AWS Provider

The Amazon Web Services (AWS) provider is used to interact with the many resources supported by AWS. The provider needs to be configured with the proper credentials before it can be used.

Use the navigation to the left to read about the available resources.

Example Usage

# Configure the AWS Provider
provider "aws" {
    access_key = "${var.aws_access_key}"
    secret_key = "${var.aws_secret_key}"
    region = "us-east-1"

# Create a web server
resource "aws_instance" "web" {


The AWS provider offers flexible means of providing credentials for authentication. The following methods are supported, in this order, and explained below:

Static credentials

Static credentials can be provided by adding an access_key and secret_key in-line in the aws provider block:


provider "aws" {
  region     = "us-west-2"
  access_key = "anaccesskey"
  secret_key = "asecretkey"

###Environment variables

You can provide your credentials via AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, environment variables, representing your AWS Access Key and AWS Secret Key, respectively. AWS_DEFAULT_REGION and AWS_SESSION_TOKEN are also used, if applicable:

provider "aws" {}


$ export AWS_ACCESS_KEY_ID="anaccesskey" 
$ export AWS_SECRET_ACCESS_KEY="asecretkey"
$ export AWS_DEFAULT_REGION="us-west-2"
$ terraform plan

###Shared Credentials file

You can use an AWS credentials file to specify your credentials. The default location is $HOME/.aws/credentials on Linux and OSX, or "%USERPROFILE%\.aws\credentials" for Windows users. If we fail to detect credentials inline, or in the environment, Terraform will check this location. You can optionally specify a different location in the configuration by providing shared_credentials_file, or in the environment with the AWS_SHARED_CREDENTIALS_FILE variable. This method also supports a profile configuration and matching AWS_PROFILE environment variable:


provider "aws" {
  region                   = "us-west-2"
  shared_credentials_file  = "/Users/tf_user/.aws/creds"
  profile                  = "customprofile"

###EC2 Role

If you’re running Terraform from an EC2 instance with IAM Instance Profile using IAM Role, Terraform will just ask the metadata API endpoint for credentials.

This is a preferred approach over any other when running in EC2 as you can avoid hardcoding credentials. Instead these are leased on-the-fly by Terraform which reduces the chance of leakage.

You can provide custom metadata API endpoint via AWS_METADATA_ENDPOINT variable which expects the endpoint URL including the version and defaults to

###Assume role

If provided with a role ARN, Terraform will attempt to assume this role using the supplied credentials.


provider "aws" {
  assume_role {
    role_arn = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
    session_name = "SESSION_NAME"
    external_id = "EXTERNAL_ID"

Argument Reference

The following arguments are supported in the provider block:

The nested assume_role block supports the following:

Nested endpoints block supports the following:

Getting the Account ID

If you use either allowed_account_ids or forbidden_account_ids, Terraform uses several approaches to get the actual account ID in order to compare it with allowed/forbidden ones.

Approaches differ per auth providers:

See the source of this document at Terraform.io