How do I migrate Terraform to AWS SSO from IAM keys?

Configure SSO profiles per account in ~/.aws/config. Add `profile=shared-account` to S3 backend. Update bucket policy for cross-account. Reinit Terraform. Swap CI/CD to OIDC.

Does AWS SSO work with GitHub Actions for Terraform?

Yes—use aws-actions/configure-aws-credentials with role-to-assume and OIDC. No secrets needed.

What if my Terraform state is in a shared account?

Backend profile points to shared SSO profile. S3/DynamoDB calls use it; provider uses target account creds.

⚙️ DevOps & Platform Eng

Static IAM Keys Are a Terraform Trap: The AWS SSO Switch Every Team Needs

Teams clung to shared IAM keys for Terraform like a security blanket. AWS SSO rips it away—forcing real accountability without the chaos.

theAIcatchup Apr 09, 2026 3 min read

Terraform AWS provider config switching from assume_role to SSO profiles

⚡ Key Takeaways

Ditch shared IAM keys for SSO to restore CloudTrail accountability. 𝕏
Backend profile trick enables multi-account state without assume_role. 𝕏
OIDC in GitHub Actions eliminates static secrets entirely. 𝕏

Published by

theAIcatchup

Ship faster. Build smarter.

#AWS OIDC CI/CD #AWS SSO #GitHub Actions OIDC #IAM Identity Center #Multi-account AWS #Terraform #Terraform AWS SSO #multi-account Terraform

Worth sharing?

Get the best Developer Tools stories of the week in your inbox — no noise, no spam.

Originally reported by dev.to

⚡ Key Takeaways

The 60-Second TL;DR

theAIcatchup

Share this article

Worth sharing?

Related Stories

Proxmox Terraform's Delete Failures: The curl-jq Hack That Actually Works

Terraform Dependencies: Implicit Magic or Explicit Must-Have?

Terraform's Quiet Revolution Against Console Hell

Ditch AWS Console Chaos: Build a Rock-Solid VPC with Terraform in 45 Minutes

Stay in the loop