Use Terraform and CDK with Hardware-Verified Credentials

Use CDK, Terraform, SAM, and other IaC tools with Vouch

IaC tools like Terraform, CDK, and SAM need AWS credentials to provision infrastructure. If those credentials are long-lived access keys, a compromised dev machine could modify production infrastructure. If they’re shared across the team, there’s no audit trail showing who deployed what.

If a tool reads ~/.aws/config, it already works with Vouch. The credential_process setting in your Vouch AWS profile is picked up by the AWS SDK, which means every IaC tool that uses the SDK gets hardware-verified credentials automatically. No plugins or wrappers needed.

AWS CDK

cdk deploy --profile vouch

CDK has known issues with SSO credential discovery (#23520, #21328) that credential_process avoids entirely.


AWS SAM

sam deploy --profile vouch

Terraform

# Set the AWS profile for the session
export AWS_PROFILE=vouch
terraform plan
terraform apply

This works for the AWS provider’s authentication. Terraform Cloud registry auth is separate and not handled by Vouch.


AWS Copilot

export AWS_PROFILE=vouch
copilot deploy

AWS Amplify

export AWS_PROFILE=vouch
amplify push

With Vouch, you can skip amplify configure entirely – there is no need to generate long-lived IAM access keys for local development. The credential_process in your Vouch profile provides credentials on demand.


Pulumi

export AWS_PROFILE=vouch
pulumi up

Tips

Setting AWS_PROFILE vs --profile

Some tools accept --profile vouch as a flag, while others only read the AWS_PROFILE environment variable. Setting the environment variable works universally:

export AWS_PROFILE=vouch

Add this to your shell profile (.bashrc, .zshrc) to make it the default for all sessions.
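Because every tool above trusts whatever AWS_PROFILE points at, it is worth checking that the selected profile really resolves credentials through credential_process rather than a static key pair. The POSIX shell guard below is an added example, not part of the Vouch docs: profile_section, profile_uses_credential_process and iac_guarded are constructed names, and the command it passes through is whatever IaC invocation you give it.

```shell
#!/bin/sh
# Constructed example: refuse to hand AWS_PROFILE to an IaC command unless the
# profile in the AWS config file uses credential_process and has no static keys.

# Print the non-comment, non-blank body of [profile NAME] (or [default]).
profile_section() {
  # $1 = config file path, $2 = profile name
  awk -v want="$2" '
    /^[ \t]*\[/ {
      name = $0
      sub(/^[ \t]*\[[ \t]*/, "", name); sub(/[ \t]*\][ \t]*$/, "", name)
      sub(/^profile[ \t]+/, "", name)   # "[profile vouch]" -> "vouch"
      inside = (name == want)
      next
    }
    inside && !/^[ \t]*([#;]|$)/ { print }
  ' "$1"
}

# 0 when the profile exists, carries credential_process and no aws_access_key_id /
# aws_secret_access_key; 1 for a missing profile, static keys, or no credential_process.
profile_uses_credential_process() {
  section=$(profile_section "$1" "$2")
  [ -n "$section" ] || return 1
  printf '%s\n' "$section" | grep -qiE '^[[:space:]]*aws_(secret_)?access_key' && return 1
  printf '%s\n' "$section" | grep -qiE '^[[:space:]]*credential_process[[:space:]]*='
}

# Usage: iac_guarded vouch terraform apply
iac_guarded() {
  profile="$1"; shift
  profile_uses_credential_process "${AWS_CONFIG_FILE:-$HOME/.aws/config}" "$profile" || {
    echo "refusing: profile '$profile' is not backed by credential_process" >&2
    return 1
  }
  AWS_PROFILE="$profile" "$@"
}
```

The guard only inspects the config file; it does not check ~/.aws/credentials, so a static key pair placed there under the same profile name would still need a separate check.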

Multiple accounts

If you deploy to multiple AWS accounts, set up separate Vouch profiles for each:

vouch setup aws --role arn:aws:iam::111111111111:role/VouchDeveloper --profile vouch-dev
vouch setup aws --role arn:aws:iam::222222222222:role/VouchDeveloper --profile vouch-prod

Then specify the profile per command:

cdk deploy --profile vouch-dev
cdk deploy --profile vouch-prod