AWS credentials should be in TF vars

[ggreer]

AWS key, secret, & STS token are currently in environment vars. This makes it really hard to apply/destroy a cluster that a user created with the GUI installer. These should be TF vars like region.

[alexsomesan]

This opens up the same conversation like we had for the tectonic license and quay pull secreted.
I don't think credentials in configuration are any kind of good practice. Region is not a part of the credentials set.

In the case of using an impersonated role, Terraform itself can do that impersonation, so there's no need to struggle with injecting these three values. They're also refreshed on every run, so no more annoying expired sessions.

If we want to streamline the credentials injection story, I think this is a better path to follow. Ask users to have a role available and put that role in tfvars to be passed to the provider.

Did I mention that credentials in configuration are bad practice? :)

[philips]

Has there been reported friction on this from users on having environment variables used? It seems like the normal flow for AWS and Terraform.

[Quentin-M]

@sym3tri @robszumski Are we doing this?

[robszumski]

There is some friction, but it sounds like this is normal. Of course, throwing secrets in the file needs to be very controlled. Sounds like we should skip for now.

[sym3tri]

Discussed a plan IRL. Closing out and will create new issue with the plan.