Commit 2e3fb3f

update tf s3 backend instructions for better ec2 cred behaviour
1 parent ef9ca2a commit 2e3fb3f

1 file changed

+24
-9
lines changed

docs/opentofu-remote-state.md

Lines changed: 24 additions & 9 deletions
@@ -127,8 +127,6 @@ per-checkout configuration is required.
127127
openstack ec2 credentials create
128128
```
129129

130-
and make a note of the `access` field returned.
131-
132130
3. Create the backend file:
133131

134132
```shell
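Review bot: Step 2 still runs `openstack ec2 credentials create` unconditionally, and with the "make a note of the `access` field" sentence removed nothing ties one particular credential to the backend any more. The new activate snippet takes the first credential found for the current project, so re-running step 2 on a project that already has credentials only adds another access/secret pair that is never used. Consider having step 2 say to run `openstack ec2 credentials list` first and to create credentials only when none exist for the project, matching the wording added under "Per-checkout configuration".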
@@ -144,13 +142,15 @@ per-checkout configuration is required.
144142
5. Add the following to `environments/$ENV/activate`:
145143

146144
```bash
147-
export AWS_ACCESS_KEY_ID=$EC2_CREDENTIALS_ACCESS
148-
export AWS_SECRET_ACCESS_KEY=$(openstack ec2 credentials show $AWS_ACCESS_KEY_ID -f value -c secret)
145+
# Get current openstack project:
146+
PROJECT_ID=$(openstack token issue -f value -c project_id)
147+
# Get first creds in current project:
148+
EC2_CREDS=$(openstack ec2 credentials list -f json | jq -r --arg pid "$PROJECT_ID" '.[] | select(.["Project ID"] == $pid) | @json' | head -n 1)
149+
# Set creds for OpenTofu s3 backend:
150+
export AWS_ACCESS_KEY_ID=$(echo "$EC2_CREDS" | jq -r '.Access')
151+
export AWS_SECRET_ACCESS_KEY=$(echo "$EC2_CREDS" | jq -r '.Secret')
149152
```
150153

151-
replacing `$EC2_CREDENTIALS_ACCESS` with the `access` field of the created
152-
credentials.
153-
154154
This avoids these credentials being persisted in local files.
155155

156156
6. Copy the lines above into your shell to set them for your current shell.
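Review bot: There is no handling for the case where the `select(.["Project ID"] == $pid)` filter on new line 148 matches nothing: `EC2_CREDS` is then empty, both `jq -r` calls print nothing, and `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are exported as empty strings with no message. Suggest testing `[ -n "$EC2_CREDS" ]` after line 148 and printing a hint to run `openstack ec2 credentials create` when it fails. Because step 6 has these lines pasted into the interactive shell, `EC2_CREDS` (which holds the secret as JSON) and `PROJECT_ID` also stay set afterwards; an `unset EC2_CREDS PROJECT_ID` after the two exports would limit that. The snippet now needs `jq`, which is worth stating if it is not already listed as a prerequisite.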
@@ -180,5 +180,20 @@ For more configuration options, see the OpenTofu [s3 backend docs](https://opent
180180

181181
### Per-checkout configuration
182182

183-
The ec2 credentials will automatically be loaded when activating the environment.
184-
For a new checkout simply initialise OpenTofu as normal as described in step 7 above.
183+
EC2 credentials are per-user and per-project. Check you have credentials for
184+
the current project using:
185+
186+
```shell
187+
openstack ec2 credentials list # to show credentials
188+
openstack project list # to show project IDs
189+
```
190+
191+
and if not, create them:
192+
193+
```shell
194+
openstack ec2 credentials create
195+
```
196+
197+
The ec2 credentials will then automatically be loaded when activating the
198+
environment. For a new checkout simply initialise OpenTofu as normal as
199+
described in step 7 above.
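Review bot: The check added at new lines 186-189 points the reader at `openstack project list`, which shows project IDs but not which project is current, while the activate snippet determines the current project with `openstack token issue -f value -c project_id`. Using that same command here would make the comparison unambiguous. The list output also carries the secret (the activate snippet reads `.Secret` from it), so for this check the doc could suggest `openstack ec2 credentials list -c Access -c "Project ID"` to keep secrets off the terminal.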
