate federated role for running terraform plan and apply operations.

[bschaatsbergen]

Picking this one up 👍, first time diving into the backends.

[crw]

Thanks for the enhancement request!

[bschaatsbergen]

There seems to be no support yet for AssumeRoleWithWebIdentity in the awsbase go package we're using. As support for AssumeRoleWithWebIdentity through awsbase is only added to the v2 package. It will require a bit of refactoring to make the existing S3 backend code compatible with the v2 version of awsbase.

I'm happy to put in some refactor work and make it inline with how the terraform-provider-aws handles assume_role and assume_role_with_web_identity as separate blocks.

I can't guarantee what the outcome will be of the refactor as awsbase/v2 seems to do things a bit differently..
e.g.

terraform {
  backend "s3" {
    bucket = "mybucket"
    key    = "path/to/my/key"
    region = "us-east-1"
    
    assume_role {
      // ....
    }
    
    assume_role_with_web_identity {
      // ....
    }
  }
}

If you can think of something more straight-forward to avoid the refactor, please share your thoughts with me @jbardin

[bschaatsbergen]

See (currently draft) PR for additional information.

[haakond]

Hi, chiming in on the conversation. I believe more and more people in the community are facing the same situation as described by the original poster here. My company is also working on modernizing our pipelines and this capability would be really great to have in place for the Terraform s3 backend.

Has there been any alternative approaches announced since June 2022? Anything I can do to help?

[james1miller93]

Any further thoughts on this?

[alencar]

Any news on supporting AssumeRoleWithWebIdentity for S3 backend?

[gdavison]

This will be resolved when #30443 is complete. It is an active project this quarter.