Account-map migration: Components with multiple aws providers / provider aliases that assume roles? #112
When migrating to the new account-map: How are we expected to configure auth for components that have multiple (aws) providers and use the account-map/iam-roles? For example: https://github.com/cloudposse-terraform-components/aws-tgw-spoke/blob/main/src/provider-hub.tf#L8
Replies: 1 comment
Hey @seanlongnyc. Good question. This is one of the trickier parts of the migration.

For components that need multiple AWS providers (like `dns-delegated` needing access to the primary DNS account, or the old `tgw-spoke` needing access to the hub account), the approach in v2 is to specify the AWS `profile` for the alternate provider directly. The key is that the profile must already be initialized in your local AWS config, meaning you've already authenticated to that alternate identity via `atmos auth login` before running Atmos against the target identity. Therefore, for now we have to disable those components from GitHub Actions.

So the workflow is: log in with Atmos to the alternate identity first (which creates the profile in your local AWS config), and then when you run Atmos for the target component, the alternate provider can reference that profile by name.

For a working example, take a look at how the

That said, this clearly isn't ideal. We would like to support multiple identities for a single component natively in Atmos (so you wouldn't need to pre-authenticate separately), but that is not yet implemented. For now, the profile-based approach is the recommended workaround.
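A preflight check for the workaround described in the reply above, as an added example that is not part of the discussion or of Atmos: it confirms that the profile names your aliased providers reference are defined in the local AWS shared config or credentials files before Terraform runs. It only checks that a profile is defined, not that its session is still valid, and the profile names passed in are whatever your own stack uses.

```python
import configparser
import os
from pathlib import Path


def config_paths(env=os.environ):
    """Resolve the shared config and credentials files the AWS SDKs read."""
    home = Path.home()
    return (
        Path(env.get("AWS_CONFIG_FILE", home / ".aws" / "config")),
        Path(env.get("AWS_SHARED_CREDENTIALS_FILE", home / ".aws" / "credentials")),
    )


def _sections(path):
    # strict=False tolerates duplicate sections; a missing file yields no sections
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    if path.is_file():
        parser.read(path)
    return parser.sections()


def known_profiles(config_file, credentials_file):
    """Return every profile name defined in either file."""
    names = set()
    for section in _sections(config_file):
        # The config file uses "[profile NAME]"; only "[default]" is bare.
        if section == "default":
            names.add(section)
        elif section.startswith("profile "):
            names.add(section[len("profile "):].strip())
    # The credentials file uses bare "[NAME]" sections.
    names.update(_sections(credentials_file))
    return names


def missing_profiles(required, config_file, credentials_file):
    """Profiles the aliased providers need but that are not defined locally."""
    return sorted(set(required) - known_profiles(config_file, credentials_file))


if __name__ == "__main__":
    import sys
    # Usage: pass the profile names the component's alternate providers use.
    missing = missing_profiles(sys.argv[1:], *config_paths())
    if missing:
        sys.exit("no local AWS profile for: " + ", ".join(missing)
                 + " (authenticate to that identity first)")
```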