EP ElasticPurple

Setting up AWS SSO for Terraform

Enterprise-grade authentication without hardcoded credentials.

The Problem

When working with Terraform and AWS, the default approach is storing access keys as environment variables. This works for personal projects but falls short of enterprise security standards.

I used Claude to automate creating an S3 remote backend for Terraform state, but realized that relying on locally stored credentials wouldn't meet the security bar I wanted to demonstrate. The solution: IAM Identity Center (SSO).

Key insight: SSO only needs to be set up once by the platform team—which in my case happens to be my alter ego, "Platform Dave."

Two Scenarios

Scenario 1: Organization Already Has SSO

If your company has IAM Identity Center enabled, skip the console setup. Just request from your admin:

  • SSO Start URL: https://d-xxxxxxxxxx.awsapps.com/start
  • SSO Region: e.g., us-east-1
  • Your credentials

Scenario 2: Starting Fresh

You cannot create IAM Identity Center via CLI—it must be enabled in the console first. Once enabled, everything else can be done via CLI.

Setup Process

1. Enable IAM Identity Center

In the AWS Console, navigate to IAM Identity Center and enable it. Note your SSO start URL from the dashboard.

2. Create a User

Add a user in IAM Identity Center. They'll receive an email invitation to set their password. Also trigger the email verification from the user's profile in the console.

3. Configure Permission Sets

I organized permission sets by AWS service domain, mirroring my Terraform module structure:

Permission Sets:
├── terraform-core          # S3 state, tagging, read-only
├── terraform-storage       # S3, EBS, EFS
├── terraform-compute       # EC2, Lambda, ECS
├── terraform-iam           # IAM roles/policies (scoped)
├── terraform-networking    # VPC, subnets, security groups
├── terraform-database      # RDS, DynamoDB, ElastiCache
├── terraform-serverless    # Lambda, API Gateway, EventBridge
└── terraform-monitoring    # CloudWatch, X-Ray, CloudTrail

4. Assign to AWS Accounts

Go to AWS Accounts in IAM Identity Center and assign your user/group to your account with the appropriate permission sets.

5. Configure AWS CLI

aws configure sso

The command walks you through:

  • SSO start URL
  • SSO region
  • Browser-based authentication (a browser window opens)
  • MFA setup (required)
  • Profile name (e.g., terraform-dev)

The Complete Flow

1. aws sso login --profile terraform-dev
   ↓
2. Browser opens → You authenticate
   ↓
3. Select AWS account
   ↓
4. Select role (your permission set)
   ↓
5. CLI asks for region → eu-central-1
   ↓
6. CLI asks for output format → json
   ↓
7. CLI asks for profile name → terraform-dev
   ↓
8. ✅ Configuration saved to ~/.aws/config

Using with Terraform

Reference your SSO profile in the provider configuration:

provider "aws" {
  region  = "eu-central-1"
  profile = "terraform-dev"
}

Before running Terraform:

aws sso login --profile terraform-dev
terraform init
terraform plan
terraform apply

Benefits

  • No hardcoded credentials — No access keys in environment variables or config files
  • Temporary credentials — SSO tokens expire automatically
  • Centralized management — All access controlled from IAM Identity Center
  • MFA built-in — Multi-factor authentication required
  • Audit trail — All SSO logins logged in CloudTrail
  • Role-based access — Easy to manage via permission sets
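One way to verify the "no hardcoded credentials" claim on a workstation, as an added example written for this post (not code from the post or an AWS tool): the script parses a constructed ~/.aws/config in the layout `aws configure sso` writes and flags any profile that still carries static access keys or points at an incomplete sso-session block. The sso-session name, account id and key values are made-up placeholders.

```python
# Added example (not from the post): audit a ~/.aws/config in the layout that
# `aws configure sso` writes ([sso-session] blocks plus [profile] sections).
import configparser

# Constructed sample: the post's SSO profile next to a legacy profile with a static key.
SAMPLE_CONFIG = """[sso-session elasticpurple]
sso_start_url = https://d-xxxxxxxxxx.awsapps.com/start
sso_region = us-east-1

[profile terraform-dev]
sso_session = elasticpurple
sso_account_id = 123456789012
sso_role_name = terraform-core
region = eu-central-1

[profile legacy-admin]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret
"""
STATIC_KEY_FIELDS = ("aws_access_key_id", "aws_secret_access_key", "aws_session_token")
SSO_SESSION_FIELDS = ("sso_start_url", "sso_region")
SSO_PROFILE_FIELDS = ("sso_account_id", "sso_role_name")


def audit_config(text):
    """Return (profile, finding) tuples; an empty list means the config is clean."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    sessions = {s.split(" ", 1)[1]: parser[s]
                for s in parser.sections() if s.startswith("sso-session ")}
    findings = []
    for section in parser.sections():
        if not section.startswith("profile "):
            continue
        name, prof = section.split(" ", 1)[1], parser[section]
        # Static keys in the config file defeat the point of SSO.
        for field in STATIC_KEY_FIELDS:
            if field in prof:
                findings.append((name, f"static credential field {field} present"))
        # An SSO profile must resolve to a complete sso-session block.
        if "sso_session" in prof:
            session = sessions.get(prof["sso_session"])
            if session is None:
                findings.append((name, f"unknown sso-session {prof['sso_session']}"))
            for field in SSO_SESSION_FIELDS:
                if session is not None and field not in session:
                    findings.append((name, f"sso-session missing {field}"))
            for field in SSO_PROFILE_FIELDS:
                if field not in prof:
                    findings.append((name, f"missing {field}"))
    return findings
```

Run it against the real file with `audit_config(open(os.path.expanduser("~/.aws/config")).read())`; the same check applies to ~/.aws/credentials, which should not exist at all once every profile uses SSO.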

Conclusion

Setting up AWS SSO adds initial complexity but provides significant security benefits. It aligns with enterprise practices and demonstrates operational maturity—exactly what you want to show when targeting platform engineering roles.

The approach scales from individual projects to team environments, making it a solid foundation for any Terraform-based infrastructure.