OpenMCF logoOpenMCF

Loading...

AWS Provider Setup

This guide covers everything you need to authenticate OpenMCF with AWS. It applies to all AWS deployment components: AwsRdsInstance, AwsS3Bucket, AwsEksCluster, AwsVpc, and others.

For a quick reference of all provider credentials, see Credentials.

Prerequisites

  • An AWS account with permissions to create IAM users or roles
  • The AWS CLI installed (recommended, not required)

Authentication Methods

Method 1: Environment Variables

Set the standard AWS environment variables. Both OpenMCF and the underlying IaC engines (Pulumi, Terraform, OpenTofu) read them automatically:

export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"
export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
export AWS_REGION="us-west-2"

openmcf pulumi up -f ops/aws/database.yaml
VariableRequiredDescription
AWS_ACCESS_KEY_IDYes20-character key starting with AKIA (long-term) or ASIA (temporary)
AWS_SECRET_ACCESS_KEYYes40-character secret key
AWS_REGIONYesAWS region (e.g., us-west-2, eu-central-1)
AWS_SESSION_TOKENNoSession token for temporary credentials from STS
AWS_PROFILENoNamed profile from ~/.aws/credentials

Method 2: AWS CLI Profiles

If you manage multiple AWS accounts, use named profiles:

# Configure a named profile
aws configure --profile production
# Enter access key, secret key, and region when prompted

# Use the profile with OpenMCF
export AWS_PROFILE=production
openmcf pulumi up -f ops/aws/database.yaml

Method 3: Provider Config File (-p)

Pass credentials explicitly using the -p flag with a YAML file. The file format matches the AwsProviderConfig Protocol Buffer definition:

# aws-credential.yaml
account_id: "123456789012"
access_key_id: "AKIAIOSFODNN7EXAMPLE"
secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
region: "us-west-2"

Deploy using the -p flag:

openmcf pulumi up -f ops/aws/database.yaml -p aws-credential.yaml

The CLI validates the config file against the proto schema, then converts the fields to environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION) for the IaC engine subprocess.

Fields in the provider config file:

FieldRequiredDescription
account_idYesAWS account ID (numeric string)
access_key_idYes20-character access key
secret_access_keyYes40-character secret key
regionYesAWS region
session_tokenNoSTS session token for temporary credentials

All field names use snake_case, matching the protobuf definition at apis/org/openmcf/provider/aws/provider.proto.

Method 4: IAM Roles (EC2, ECS, Lambda)

When running on AWS compute, use IAM roles instead of access keys. The AWS SDK automatically retrieves credentials from the instance metadata service:

# No credential configuration needed
# Ensure the EC2 instance, ECS task, or Lambda function has an IAM role attached
openmcf pulumi up -f ops/aws/database.yaml

This is the most secure method for production workloads running on AWS.

Creating IAM Credentials

IAM User for Local Development

# Create an IAM user
aws iam create-user --user-name openmcf-deployer

# Create access keys
aws iam create-access-key --user-name openmcf-deployer

# Output includes AccessKeyId and SecretAccessKey
# Store these securely — the secret key is shown only once

IAM User for CI/CD

For CI/CD pipelines, create a dedicated IAM user with programmatic access:

# Create user
aws iam create-user --user-name openmcf-ci

# Create access keys
aws iam create-access-key --user-name openmcf-ci

# Attach a policy (see Least-Privilege Policies below)
aws iam attach-user-policy \
  --user-name openmcf-ci \
  --policy-arn arn:aws:iam::123456789012:policy/OpenMCFDeployerPolicy

Store the access key and secret key in your CI/CD platform's secret management (GitHub Actions secrets, GitLab CI variables, etc.).

Least-Privilege Policies

Grant only the permissions required for the resources you deploy. Here are starting points for common components.

