
Init AWS credentials with hyops init aws

Purpose: Initialise AWS runtime credentials so Terraform/Terragrunt AWS stacks can run.
Owner: Platform operations
Trigger: First-time environment bootstrap, new workstation/runner, or credential rotation.
Impact: Without AWS credentials, AWS stacks cannot apply.
Severity: P3
Pre-reqs: aws CLI installed; account access to target AWS resources.
Rollback strategy: Remove the generated credentials file under <root>/credentials/ and re-run init.


Context

hyops init aws writes:

  • Non-secret config: <root>/config/aws.conf
  • Sensitive credentials: <root>/credentials/aws.credentials.tfvars (mode 0600)
  • Readiness marker: <root>/meta/aws.ready.json

Credential resolution order:

  1. CLI flags (--access-key-id, --secret-access-key, --session-token)
  2. Shell env (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN)
  3. Runtime vault keys with the same names

AWS_REGION/AWS_DEFAULT_REGION and AWS_PROFILE are also respected.


Preconditions and safety checks

  • Ensure you are targeting the correct environment:

    echo "HYOPS_ENV=$HYOPS_ENV"
    

  • Confirm required tool exists:

    command -v aws
    

  • If using runtime vault secrets (recommended):

    hyops vault status-verbose
    

  • Confirm AWS identity works before init:

    aws sts get-caller-identity
    


Steps

1) Generate the config template (first run only)

  • Command:

    hyops init aws --env dev
    

  • Expected result:
      • If the config is missing, HyOps writes <root>/config/aws.conf and exits with guidance.
      • Edit the config and re-run the command.

2) Interactive workstation flow

  • If you use AWS SSO profile:

    aws configure sso --profile hybridops-dev
    aws sso login --profile hybridops-dev
    hyops init aws --env dev --profile hybridops-dev
    

  • Or allow HyOps to attempt SSO login when STS fails:

    hyops init aws --env dev --profile hybridops-dev --with-cli-login
    

3) Non-interactive/CI flow

  • Export credentials in runner environment (or inject via secret manager), then run:

    hyops init aws --env dev --non-interactive
    

  • Vault-backed alternative:

    hyops secrets set --env dev --from-env AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
    hyops init aws --env dev --non-interactive
    


Verification

  • Confirm readiness marker exists:

    cat ~/.hybridops/envs/dev/meta/aws.ready.json
    

  • Confirm credentials file exists and is protected:

    ls -la ~/.hybridops/envs/dev/credentials/aws.credentials.tfvars
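The two verification checks above can be scripted so a runner fails fast on a missing marker or a loosely-permitted credentials file. This is an added example, not part of the HyOps tooling; it assumes the <root> layout from the Context section (config/aws.conf, credentials/aws.credentials.tfvars, meta/aws.ready.json) and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not HyOps project code): post-init verification of the
# hyops init aws file layout. Function names are hypothetical.

# Print a file's permission bits in octal (GNU stat first, BSD stat fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# hyops_aws_verify <root>: return 0 when the environment root looks ready,
# 1 otherwise, reporting every failed check on stderr.
hyops_aws_verify() {
  root=$1
  rc=0
  # All three artefacts that init writes must exist and be non-empty.
  for f in config/aws.conf credentials/aws.credentials.tfvars meta/aws.ready.json; do
    if [ ! -s "$root/$f" ]; then
      echo "missing or empty: $root/$f" >&2
      rc=1
    fi
  done
  creds="$root/credentials/aws.credentials.tfvars"
  if [ -f "$creds" ]; then
    mode=$(file_mode "$creds")
    # init writes the file with mode 0600; anything wider exposes the
    # access keys to other local users, so treat it as a failed check.
    if [ "$mode" != "600" ]; then
      echo "mode $mode on $creds, expected 600 (fix: chmod 600 \"$creds\")" >&2
      rc=1
    fi
  fi
  return $rc
}

# Workstation usage, same path as the Verification section:
#   sh verify.sh ~/.hybridops/envs/dev
if [ $# -gt 0 ]; then
  hyops_aws_verify "$1" && echo "aws init verified for $1"
fi
```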
    


Troubleshooting

ERR: AWS identity validation failed; see evidence

  • Confirm credentials/profile:
    aws sts get-caller-identity
    
  • If using SSO, login first:
    aws sso login --profile <profile>
    
  • Re-run init (optionally with --with-cli-login).

ERR: credentials file already exists (use --force ...)

  • Re-run with overwrite:
    hyops init aws --env dev --force
    

Preflight shows missing AWS credentials after init

  • Confirm the file path: ~/.hybridops/envs/<env>/credentials/aws.credentials.tfvars
  • Confirm the module spec requires AWS credentials and that you are using the matching env (--env).

Maintainer: HybridOps.Studio
License: MIT-0 for code, CC-BY-4.0 for documentation