HashiTalks 2025 Learn about unique use cases, homelab setups, and best practices at scale at our 24-hour virtual knowledge sharing event. Register
Terraform
Terraform Home

HCP Vault Secrets-Backed Dynamic Credentials with the AWS Provider

Important: If you are self-hosting HCP Terraform agents, ensure your agents use v1.16.0 or above. To use the latest dynamic credentials features, upgrade your agents to the latest version.

You can use HCP Terraform’s native OpenID Connect integration with HCP to use HCP Vault Secrets-backed dynamic credentials with the AWS provider in your HCP Terraform runs. Configuring the integration requires the following steps:

  1. Configure HCP Provider Credentials: Set up a trust configuration between HCP Vault Secrets and HCP Terraform, create HCP roles and policies for your HCP Terraform workspaces, and add environment variables to those workspaces.
  2. Configure HCP Vault Secrets: Set up your HCP project's AWS integration and dynamic secret.
  3. Configure HCP Terraform: Add additional environment variables to the HCP Terraform workspaces where you want to use HCP Vault Secrets-backed dynamic credentials.
  4. Configure Terraform Providers: Configure your Terraform providers to work with HCP Vault Secrets-backed dynamic credentials.

Once you complete this setup, HCP Terraform automatically authenticates with AWS via HCP Vault Secrets-generated credentials during the plan and apply phase of each run. The AWS provider's authentication is only valid for the length of the plan or apply phase.

Configure HCP Provider Credentials

You must first set up HCP dynamic provider credentials before you can use HCP Vault Secrets-backed dynamic credentials. This includes creating a service principal, configuring trust between HCP and HCP Terraform, and populating the required environment variables in your HCP Terraform workspace.

See the setup instructions for HCP dynamic provider credentials.

Configure HCP Vault Secrets AWS Secrets Engine

Follow the instructions in the HCP Vault Secrets documentation for setting up the AWS integration in your HCP project.

Configure HCP Terraform

Next, you need to set certain environment variables in your HCP Terraform workspace to authenticate HCP Terraform with AWS using HCP Vault Secrets-backed dynamic credentials. These variables are in addition to those you previously set while configuring HCP provider credentials. You can add these as workspace variables or as a variable set.

Required Environment Variables

VariableValueNotes
TFC_HVS_BACKED_AWS_AUTH
TFC_HVS_BACKED_AWS_AUTH[_TAG]
(Default variable not supported)		trueRequires v1.16.0 or later if self-managing agents. Must be present and set to true, or HCP Terraform will not attempt to authenticate with AWS.
TFC_HVS_BACKED_AWS_RUN_SECRET_RESOURCE_NAMEThe name of the HCP Vault Secrets dynamic secret resource to read.Requires v1.16.0 or later if self-managing agents. Must be present.

Optional Environment Variables

You may need to set these variables, depending on your use case.

VariableValueNotes
TFC_HVS_BACKED_AWS_HCP_CONFIG
TFC_HVS_BACKED_AWS_HCP_CONFIG[_TAG]
TFC_DEFAULT_HVS_BACKED_AWS_HCP_CONFIG		The name of the non-default HCP configuration for workspaces using multiple HCP configurations.Requires v1.16.0 or later if self-managing agents. Will fall back to using the default HCP Vault Secrets configuration if not provided.
TFC_HVS_BACKED_AWS_PLAN_SECRET_RESOURCE_NAMEThe name of the HCP Vault Secrets dynamic secret resource to read for the plan phase.Requires v1.16.0 or later if self-managing agents. Must be present.
TFC_HVS_BACKED_AWS_APPLY_SECRET_RESOURCE_NAMEThe name of the HCP Vault Secrets dynamic secret resource to read for the apply phase.Requires v1.16.0 or later if self-managing agents. Must be present.

Configure Terraform Providers

The final step is to directly configure your AWS and HCP Vault Secrets providers.

Configure the AWS Provider

Ensure you pass a value for the region argument in your AWS provider configuration block or set the AWS_REGION variable in your workspace.

Ensure you are not using any of the arguments or methods mentioned in the authentication and configuration section of the provider documentation. Otherwise, these settings may interfere with dynamic provider credentials.

Specifying Multiple Configurations

Important: If you are self-hosting HCP Terraform agents, ensure your agents use v1.16.0 or above. To use the latest dynamic credentials features, upgrade your agents to the latest version.

You can add additional variables to handle multiple distinct HCP Vault Secrets-backed AWS setups, enabling you to use multiple provider aliases within the same workspace. You can configure each set of credentials independently, or use default values by configuring the variables prefixed with TFC_DEFAULT_.

For more details, see Specifying Multiple Configurations.

Required Terraform Variable

To use additional configurations, add the following code to your Terraform configuration. This lets HCP Terraform supply variable values that you can then use to map authentication and configuration details to the correct provider blocks.

variable "tfc_hvs_backed_aws_dynamic_credentials" {
  description = "Object containing HCP Vault Secrets-backed AWS dynamic credentials configuration"
  type = object({
    default = object({
      shared_credentials_file = string
    })
    aliases = map(object({
      shared_credentials_file = string
    }))
  })
}

Example Usage

provider "aws" {
  shared_credentials_files = [var.tfc_hvs_backed_aws_dynamic_credentials.default.shared_credentials_file]
}

provider "aws" {
  alias = "ALIAS1"
  shared_credentials_files = [var.tfc_hvs_backed_aws_dynamic_credentials.aliases["ALIAS1"].shared_credentials_file]
}