
Ditch Static IAM Keys: Run Terraform with AWS SSO
If your team is still using shared IAM user credentials to run Terraform, it's time to switch to AWS SSO (IAM Identity Center). In this article, I'll walk you through how I migrated our multi-account Terraform setup from a shared deployment IAM user to individual SSO-based authentication for both local development and CI/CD pipelines.

Our Previous Setup

We had a classic multi-account Terraform setup with three AWS accounts:

- Shared/management account - Hosted the S3 state bucket, DynamoDB lock table, and custom Terraform modules in S3
- Dev account - Development environment
- Live/prod account - Production environment (with additional live-eu and live-dr workspaces)

A single IAM user called deployment lived in the shared account. It had an access key that was shared across the team and stored as GitHub secrets for CI/CD. The Terraform provider used assume_role to switch into the target account:

    provider "aws" {
      region = "us-east-1"
      assume_role {
        role_arn = "arn:aws:iam::<account_id>:role/de
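The excerpt above ends mid-snippet, so the article's own provider block is not shown in full. As an added example (not the article's code), here is the shape of the change this migration implies: the provider keeps the cross-account assume_role, but its base credentials come from a short-lived AWS SSO session selected via a named profile instead of the shared deployment user's static access key. The profile name shared-sso, the role name terraform-deploy, the bucket and table names, and the variable names are all assumptions; the article's real values are not visible in this excerpt.

```hcl
# BEFORE (the setup the article describes, reconstructed as an assumption):
# the shared "deployment" user's long-lived key is exported as
# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY (locally and as GitHub secrets)
# and the provider assumes a role in the target account from there.
# The same key therefore has to be rotated everywhere at once if it leaks.

# AFTER: no static key anywhere. Each engineer runs
#   aws sso login --profile shared-sso
# and the provider reads the short-lived SSO credentials for that profile
# from the AWS CLI's shared config, then assumes the cross-account role.
#
# Matching ~/.aws/config entry (every value here is a placeholder):
#   [profile shared-sso]
#   sso_start_url  = https://example.awsapps.com/start
#   sso_region     = us-east-1
#   sso_account_id = 111111111111          # shared/management account
#   sso_role_name  = TerraformDeployer     # permission set name
#   region         = us-east-1

variable "target_account_id" {
  description = "Account the run deploys into (dev or live); placeholder value"
  type        = string
}

variable "sso_profile" {
  description = "AWS CLI profile backed by an SSO login (assumed name)"
  type        = string
  default     = "shared-sso"
}

terraform {
  # State still lives in the shared account; the backend authenticates with
  # the same SSO profile (variables are not allowed in backend blocks, so
  # these are literal placeholders).
  backend "s3" {
    bucket         = "example-terraform-state"
    key            = "infra/terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "example-terraform-locks"
    profile        = "shared-sso"
  }
}

provider "aws" {
  region  = "us-east-1"
  profile = var.sso_profile

  assume_role {
    role_arn = "arn:aws:iam::${var.target_account_id}:role/terraform-deploy"
    # The session name lands in CloudTrail, so tag it per run for attribution
    # instead of the one shared identity every team member used to appear as.
    session_name = "terraform-${var.sso_profile}"
  }
}
```

Because the SSO session expires after hours rather than never, a run started on a stale session fails at plan time with an expired-token error; re-running `aws sso login` for the profile is the fix. When decommissioning the old deployment user, check CloudTrail for any remaining use of its access key before deleting it, so that a forgotten pipeline is found by a log query rather than by an outage.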
Continue reading on Dev.to



