Channel: Active questions tagged amazon-s3 - DevOps Stack Exchange

Can Terraform S3 remote state be kept in a different AWS account?


I am currently using Terraform with S3 remote state. The IAM user that I'm using to run Terraform exists in the same AWS account as the S3 bucket holding the remote state files. This is all working fine.

However, I have IAM users in other AWS accounts (all part of the same AWS organization) and I want to grant them access to use Terraform in the main account. It seems like I should be able to do this with IAM roles. I've created an IAM role in the main account, and I've configured the assume_role attribute of the aws provider to assume a role in the main AWS account.

However, this approach fails because the user in the other AWS account doesn't have access to the remote state files in S3. I've tried granting access to the remote state files to the IAM role, but Terraform apparently tries to fetch state before the aws provider is loaded and the new IAM role is assumed.

Is there any way to grant access to the remote state files in S3? Or more generally, is there any way to allow users across multiple AWS accounts to perform Terraform operations across the same multiple AWS accounts, even though sometimes the S3 remote state will be located in a different account?

