Dynamic provider credentials
Important: If you are self-hosting HCP Terraform agents, ensure your agents use v1.7.0 or above. To use the latest dynamic credentials features, upgrade your agents to the latest version.
Using static credentials in your workspaces to authenticate providers presents a security risk, even if you rotate your credentials regularly. Dynamic provider credentials improve your security posture by letting you provision new, temporary credentials for each run.
You can configure dynamic credentials for each HCP Terraform workspace. This workflow eliminates the need to manually manage and rotate credentials across your organization. It also lets you use the cloud platform’s authentication and authorization tools to scope permissions based on metadata, such as a run’s phase, its workspace, or its organization.
How Dynamic Credentials Work
You configure a trust relationship between your cloud platform and HCP Terraform. As part of that process, you can define rules that let HCP Terraform workspaces and runs access specific resources. Then, the following process occurs for each Terraform plan and apply:
- HCP Terraform generates a workload identity token. The token is compliant with OpenID Connect protocol (OIDC) standards and includes information about the organization, workspace, and run stage.
- When a plan or apply begins, HCP Terraform sends the workload identity token to the cloud platform, along with any other information needed to authenticate.
- The cloud platform uses HCP Terraform’s public signing key to verify the workload identity token.
- If verification succeeds, the cloud platform returns a set of fresh temporary credentials for HCP Terraform to use.
- HCP Terraform sets up these credentials within the run environment for the Terraform provider to use.
- The Terraform plan or apply proceeds.
- When the plan or apply completes, the run environment is torn down and the temporary credentials are discarded.
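The check a relying party applies after verifying the token signature, shown as an added example (not HashiCorp's code or any cloud platform's implementation). The issuer URL, the audience value, and the layout of the sub claim are assumptions taken from HCP Terraform's published token format rather than from this page, and the organization, project, and workspace names are constructed.

```python
import fnmatch
import time

# Assumed values: issuer and audience as used by HCP Terraform for AWS.
ISSUER = "https://app.terraform.io"
AUDIENCE = "aws.workload.identity"

# Hypothetical trust rules (glob patterns over the "sub" claim).
BROAD = ["organization:acme:*"]  # weak: any workspace, any run phase
PLAN_ONLY = ["organization:acme:project:payments:workspace:payments-prod:run_phase:plan"]
APPLY_ONLY = ["organization:acme:project:payments:workspace:payments-prod:run_phase:apply"]


def sample_claims(project, workspace, phase, exp, aud=AUDIENCE):
    """Build a constructed claim set shaped like a workload identity token."""
    return {
        "iss": ISSUER,
        "aud": aud,
        "exp": exp,
        "sub": f"organization:acme:project:{project}:workspace:{workspace}:run_phase:{phase}",
    }


def authorize(claims, sub_patterns, now=None):
    """Return (allowed, reason) for claims whose signature is already verified.

    Verifying the signature against the issuer's published keys is a
    separate, earlier step that this example does not perform.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if AUDIENCE not in ([aud] if isinstance(aud, str) else (aud or [])):
        return False, "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired"
    sub = claims.get("sub", "")
    # Case-sensitive glob; note that '*' also matches across ':' separators.
    if not any(fnmatch.fnmatchcase(sub, p) for p in sub_patterns):
        return False, "subject not permitted"
    return True, "ok"
```

With the BROAD rule, an apply run in an unrelated sandbox workspace of the same organization receives credentials; binding separate roles to PLAN_ONLY and APPLY_ONLY keeps write access limited to the apply phase of one workspace.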
Configure Dynamic Credentials
Using dynamic credentials in a workspace requires the following steps for each cloud platform:
- Set up a Trust Relationship: You must configure a relationship between HCP Terraform and the other cloud platform. The exact details of this process will be different depending on the cloud platform.
- Configure Cloud Platform Access: You must configure roles and policies for the cloud platform to define the workspace’s access to infrastructure resources.
- Configure HCP Terraform Workspace: You must add specific environment variables to your workspace to tell HCP Terraform how to authenticate to the other cloud platform during plans and applies. Each cloud platform has its own set of environment variables to configure dynamic credentials.
The process for each step is different for each cloud platform. Refer to the cloud platform configuration instructions for full details. You can configure dynamic credentials for the following platforms:
You can also use Vault to generate credentials for AWS, GCP, or Azure by setting up Vault-backed dynamic credentials, which take advantage of Vault's secrets engines to generate temporary credentials.
Terraform Enterprise Specific Requirements
External Access to Metadata Endpoints
In order to verify signed JWTs, cloud platforms must have network access to the following static OIDC metadata endpoints within TFE:
- /.well-known/openid-configuration - standard OIDC metadata.
- /.well-known/jwks - TFE’s public key(s) that cloud platforms use to verify the authenticity of tokens that claim to come from TFE.
External Vault Policy
If you are using an external Vault instance, you must ensure that your Vault instance has the correct policies set up, as detailed in the External Vault Requirements for Terraform Enterprise documentation.