To use driftctl, we need credentials to make authenticated requests to AWS. Just like the AWS CLI, we use credentials and configuration settings declared as user environment variables, or in local AWS configuration files.
driftctl supports named profile. By default, the CLI uses the settings found in the profile named
default. You can override an individual setting by declaring the supported environment variables such as
If you are using an IAM role as an authorization tool, which is considered a good practice, please be aware that you can still use driftctl by defining a profile for the role in your
You can now use driftctl by overriding the profile setting.
You will find below our custom role that you can assume to run driftctl written in HCL.
Deploy this CloudFormation template to create our limited permission role that you can use as per our above authentication guide.
Once the stack is deployed, you need to attach the following policy to your IAM User which will allow him to assume only the role. For more information about granting a user access to assume a role, see the official IAM User Guide.
It does not exist an automatic way to update the CloudFormation template from our side because you launched this template on your AWS account. That's why you must be the one to update the template to be on the most recent driftctl role.
Find below two ways to update the CloudFormation template:
- With the AWS console
- In the AWS CloudFormation console, from the list of stacks, select the driftctl stack
- In the stack details pane, choose Update
- Select Replace current template and specify our Amazon S3 URL
https://driftctl-cfn-templates.s3.eu-west-3.amazonaws.com/driftctl-role.yml, click Next
- On the Specify stack details and the Configure stack options pages, click Next
- In the Change set preview section, check that AWS CloudFormation will indeed make changes
- Since our template contains one IAM resource, select I acknowledge that this template may create IAM resources
- Finally, click Update stack
- With the AWS CLI
driftctl needs access to your cloud provider account so that it can list resources on your behalf.
As AWS documentation recommends, the below policy is granting only the permissions required to perform driftctl's tasks.