AWS quick setup
HCP Terraform can automatically set up dynamic credentials for AWS using AWS temporary permission delegation.
Background
Dynamic provider credentials work by establishing a trust relationship between HCP Terraform and your cloud provider. This trust relationship improves your security posture by configuring HCP Terraform to provision and use new temporary credentials for each Terraform run. Once you have configured the trust relationship, you can configure your workspaces, Stacks, and private registry module tests to use it.
Requirements
In order to set up dynamic provider credentials with AWS using the quick setup method, you will need the following:
- An HCP Terraform workspace
- An AWS account with administrator permissions to IAM
Configuring dynamic credentials with AWS quick setup
To configure dynamic credentials with AWS quick setup, complete the following steps:
1. Navigate to your workspace’s Variables page, and click the AWS Quick Setup button.
2. Select whether you want a single set of credentials for both the plan and apply steps, or separate credentials. Each set of credentials will be attached to an IAM role that you will configure in AWS. For example, you may prefer to use read-only permissions for the role used for Terraform plans. Provide the name of the role(s) this set of credentials will use. You will create these roles in AWS after you configure the trust relationship.
3. If your workspace will use multiple AWS provider configurations, apply an alias name to specify which provider configuration will use these credentials.
4. You can specify a different value for the workload identity audience. Leave the default value unless you have a specific need to set a different audience, such as when configuring multiple identity providers for AWS.
5. Click Add credentials. HCP Terraform opens a new browser window to configure your AWS account for temporary permission delegation. This process allows HCP Terraform to configure the trust relationship in your AWS account.
6. After you configure the trust relationship with AWS quick setup, attach one or more IAM policies to the IAM role or roles that HCP Terraform created for your trust relationship. These policies provide HCP Terraform with the permissions it needs to provision your infrastructure during a Terraform run. If you configured a single set of credentials for both plan and apply operations, HCP Terraform uses the same role for both operations. If you configured separate credentials for plan and apply operations, you must attach IAM policies to each of the roles. Use the AWS console to attach these IAM policies to the new role(s).
7. After you’ve attached policies to the role(s), go back to the workspace’s Variables page in HCP Terraform and mark the delegated permission operation card under the Dynamic provider credential sets header as complete by clicking the Mark complete button.
After you have completed the quick setup and marked the delegated permissions operation as complete, AWS will provide a set of dynamic credentials that use the specified role whenever your workspace runs a plan or apply operation.
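Before attaching permissions to the role(s) the quick setup created, it is worth confirming that each role's trust policy admits only your workspace and only the intended run phase (a plan role should not be assumable from an apply run, and a pattern such as `organization:my-org:*` would let any workspace in the organization assume the role). The following is an added example, not code from the page or from HashiCorp: it builds a constructed trust policy of the shape an OIDC-federated role for HCP Terraform uses (placeholder account id, organization, project and workspace names) and checks it against the expected `aud` and `sub` claims. The claim names (`app.terraform.io:aud`, `app.terraform.io:sub`), the default audience `aws.workload.identity` and the `organization:…:project:…:workspace:…:run_phase:…` subject format are taken from HCP Terraform's OIDC token as this example assumes it; verify them against your own role's trust policy in the AWS console.

```python
import fnmatch
import json

# Hostname that issues HCP Terraform's workload identity tokens (assumption;
# confirm against the Federated principal of the role in your account).
ISSUER = "app.terraform.io"


def sample_trust_policy(sub_pattern):
    """Constructed sample trust policy (not from the page) with the given
    subject pattern; account id and names are placeholders."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{ISSUER}:aud": "aws.workload.identity"},
                "StringLike": {f"{ISSUER}:sub": sub_pattern},
            },
        }],
    })


def expected_subject(org, project, workspace, run_phase):
    """Subject claim presented for one run phase of one workspace."""
    return (f"organization:{org}:project:{project}"
            f":workspace:{workspace}:run_phase:{run_phase}")


# Well-scoped policy: exactly one workspace, plan phase only.
SAMPLE_TRUST_POLICY = sample_trust_policy(
    expected_subject("example-org", "example-project", "example-ws", "plan"))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json, org, project, workspace, run_phase,
                       audience="aws.workload.identity"):
    """Return a list of findings; an empty list means every Allow statement is
    scoped to exactly this workspace and run phase."""
    findings = []
    policy = json.loads(policy_json)
    wanted = expected_subject(org, project, workspace, run_phase)
    # Subjects the policy must NOT accept: a sibling workspace, and the other
    # run phase of this workspace (keeps plan and apply roles separate).
    other_workspace = expected_subject(org, project, workspace + "-other", run_phase)
    other_phase = expected_subject(org, project, workspace,
                                   "apply" if run_phase == "plan" else "plan")
    granted = False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if actions != ["sts:AssumeRoleWithWebIdentity"]:
            findings.append(f"statement allows unexpected actions: {actions}")
        federated = stmt.get("Principal", {}).get("Federated", "")
        if not federated.endswith(f":oidc-provider/{ISSUER}"):
            findings.append(f"principal is not the {ISSUER} OIDC provider: {federated!r}")
        cond = stmt.get("Condition", {})
        aud = cond.get("StringEquals", {}).get(f"{ISSUER}:aud")
        if aud != audience:
            findings.append(f"audience condition is {aud!r}, expected {audience!r}")
        sub_patterns = []
        for op in ("StringEquals", "StringLike"):
            sub_patterns += _as_list(cond.get(op, {}).get(f"{ISSUER}:sub", []))
        if not sub_patterns:
            findings.append("no subject condition: any token from the provider could assume the role")
        for pattern in sub_patterns:
            # IAM StringLike wildcards (* and ?) behave like fnmatch here.
            if fnmatch.fnmatchcase(wanted, pattern):
                granted = True
            for unwanted in (other_workspace, other_phase):
                if fnmatch.fnmatchcase(unwanted, pattern):
                    findings.append(f"subject pattern {pattern!r} also admits {unwanted!r}")
    if not granted:
        findings.append(f"no statement grants the expected subject {wanted!r}")
    return findings


if __name__ == "__main__":
    for label, policy in (("scoped", SAMPLE_TRUST_POLICY),
                          ("org-wide", sample_trust_policy("organization:example-org:*"))):
        result = check_trust_policy(policy, "example-org", "example-project",
                                    "example-ws", "plan")
        print(label, "->", result or "OK")
```

To run this against a real role, replace the constructed policy with the output of `aws iam get-role` for the role the quick setup created, and call `check_trust_policy` once per role with the run phase that role is meant for; any finding means the role is broader than one workspace and one phase and should be tightened before permissions are attached.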
Next steps
Refer to the following resources to learn about configuring dynamic provider credentials:
- Read the overview documentation for dynamic provider credentials.
- Follow the Authenticate providers with dynamic credentials tutorial.
- Follow the Authenticate providers with Vault-backed dynamic credentials tutorial.