S3 Bucket (AwsS3Bucket)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:GetBucketPolicy",
        "s3:PutBucketPolicy",
        "s3:GetBucketVersioning",
        "s3:PutBucketVersioning",
        "s3:GetEncryptionConfiguration",
        "s3:PutEncryptionConfiguration",
        "s3:GetBucketTagging",
        "s3:PutBucketTagging",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

RDS Instance (AwsRdsInstance)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:CreateDBInstance",
        "rds:DeleteDBInstance",
        "rds:DescribeDBInstances",
        "rds:ModifyDBInstance",
        "rds:CreateDBSubnetGroup",
        "rds:DeleteDBSubnetGroup",
        "rds:DescribeDBSubnetGroups",
        "rds:AddTagsToResource",
        "rds:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}

VPC (AwsVpc)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVpc",
        "ec2:DeleteVpc",
        "ec2:DescribeVpcs",
        "ec2:ModifyVpcAttribute",
        "ec2:CreateSubnet",
        "ec2:DeleteSubnet",
        "ec2:DescribeSubnets",
        "ec2:CreateInternetGateway",
        "ec2:DeleteInternetGateway",
        "ec2:AttachInternetGateway",
        "ec2:DetachInternetGateway",
        "ec2:DescribeInternetGateways",
        "ec2:CreateRouteTable",
        "ec2:DeleteRouteTable",
        "ec2:CreateRoute",
        "ec2:DescribeRouteTables",
        "ec2:AssociateRouteTable",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:DescribeTags"
      ],
      "Resource": "*"
    }
  ]
}

For broader deployments across multiple component types, start with the PowerUserAccess managed policy and narrow permissions as you identify the exact resources being created.

Verifying Credentials

# Check if credentials are configured
aws sts get-caller-identity

# Expected output:
# {
#   "UserId": "AIDAIOSFODNN7EXAMPLE",
#   "Account": "123456789012",
#   "Arn": "arn:aws:iam::123456789012:user/openmcf-deployer"
# }

If this command succeeds, OpenMCF can use the same credentials.

Troubleshooting

"Unable to locate credentials"

The AWS SDK cannot find credentials. Check:

# Are environment variables set?
env | grep AWS

# Is there a credentials file?
cat ~/.aws/credentials

# Is the profile correct?
echo $AWS_PROFILE

"Access Denied" or "UnauthorizedAccess"

The credentials are valid but lack the required permissions:

# Check which user/role the credentials belong to
aws sts get-caller-identity

# List attached policies
aws iam list-attached-user-policies --user-name <username>

# Check inline policies
aws iam list-user-policies --user-name <username>

Add the necessary IAM permissions for the resources you are deploying.

"ExpiredToken" or "ExpiredTokenException"

Temporary credentials (from aws sts assume-role or SSO) have expired:

# Re-authenticate
aws sso login --profile <profile-name>

# Or re-assume the role
aws sts assume-role \
  --role-arn arn:aws:iam::123456789012:role/DeployerRole \
  --role-session-name openmcf-session

Provider Config File Validation Error

The -p YAML file does not match the expected format:

  • Field names must use snake_case: access_key_id, not accessKeyId
  • account_id must contain only digits
  • access_key_id must be exactly 20 characters starting with AKIA or ASIA
  • secret_access_key must be exactly 40 characters

What's Next

  • Credentials — Quick reference for all providers
  • GCP Provider Setup — Configure GCP credentials
  • Azure Provider Setup — Configure Azure credentials
  • CI/CD Integration — Use AWS credentials in pipelines

Next article

GCP Provider Setup

GCP Provider Setup This guide covers everything you need to authenticate OpenMCF with Google Cloud Platform. It applies to all GCP deployment components: GcpCloudSql, GcpGkeCluster, GcpGcsBucket, GcpCloudRun, and others. For a quick reference of all provider credentials, see Credentials. Prerequisites A GCP project with billing enabled The gcloud CLI installed (recommended, not required) Authentication Methods Method 1: Application Default Credentials (Local Development) The fastest way to get...
Read next article