Terraformcloud~3 mins

Why Least privilege for Terraform service accounts? - Purpose & Use Cases

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Time

The Big Idea

What if one small permission mistake could bring down your entire cloud setup?

The Scenario

Imagine you have a team managing cloud resources manually, and each person uses a shared account with full access to everything.

One day, someone accidentally deletes a critical server or changes settings they shouldn't.

Fixing this takes hours and causes downtime.

The Problem

Using broad access for service accounts is risky and slow.

It's easy to make mistakes that affect many resources.

Tracking who did what becomes confusing.

Security risks increase because one compromised account can cause big damage.

The Solution

Applying least privilege means giving Terraform service accounts only the exact permissions they need.

This limits mistakes and damage if something goes wrong.

It also helps track actions clearly and improves overall security.

Before vs After

✗ Before

resource "aws_iam_role" "terraform" {
  name = "terraform-full-access"
  assume_role_policy = "..."
  managed_policy_arns = ["arn:aws:iam::aws:policy/AdministratorAccess"]
}

✓ After

resource "aws_iam_role" "terraform" {
  name = "terraform-limited-access"
  assume_role_policy = "..."
  managed_policy_arns = ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess", "arn:aws:iam::aws:policy/AmazonEC2FullAccess"]
}

What It Enables

It enables safer, clearer, and more reliable cloud infrastructure management with Terraform.

Real Life Example

A company uses a Terraform service account that can only create and update storage buckets but cannot delete databases.

This prevents accidental data loss while allowing automation.

Key Takeaways

Manual broad access leads to mistakes and security risks.

Least privilege limits permissions to what is needed.

This improves safety, clarity, and control in cloud management.