Terraform
HCP Vault Secrets-Backed Dynamic Credentials
This topic provides an overview of how to use HCP Vault Secrets to generate temporary credentials for providers so that you can securely use them in HCP Terraform runs.
Introduction
Configuring dynamic provider credentials with different cloud providers is suitable for most use cases, but you can use HCP Vault Secrets-backed dynamic credentials to centralize and consolidate cloud credential management.
HCP Vault Secrets-backed dynamic credentials leverage HCP Vault Secrets' dynamic secrets capability, which allows you to generate short-lived credentials for various providers. This means you can authenticate a HCP instance using workload identity tokens and use dynamic secret capabilities on that instance to generate dynamic credentials for the various providers.
Refer to the HCP Vault Secrets announcement to learn about the benefits of using HCP Vault Secrets to manage provider credentials.
Workflow
Using HCP Vault Secrets-backed dynamic credentials in a workspace requires the following steps for each cloud platform:
- If you are self-hosting HCP Terraform agents, ensure your agents use v1.16.0 or newer. To use the latest dynamic credentials features, upgrade your agents to the latest version.
- Set up dynamic provider credentials with the HCP provider: You must first configure dynamic credentials with the HCP provider.
- Configure the dynamic secrets integration: You must configure the desired Vault secrets integration in your HCP project, such as AWS or GCP.
- Configure your HCP Terraform workspace: You must add specific environment variables to your workspace to tell HCP Terraform how to authenticate to other cloud providers during runs. Each cloud platform has its own set of environment variables that are necessary to configure dynamic credentials.
- Complete the instructions for setting up HCP Vault Secrets-backed dynamic for Amazon Web Services or Google Cloud Platform.
Access to metadata endpoints
In order to verify signed JWTs, HCP must have network access to the following static OIDC metadata endpoints within HCP Terraform:
/.well-known/openid-configuration: Standard OIDC metadata./.well-known/jwks: HCP Terraform public keys that cloud platforms use to verify the authenticity of tokens that claim to come from HCP Terraform.