Update tf s3 backend instructions for better ec2 credential behaviour (#871)

sjpb · web-flow · commit 3d067465d0e6 · 2025-12-19T16:44:47.000Z
* update tf s3 backend instructions for better ec2 cred behaviour

* avoid tokens existing for longer than requried

* fix token revocation
diff --git a/docs/opentofu-remote-state.md b/docs/opentofu-remote-state.md
@@ -127,8 +127,6 @@ per-checkout configuration is required.
    openstack ec2 credentials create
    ```
 
-   and make a note of the `access` field returned.
-
 3. Create the backend file:
 
    ```shell
@@ -144,13 +142,19 @@ per-checkout configuration is required.
 5. Add the following to `environments/$ENV/activate`:
 
    ```bash
-   export AWS_ACCESS_KEY_ID=$EC2_CREDENTIALS_ACCESS
-   export AWS_SECRET_ACCESS_KEY=$(openstack ec2 credentials show $AWS_ACCESS_KEY_ID -f value -c secret)
+   # Get current openstack project:
+   TOKEN_DATA=$(openstack token issue -f json)
+   PROJECT_ID=$(echo "$TOKEN_DATA" | jq -r '.project_id')
+   TOKEN_ID=$(echo "$TOKEN_DATA" | jq -r '.id')
+   openstack token revoke $TOKEN_ID
+   
+   # Get first creds in current project:
+   EC2_CREDS=$(openstack ec2 credentials list -f json | jq -r --arg pid "$PROJECT_ID" '.[] | select(.["Project ID"] == $pid) | @json' | head -n 1)
+   # Set creds for OpenTofu s3 backend:
+   export AWS_ACCESS_KEY_ID=$(echo "$EC2_CREDS" | jq -r '.Access')
+   export AWS_SECRET_ACCESS_KEY=$(echo "$EC2_CREDS" | jq -r '.Secret')
    ```
 
-   replacing `$EC2_CREDENTIALS_ACCESS` with the `access` field of the created
-   credentials.
-
    This avoids these credentials being persisted in local files.
 
 6. Copy the lines above into your shell to set them for your current shell.
@@ -180,5 +184,20 @@ For more configuration options, see the OpenTofu [s3 backend docs](https://opent
 
 ### Per-checkout configuration
 
-The ec2 credentials will automatically be loaded when activating the environment.
-For a new checkout simply initialise OpenTofu as normal as described in step 7 above.
+EC2 credentials are per-user and per-project. Check you have credentials for
+the current project using:
+
+```shell
+openstack ec2 credentials list # to show credentials
+openstack project list         # to show project IDs
+```
+
+and if not, create them:
+
+```shell
+openstack ec2 credentials create
+```
+
+The ec2 credentials will then automatically be loaded when activating the
+environment. For a new checkout simply initialise OpenTofu as normal as
+described in step 7 above.
