Connect Your Cloud Account

env0 applies your Terraform code to create resources in your own cloud account. Here you will learn how to give env0 the required permissions for that.

The exact steps depend on which cloud provider you are using.

Amazon Web Services

env0 offers two ways for you to connect to your AWS account:

  1. Using AWS Assume Role
  2. Using IAM user credentials

Using AWS Assume Role

env0 assumes this role to obtain short-lived credentials for Terraform, so no long-lived access keys from your account are stored in env0.
The role needs every permission your Terraform code requires, plus the STS GetAccessKeyInfo action.

Create an AWS IAM Role

  1. In the IAM console, click on Roles -> Create Role
  2. Under type of trusted entity select Another AWS Account
  3. Under Account ID enter 913128560467. If you have a Self-hosted agent installation, enter the AWS account ID where the agent is installed instead.
  4. Select Require external ID
  5. Enter an External ID of your choosing - treat it like a password env0 will present in order to assume the role, so use a long random value and keep it secret.
  6. Click Next:Permissions
  7. Select AdministratorAccess, or preferably a policy scoped to the resources your Terraform code actually manages
  8. Click Next:Review
  9. Enter a name for the role, and click Create Role
  10. Click on the Role you just created - We will need the Role ARN and the External ID in subsequent steps.
  11. On the created Role screen, look for Maximum session duration and click Edit. Select Custom Duration and enter "18000" (5 hours) - that time matches the maximum allowed deployment time on env0. The default is 1 hour, which is shorter than a long deployment can take.
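The console wizard in the steps above produces a trust policy on the role. The following added example is my own Python, not env0's or AWS's code: it builds that trust policy from the trusted account ID and the External ID, and checks an existing trust policy for the two mistakes that matter in this setup, a principal wider than the env0 account and a missing sts:ExternalId condition. The External ID value and the OPEN_TRUST_POLICY "before" document are constructed for illustration.

```python
import json

# From the page: env0's SaaS AWS account ID (use your agent's account ID for
# a self-hosted agent) and the 5-hour cap on a deployment.
ENV0_ACCOUNT_ID = "913128560467"
MAX_SESSION_SECONDS = 5 * 3600  # 18000, the value entered in step 11

# Constructed example only; use a long random value for a real role.
EXAMPLE_EXTERNAL_ID = "example-external-id-change-me"


def trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Build the trust policy the console wizard produces for steps 2-5:
    only principals in the trusted account may call sts:AssumeRole, and only
    when they pass the agreed External ID. The External ID condition is what
    stops another env0 customer from pointing env0 at your role ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def trust_policy_issues(policy: dict, expected_account_id: str) -> list[str]:
    """Return the ways a trust policy deviates from the shape above.
    An empty list means every statement that allows sts:AssumeRole names
    only the expected account and requires an External ID."""
    issues: list[str] = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be un-listed
        statements = [statements]
    expected_principal = f"arn:aws:iam::{expected_account_id}:root"
    assume_statements = 0
    for st in statements:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or not any(
            a in ("sts:AssumeRole", "sts:*", "*") for a in actions
        ):
            continue
        assume_statements += 1
        principal = st.get("Principal", {})
        if principal == "*":
            aws_principals = ["*"]
        else:
            aws = principal.get("AWS", []) if isinstance(principal, dict) else []
            aws_principals = [aws] if isinstance(aws, str) else list(aws)
        for p in aws_principals:
            if p == "*":
                issues.append("wildcard principal: any AWS account could assume this role")
            elif p not in (expected_principal, expected_account_id):
                issues.append(f"unexpected principal {p}")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            issues.append("missing sts:ExternalId condition")
    if assume_statements == 0:
        issues.append("no Allow statement for sts:AssumeRole")
    return issues


# Constructed "before" policy: what you get if you skip steps 4-5 and also
# trust every account. Both problems are reported by the checker.
OPEN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}],
}


def render_policy(policy: dict) -> str:
    """JSON document ready for `aws iam create-role --assume-role-policy-document`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    good = trust_policy(ENV0_ACCOUNT_ID, EXAMPLE_EXTERNAL_ID)
    print(render_policy(good))
    print("issues with hardened policy:", trust_policy_issues(good, ENV0_ACCOUNT_ID))
    print("issues with open policy:", trust_policy_issues(OPEN_TRUST_POLICY, ENV0_ACCOUNT_ID))
```

The same role can be created without the console by saving the rendered document to a file and running `aws iam create-role --role-name <name> --assume-role-policy-document file://trust.json --max-session-duration 18000`, then `aws iam attach-role-policy --role-name <name> --policy-arn <policy>`. To audit a role that already exists, feed the output of `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument` to trust_policy_issues.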

Add your Role ARN and External ID configuration to env0

  1. Go to the Organization Settings page, and pick the "Credentials" tab
  2. Under the Cloud Credentials section, click + Add Credential
  3. Enter a name for the new credential.
  4. Under "Role ARN", enter your role ARN.
  5. Under "External ID", enter the value of your Role's External ID
  6. Click Add

[Screenshot: Organization Variables Menu]

External ID in a Self-Hosted Agent

If your organization runs on a Self-Hosted Agent, you can reference the External ID from AWS Systems Manager Parameter Store instead of entering the secret value itself. Use the format ${ssm:path/to/external-id} as the External ID value.

Then assign the credential to the projects that should use it:

  1. Go to the project which you'd like to use this role, and then go to "Project Settings" -> "Credentials" tab
  2. Pick the credential you would like to use in this project, and then click on Save

Change Assumed Role per Environment

To override the project's Assumed Role for a specific environment, set environment variables when deploying that environment; env0 will then assume the other role for that deployment.
Create a variable called ENV0_AWS_ROLE_ARN, and set its value to the role ARN. Then create another variable called ENV0_AWS_ROLE_EXTERNAL_ID, set its value to that role's secret External ID, and mark the variable as sensitive.

Using IAM user credentials

Create an IAM User & Permissions

  1. In order to connect your AWS account, you will need to create an IAM user with programmatic access. See this guide on how to do that. Make sure you save your Access Key ID and Secret Access Key.
  2. Grant this user the permissions needed to deploy the resources defined in your Terraform code, preferably a policy scoped to those resources rather than AdministratorAccess. Unlike the assume-role option, these keys are long-lived and do not expire on their own, so rotate them regularly.

Add Your Credentials to env0

  1. Go to the Organization Variables page
  2. Under the Environment Variables section, click + Add Variable
  3. Add a variable with the key AWS_ACCESS_KEY_ID, and the value of your Access Key ID.
  4. Add another variable, this one with the key AWS_SECRET_ACCESS_KEY. Enter the value of your Secret Access Key, and mark this one as Sensitive.
  5. Click Save

[Screenshot: Organization Variables Menu]

NOTE: You may also configure these variables on other, lower-level variable scopes.

[Screenshot: Add AWS Credentials]

Google Cloud

Create a Service Account

  1. In order to connect your Google Cloud project, you will need to create a Service Account and a JSON key for it. See this guide on how to create one. Make sure to save the JSON key contents, and grant the service account the IAM roles your Terraform code needs.

Add Your Credentials to env0

  1. Go to the Organization Variables page
  2. Under the Environment Variables section, click + Add Variable
  3. Add a variable with the key GOOGLE_PROJECT. The value should be the ID of your Google Cloud project (the project ID, not its display name).
  4. Add another variable, this one with the key GOOGLE_CREDENTIALS. Copy-paste the full JSON key contents directly into the value of this variable. Mark it as Sensitive.
  5. Click Save

[Screenshot: Organization Variables Menu]

NOTE: You may also configure these variables on other, lower-level variable scopes.

[Screenshot: Add GCP Credentials]

Azure

Create a Service Principal

  1. In order to connect your Azure account, you will need to create a Service Principal. Follow these steps on how to create one.

Add Your Credentials to env0

  1. Go to the Organization Variables page
  2. Under the Environment Variables section, click + Add Variable
  3. Add the following variables -
    1. Key ARM_SUBSCRIPTION_ID - Value is your subscription ID.
    2. Key ARM_CLIENT_ID - Value is your service principal's application (client) ID.
    3. Key ARM_CLIENT_SECRET - Value is your service principal's password (client secret). Mark this one as Sensitive.
    4. Key ARM_TENANT_ID - Value is your service principal's tenant ID.
  4. Click Save

[Screenshot: Organization Variables Menu]

NOTE: You may also configure these variables on other, lower-level variable scopes.

[Screenshot: Add Azure Credentials]
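For the three variable-based credential types above (IAM user keys, Google Cloud service account key, Azure service principal), the following added example, my own Python and not an env0 tool, lints a variable set before you save it: every required key is present, the keys the page says to mark Sensitive are marked, GOOGLE_CREDENTIALS is a complete service-account key whose project_id agrees with GOOGLE_PROJECT, and the Azure subscription, client and tenant IDs are GUIDs. The Variable class and every sample value are constructed for illustration; none are real credentials.

```python
import json
import re
from dataclasses import dataclass

# Variable keys the page asks for, per credential type.
REQUIRED_KEYS = {
    "aws-iam-user": ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"),
    "gcp": ("GOOGLE_PROJECT", "GOOGLE_CREDENTIALS"),
    "azure": ("ARM_SUBSCRIPTION_ID", "ARM_CLIENT_ID", "ARM_CLIENT_SECRET", "ARM_TENANT_ID"),
}
# Keys the page tells you to mark Sensitive.
SECRET_KEYS = {"AWS_SECRET_ACCESS_KEY", "GOOGLE_CREDENTIALS", "ARM_CLIENT_SECRET", "ENV0_AWS_ROLE_EXTERNAL_ID"}
# Azure subscription, client (app) and tenant IDs are GUIDs; the client secret is not.
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


@dataclass
class Variable:
    """One env0 variable as entered in the UI (constructed model, not env0's API)."""
    key: str
    value: str
    sensitive: bool = False


def service_account_key_issues(raw: str, expected_project: str = "") -> list[str]:
    """Check that GOOGLE_CREDENTIALS holds a whole Google service-account key
    file, and that its project_id agrees with GOOGLE_PROJECT when given."""
    try:
        key = json.loads(raw)
    except ValueError:
        return ["GOOGLE_CREDENTIALS is not valid JSON; paste the entire key file"]
    if not isinstance(key, dict):
        return ["GOOGLE_CREDENTIALS is not a JSON object"]
    issues = []
    if key.get("type") != "service_account":
        issues.append("GOOGLE_CREDENTIALS is not a service_account key")
    for field in ("project_id", "client_email", "private_key"):
        if not key.get(field):
            issues.append(f"GOOGLE_CREDENTIALS lacks {field}")
    if key.get("private_key") and not str(key["private_key"]).startswith("-----BEGIN PRIVATE KEY-----"):
        issues.append("GOOGLE_CREDENTIALS private_key is not a PEM private key")
    if expected_project and key.get("project_id") and key["project_id"] != expected_project:
        issues.append(f"GOOGLE_PROJECT ({expected_project}) does not match the key's project_id ({key['project_id']})")
    return issues


def lint_credentials(provider: str, variables: list[Variable]) -> list[str]:
    """Return problems with a credential variable set; an empty list means it
    is complete, its secrets are marked Sensitive and its values have the right shape."""
    by_key = {v.key: v for v in variables}
    issues = []
    for key in REQUIRED_KEYS[provider]:
        if key not in by_key or not by_key[key].value.strip():
            issues.append(f"{key} is missing or empty")
    for v in variables:
        if v.key in SECRET_KEYS and not v.sensitive:
            issues.append(f"{v.key} must be marked Sensitive")
    if provider == "gcp" and "GOOGLE_CREDENTIALS" in by_key:
        project = by_key["GOOGLE_PROJECT"].value if "GOOGLE_PROJECT" in by_key else ""
        issues += service_account_key_issues(by_key["GOOGLE_CREDENTIALS"].value, project)
    if provider == "azure":
        for key in ("ARM_SUBSCRIPTION_ID", "ARM_CLIENT_ID", "ARM_TENANT_ID"):
            if key in by_key and not GUID_RE.fullmatch(by_key[key].value.strip()):
                issues.append(f"{key} is not a GUID")
    return issues


# Constructed sample values; none of these are real credentials.
SAMPLE_GCP_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASC...\n-----END PRIVATE KEY-----\n",
    "client_email": "env0-deployer@example-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
})
AWS_VARS_WEAK = [  # secret saved as a plain variable: the lint flags it
    Variable("AWS_ACCESS_KEY_ID", "AKIAEXAMPLEEXAMPLE01"),
    Variable("AWS_SECRET_ACCESS_KEY", "constructed/secret/value"),
]
AWS_VARS_OK = [
    Variable("AWS_ACCESS_KEY_ID", "AKIAEXAMPLEEXAMPLE01"),
    Variable("AWS_SECRET_ACCESS_KEY", "constructed/secret/value", sensitive=True),
]
GCP_VARS_OK = [
    Variable("GOOGLE_PROJECT", "example-project"),
    Variable("GOOGLE_CREDENTIALS", SAMPLE_GCP_KEY, sensitive=True),
]
AZURE_VARS_OK = [
    Variable("ARM_SUBSCRIPTION_ID", "11111111-2222-3333-4444-555555555555"),
    Variable("ARM_CLIENT_ID", "66666666-7777-8888-9999-aaaaaaaaaaaa"),
    Variable("ARM_CLIENT_SECRET", "constructed-client-secret", sensitive=True),
    Variable("ARM_TENANT_ID", "bbbbbbbb-cccc-dddd-eeee-ffffffffffff"),
]

if __name__ == "__main__":
    for name, provider, variables in [
        ("aws (secret not sensitive)", "aws-iam-user", AWS_VARS_WEAK),
        ("aws", "aws-iam-user", AWS_VARS_OK),
        ("gcp", "gcp", GCP_VARS_OK),
        ("azure", "azure", AZURE_VARS_OK),
    ]:
        print(f"{name}: {lint_credentials(provider, variables) or 'ok'}")
```

The Sensitive check is the one worth automating: a secret saved as a plain variable is shown in the UI and in logs to anyone who can read the scope, which is exactly what the "mark this one as Sensitive" steps above are meant to prevent.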

Other Cloud Providers

If you are using Terraform to manage infrastructure in a different provider than the ones mentioned above, you will need to check the provider documentation to understand what authentication options the provider supports.

Defining Scopes

Cloud access is defined in env0 using variables, which can be defined in several scopes. This guide defines those variables in the Organization scope, meaning they can be used by any environment in the organization; defining them at a narrower scope, such as a project or a single environment, limits which deployments can use the credential. Learn more about variables in env0.

