Skip to content

Commit 4f8142c

Browse files
carchi1acarchi1a
authored
docs: Correct flag and environment variable names for AWS OIDC authentication (#4785)
Fixes #4774
1 parent 985de73 commit 4f8142c

File tree

3 files changed

+12
-12
lines changed

3 files changed

+12
-12
lines changed

docs-starlight/src/content/docs/03-features/09-authentication.md

Lines changed: 9 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -40,16 +40,16 @@ To avoid these frustrating trade-offs, you can configure Terragrunt to assume an
4040

4141
## Configuring Terragrunt to assume an IAM role
4242

43-
To tell Terragrunt to assume an IAM role, just set the [`--iam-role`](/docs/reference/cli/commands/run#iam-role) command line argument:
43+
To tell Terragrunt to assume an IAM role, just set the [`--iam-assume-role`](/docs/reference/cli/commands/run#iam-assume-role) command line argument:
4444

4545
```bash
46-
terragrunt apply --iam-role "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
46+
terragrunt apply --iam-assume-role "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
4747
```
4848

49-
Alternatively, you can set the `TG_IAM_ROLE` environment variable:
49+
Alternatively, you can set the `TG_IAM_ASSUME_ROLE` environment variable:
5050

5151
```bash
52-
export TG_IAM_ROLE="arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
52+
export TG_IAM_ASSUME_ROLE="arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
5353
terragrunt apply
5454
```
5555

@@ -67,23 +67,23 @@ Terragrunt will call the `sts assume-role` API on your behalf and expose the cre
6767

6868
## Leveraging OIDC role assumption
6969

70-
In addition, you can combine the `--iam-role` flag with the [`--iam-web-identity-token`](/docs/reference/cli/commands/run#iam-web-identity-token) to use the `AssumeRoleWithWebIdentity` API instead of the `AssumeRole` API.
70+
In addition, you can combine the `--iam-assume-role` flag with the [`--iam-assume-role-web-identity-token`](/docs/reference/cli/commands/run#iam-assume-role-web-identity-token) to use the `AssumeRoleWithWebIdentity` API instead of the `AssumeRole` API.
7171

7272
This is especially convenient in the context of CI/CD pipelines, as it's generally a best practice to assume roles there via OIDC.
7373

74-
Configuring OIDC role assumption largely works like the `--iam-role` flag, with the addition of the `--iam-web-identity-token` flag. One special aspect of the `--iam-web-identity-token` flag is that it can use both a token, and the path to a file containing the token.
74+
Configuring OIDC role assumption largely works like the `--iam-assume-role` flag, with the addition of the `--iam-assume-role-web-identity-token` flag. One special aspect of the `--iam-assume-role-web-identity-token` flag is that it can use both a token, and the path to a file containing the token.
7575

7676
As a command line argument:
7777

7878
```bash
79-
terragrunt apply --iam-role "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME" --iam-web-identity-token "$TOKEN"
79+
terragrunt apply --iam-assume-role "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME" --iam-assume-role-web-identity-token "$TOKEN"
8080
```
8181

8282
As environment variables:
8383

8484
```bash
85-
export TG_IAM_ROLE="arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
86-
export TG_IAM_WEB_IDENTITY_TOKEN="$TOKEN"
85+
export TG_IAM_ASSUME_ROLE="arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
86+
export TG_IAM_ASSUME_ROLE_WEB_IDENTITY_TOKEN="$TOKEN"
8787
terragrunt apply
8888
```
8989

docs-starlight/src/content/docs/04-reference/01-hcl/03-attributes.mdx

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -177,7 +177,7 @@ explicitly redefined in the current's module `terragrunt.hcl` file.
177177

178178
The `iam_role` attribute can be used to specify an IAM role that Terragrunt should assume before invoking OpenTofu/Terraform.
179179

180-
The precedence is as follows: `--iam-role` command line option → `TG_IAM_ASSUME_ROLE` env variable →
180+
The precedence is as follows: `--iam-assume-role` command line option → `TG_IAM_ASSUME_ROLE` env variable →
181181
`iam_role` attribute of the `terragrunt.hcl` file in the module directory → `iam_role` attribute of the included
182182
`terragrunt.hcl`.
183183

@@ -222,7 +222,7 @@ The precedence is as follows: `--iam-assume-role-session-name` command line opti
222222

223223
The `iam_web_identity_token` attribute can be used along with `iam_role` to assume a role using AssumeRoleWithWebIdentity. `iam_web_identity_token` can be set to either the token value (typically using `get_env()`), or the path to a file on disk.
224224

225-
The precedence is as follows: `--iam-web-identity-token` command line option → `TG_IAM_ASSUME_ROLE_WEB_IDENTITY_TOKEN` env variable →
225+
The precedence is as follows: `--iam-assume-role-web-identity-token` command line option → `TG_IAM_ASSUME_ROLE_WEB_IDENTITY_TOKEN` env variable →
226226
`iam_web_identity_token` attribute of the `terragrunt.hcl` file in the module directory → `iam_web_identity_token` attribute of the included
227227
`terragrunt.hcl`.
228228

docs-starlight/src/data/flags/use-partial-parse-config-cache.mdx

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
---
22
name: use-partial-parse-config-cache
3-
description: Enables caching of includes during partial parsing operations. Will also be used for the --iam-role option if provided.
3+
description: Enables caching of includes during partial parsing operations. Will also be used for the --iam-assume-role option if provided.
44
type: bool
55
env:
66
- TG_USE_PARTIAL_PARSE_CONFIG_CACHE

0 commit comments

Comments
 (0)