HashiCorp Developer AI Private beta now available Sign up today
HashiCorp Cloud Platform
HashiCorp Cloud Platform Home

hcp iam workload-identity-providers create-aws

Command: hcp iam workload-identity-providers create-aws

The hcp iam workload-identity-providers create-aws command creates a new AWS workload identity provider.

Once created, workloads running in the specified AWS account can exchange their AWS identity for an HCP access token which maps to the identity of the specified service principal.

The conditional access statement can restrict which AWS roles are allowed to exchange their identity for an HCP access token. The condtional access statement is a hashicorp/go-bexpr string that is evaluated when exchanging tokens. It has access to the following variables:

  • aws.arn: The AWS ARN associated with the calling entity.
  • aws.account_id: The AWS account ID number of the account that owns or contains the calling entity.
  • aws.user_id: The unique identifier of the calling entity.

An example conditional access statement that restricts access to a specific role is, 'aws.arn matches "arn:aws:iam::123456789012:role/example-role/*"'.

To aide in creating the conditional access statement, run aws sts get-caller-identity on the AWS workload to determine the values that will be available to the conditional access statement.

Usage

$ hcp iam workload-identity-providers create-aws PROVIDER_NAME
  --account-id=AWS_ACCOUNT_ID --conditional-access=STATEMENT
  --service-principal=RESOURCE_NAME [Optional Flags]

Examples

Create a provider that allows exchanging identities for AWS workloads with role "example-role":

$ hcp iam workload-identity-providers create-aws aws-my-role \
  --service-principal=iam/project/PROJECT/service-principal/example-sp \
  --account-id=123456789012 \
  --conditional-access='aws.arn matches "arn:aws:iam::123456789012:role/example-role/*"' \
  --description="Allow exchanging AWS workloads that have role example-role"

Positional arguments

Required flags

  • --account-id=AWS_ACCOUNT_ID - The ID of the AWS account for which identity exchange will be allowed.

  • --conditional-access=STATEMENT - The conditional access statement is a hashicorp/go-bexpr string that is evaluated when exchanging tokens. It restricts which upstream identities are allowed to access the service principal.

    The conditional_access statement can access the following variables:

    • aws.arn: The AWS ARN associated with the calling entity.
    • aws.account_id: The AWS account ID number of the account that owns or contains the calling entity.
    • aws.user_id: The unique identifier of the calling entity.

    For details on the values of each variable, refer to the AWS documentation.

  • --service-principal=RESOURCE_NAME - The resource name of the service principal to create the provider for.

Optional flags