# terraform-identity

Part of **TERRAFORM**

<!-- intent-backlink:auto -->

> 💡 **Path Selection**: This skill is one implementation path for [Configure Terraform authentication with cloud provider](../../intent/terraform-manage-authentication/SKILL.md). If you're unsure which path to take, check the routing skill first.

# Terraform Identity Management Console Guide

## Operations Overview

| Operation | Console Entry Path | Prerequisites | Description |
|----------|-------------------|--------------|-------------|
| Manage AccessKey Pairs in Multi-Account Environment | Console > Resource Directory > Multi-Account Management | - Alibaba Cloud account with Resource Directory enabled<br>- Permissions to create RAM roles and policies<br>- Access to both operations and management accounts<br>- Terraform installed locally or in CI/CD | Replace long-term AccessKey pairs with an ECS instance RAM role and STS temporary tokens, so Terraform can assume roles across accounts without any static credential in code or on disk. |

## Step-by-Step Instructions

### Manage AccessKey Pairs in Multi-Account Environment

**Navigation**: Console > Resource Directory > Multi-Account Management

**Prerequisites**:
- An Alibaba Cloud account with Resource Directory enabled
- Permissions to create RAM roles and policies
- Access to the operations account and management account
- Terraform installed on the local machine or CI/CD environment

1. Navigate to the **Resource Directory** service and open **Multi-Account Management**.
   - Element: **Resource Directory** (link) — left navigation panel
   - Notes: Ensure you are logged into the operations account.

2. Create a new RAM role for use with ECS instances.
   - Element: **Create Role** (button) — top-right corner
   - Notes: A new role creation wizard opens in a dialog.

3. In the role creation wizard, specify the role name as `ecs-role`.
   - Element: **Role Name** (text_input) — main content area
   - Notes: The Terraform configuration and scripts in the following steps reference the role by this name, so it must match exactly (role names are case-sensitive).

4. Select the trusted entity type for the role.
   - Element: **Trusted Entity Type** (dropdown) — main content area
   - Options: Choose **Alibaba Cloud service**
   - Notes: This allows Alibaba Cloud services like ECS to assume the role.

5. Complete role creation and navigate to the role detail page.
   - Element: **OK** (button) — bottom of dialog
   - Notes: After creation, you are redirected to the role list; click the **ecs-role** entry to open its configuration page.

6. Review the trust policy and confirm who may assume the role.
   - Element: **Trust Policy** (tab) — main content area
   - Notes: For `ecs-role` the principal must be the ECS service (`ecs.aliyuncs.com`); choosing **Alibaba Cloud service** in step 4 produces this, and no account ID belongs here. The roles you later create in the management account are the ones whose trust policy JSON names the operations account as the principal, using its full 16-digit account ID (placeholder `<operations-account-id>`). Do not widen either trust policy to `*`.

7. Launch an ECS instance in the same region and bind it to the `ecs-role`.
   - Element: **Create Instance** (button) — left navigation panel under ECS service
   - Notes: During instance creation, proceed to the **Instance Details** step.

8. Assign the instance role during ECS creation.
   - Element: **Instance Role** (dropdown) — Instance Details section
   - Options: Select **ecs-role**
   - Notes: The instance obtains STS temporary credentials for `ecs-role` from the ECS metadata service, so no AccessKey pair is baked into the image, user data, or code.

9. After the ECS instance is running, execute Terraform from within the instance to deploy automation roles in the management account.
   - Element: none — this step is performed on the command line inside the ECS instance, not in the console
   - Notes: No further console interaction is needed. Terraform uses the instance's temporary credentials to call STS `AssumeRole` into the management account and works with the resulting short-lived token.
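The steps above describe the console side; the following Terraform configuration is an added example of what runs inside the instance in step 9. It is not from the original guide or from Alibaba Cloud's own samples, and it assumes placeholder values: operations account `1111111111111111`, management account `2222222222222222`, a management-account role named `terraform-automation`, and region `cn-hangzhou`. Only `ecs-role` comes from the steps above.

```hcl
# Added example, not part of the original guide or of any Alibaba Cloud
# sample. Assumed placeholders: operations account 1111111111111111,
# management account 2222222222222222, management role "terraform-automation",
# region cn-hangzhou. "ecs-role" is the name used in the console steps.

# Operations account: no AccessKey pair anywhere. The provider obtains STS
# credentials for the instance role from the ECS metadata service.
provider "alicloud" {
  alias         = "ops"
  region        = "cn-hangzhou"
  ecs_role_name = "ecs-role"
}

# Management account: start from the same instance credentials, then chain an
# sts:AssumeRole into the automation role. That role must already exist in the
# management account with the trust policy shown in local.mgmt_trust_policy.
provider "alicloud" {
  alias         = "mgmt"
  region        = "cn-hangzhou"
  ecs_role_name = "ecs-role"

  assume_role {
    role_arn           = "acs:ram::2222222222222222:role/terraform-automation"
    session_name       = "terraform-from-ecs"
    session_expiration = 3600 # seconds; a short session limits the value of a leaked token
  }
}

# Trust policy of ecs-role: only the ECS service may assume it, which is what
# selecting "Alibaba Cloud service" in the console wizard produces.
resource "alicloud_ram_role" "ecs_role" {
  provider    = alicloud.ops
  name        = "ecs-role"
  description = "Instance role for Terraform runs"
  document = jsonencode({
    Version = "1"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = ["ecs.aliyuncs.com"] }
    }]
  })
}

# Least privilege: allow ecs-role to assume only the one management role,
# instead of attaching AliyunSTSAssumeRoleAccess, which permits sts:AssumeRole
# on any role the trust policies happen to allow.
resource "alicloud_ram_policy" "assume_mgmt_role" {
  provider    = alicloud.ops
  policy_name = "assume-terraform-automation"
  policy_document = jsonencode({
    Version = "1"
    Statement = [{
      Effect   = "Allow"
      Action   = "sts:AssumeRole"
      Resource = "acs:ram::2222222222222222:role/terraform-automation"
    }]
  })
}

resource "alicloud_ram_role_policy_attachment" "ecs_role_assume" {
  provider    = alicloud.ops
  role_name   = alicloud_ram_role.ecs_role.name
  policy_name = alicloud_ram_policy.assume_mgmt_role.policy_name
  policy_type = "Custom"
}

# Trust policy for roles in the management account: the principal is the
# operations account, so credentials held there (the ECS instance role) may
# assume them. This is the policy the console steps ask you to edit.
locals {
  mgmt_trust_policy = jsonencode({
    Version = "1"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { RAM = ["acs:ram::1111111111111111:root"] }
    }]
  })
}

# Everything created through the mgmt provider runs under the assumed role's
# temporary token; an additional automation role is the example here.
resource "alicloud_ram_role" "managed_by_automation" {
  provider = alicloud.mgmt
  name     = "automation-managed-role"
  document = local.mgmt_trust_policy
}
```

Run `terraform init && terraform plan` on the instance with no `ALICLOUD_ACCESS_KEY` or `ALICLOUD_SECRET_KEY` in the environment; if the plan succeeds, the credential chain (metadata service, then `AssumeRole`) is working. The `terraform-automation` role is a bootstrap dependency: someone with access to the management account has to create it with the trust policy above before the `mgmt` provider can assume it.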

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Role Name | text_input | Yes | — | Unique, case-sensitive name for the RAM role (e.g., ecs-role). |
| Trusted Entity Type | dropdown | Yes | Alibaba Cloud service, Alibaba Cloud account | Specifies what kind of entity can assume this role (a service such as ECS, or another account). |
| Account ID | text_input | Yes (for Alibaba Cloud account trust) | — | The 16-digit ID of the account that is allowed to assume the role; used in the trust policy of roles in the management account. |

## FAQ

Q: Where do I find the Resource Directory console?
A: Log in to the Alibaba Cloud console at https://home.console.aliyun.com, then navigate to **Resource Directory** under the **Management & Governance** category.

Q: Can I change the instance role after the ECS instance is created?
A: Yes, you can modify the instance role by stopping the instance, editing its attributes, and selecting a new role from the **Instance Role** dropdown before restarting.

Q: What permissions does the `ecs-role` need?
A: The role must be allowed to call the STS `AssumeRole` API for the target roles. Attach a custom policy whose `Resource` lists only the ARNs of the management-account roles it should assume (`acs:ram::<management-account-id>:role/<role-name>`); the built-in **AliyunSTSAssumeRoleAccess** policy also works but permits `sts:AssumeRole` on any role, so prefer the scoped custom policy.

Q: Do I need to store AccessKey pairs in my Terraform code when using this method?
A: No. The ECS instance role supplies temporary STS tokens, so no long-term credential appears in code, state, or environment variables. Account IDs and role ARNs are identifiers rather than secrets and can be committed.

Q: How often are STS tokens rotated when using an instance role?
A: The ECS metadata service rotates the temporary credentials automatically every 6 hours; no manual intervention is required. Each response from the metadata endpoint (`http://100.100.100.200/latest/meta-data/ram/security-credentials/ecs-role`) includes an `Expiration` timestamp, so any tooling that caches the credentials should re-read the endpoint before that time instead of holding one token for the life of the process.

## Pricing & Billing

### Billing Model
STS AssumeRole requests are billed on a per-request basis.

### Price Reference
| Item | Price per request |
|------|-------------------|
| STS AssumeRole request | 0.0001 (currency not specified) |

### Free Tier
1,000 STS AssumeRole API requests

### Billing Notes
STS token usage is billed per request. Long-lived AccessKey pairs carry the greater risk: if leaked they can be used indefinitely, incurring both security exposure and the cost of whatever resources an attacker creates.