Dynamic Provider Credentials
Important: If using self-managed agents, make sure you’re using v1.7.0 or later.
Using static credentials in your workspaces to authenticate providers presents a security risk, even if you rotate your credentials regularly. Dynamic provider credentials improve your security posture by letting you provision new, temporary credentials for each run.
You can configure dynamic credentials for each Terraform Cloud workspace. This workflow eliminates the need to manually manage and rotate credentials across your organization. It also lets you use the cloud platform’s authentication and authorization tools to scope permissions based on metadata, such as a run’s phase, its workspace, or its organization.
How Dynamic Credentials Work
You configure a trust relationship between your cloud platform and Terraform Cloud. As part of that process, you can define rules that let Terraform Cloud workspaces and runs access specific resources. Then, the following process occurs for each Terraform plan and apply:
- Terraform Cloud generates a workload identity token. The token is compliant with OpenID Connect protocol (OIDC) standards and includes information about the organization, workspace, and run stage.
- When a plan or apply begins, Terraform Cloud sends the workload identity token to the cloud platform, along with any other information needed to authenticate.
- The cloud platform uses Terraform Cloud’s public signing key to verify the workload identity token.
- If verification succeeds, the cloud platform returns a set of fresh temporary credentials for Terraform Cloud to use.
- Terraform Cloud sets up these credentials within the run environment for the Terraform provider to use.
- The Terraform plan or apply proceeds.
- When the plan or apply completes, the run environment is torn down and the temporary credentials are discarded.
Configure Dynamic Credentials
Using dynamic credentials in a workspace requires the following steps for each cloud platform:
- Set up a Trust Relationship: You must configure a relationship between Terraform Cloud and the other cloud platform. The exact details of this process will be different depending on the cloud platform.
- Configure Cloud Platform Access: You must configure roles and policies for the cloud platform to define the workspace’s access to infrastructure resources.
- Configure Terraform Cloud Workspace: You must add specific environment variables to your workspace to tell Terraform Cloud how to authenticate to the other cloud platform during plans and applies. Each cloud platform has its own set of environment variables to configure dynamic credentials.
The process for each step is different for each cloud platform. Refer to the cloud platform configuration instructions for full details. You can configure dynamic credentials for the following platforms:
You can also use Vault to generate credentials for AWS, GCP, or Azure by setting up Vault-backed dynamic credentials, which take advantage of Vault's secrets engines to generate temporary credentials.
TFE Specific Requirements
External Access to Metadata Endpoints
In order to verify signed JWTs, cloud platforms must have network access to the following static OIDC metadata endpoints within TFE:
/.well-known/openid-configuration- standard OIDC metadata.
/.well-known/jwks- TFE’s public key(s) that cloud platforms use to verify the authenticity of tokens that claim to come from TFE.
External Vault Policy
If you are using an external Vault instance, you must ensure that your Vault instance has the correct policies setup as detailed in the External Vault Requirements for Terraform Enterprise documentation.