HashiTalks 2025 Learn about unique use cases, homelab setups, and best practices at scale at our 24-hour virtual knowledge sharing event. Register
Terraform
Terraform Home

HCP Vault Secrets-Backed Dynamic Credentials with the GCP Provider

Important: If you are self-hosting HCP Terraform agents, ensure your agents use v1.16.0 or above. To use the latest dynamic credentials features, upgrade your agents to the latest version.

You can use HCP Terraform’s native OpenID Connect integration with HCP to use HCP Vault Secrets-backed dynamic credentials with the GCP provider in your HCP Terraform runs. Configuring the integration requires the following steps:

  1. Configure HCP Provider Credentials: Set up a trust configuration between HCP Vault Secrets and HCP Terraform, create HCP Vault Secrets roles and policies for your HCP Terraform workspaces, and add environment variables to those workspaces.
  2. Configure HCP Vault Secrets: Set up your HCP project's GCP integration and dynamic secret.
  3. Configure HCP Terraform: Add additional environment variables to the HCP Terraform workspaces where you want to use HCP Vault Secrets-backed dynamic credentials.
  4. Configure Terraform Providers: Configure your Terraform providers to work with HCP Vault Secrets-backed dynamic credentials.

Once you complete this setup, HCP Terraform automatically authenticates with GCP via HCP Vault Secrets-generated credentials during the plan and apply phase of each run. The GCP provider's authentication is only valid for the length of the plan or apply phase.

Configure HCP Provider Credentials

You must first set up HCP dynamic provider credentials before you can use HCP Vault Secrets-backed dynamic credentials. This includes creating a service principal, configuring trust between HCP and HCP Terraform, and populating the required environment variables in your HCP Terraform workspace.

See the setup instructions for HCP dynamic provider credentials.

Configure HCP Vault Secrets GCP Secrets Engine

Follow the instructions in the HCP Vault Secrets documentation for setting up the GCP integration in your HCP project.

Configure HCP Terraform

Next, you need to set certain environment variables in your HCP Terraform workspace to authenticate HCP Terraform with GCP using HCP Vault Secrets-backed dynamic credentials. These variables are in addition to those you previously set while configuring HCP provider credentials. You can add these as workspace variables or as a variable set.

Required Common Environment Variables

VariableValueNotes
TFC_HVS_BACKED_GCP_AUTH
TFC_HVS_BACKED_GCP_AUTH[_TAG]
(Default variable not supported)		trueRequires v1.16.0 or later if self-managing agents. Must be present and set to true, or HCP Terraform will not attempt to authenticate with GCP.
TFC_HVS_BACKED_GCP_RUN_SECRET_RESOURCE_NAMEThe name of the HCP Vault Secrets dynamic secret resource to read.Requires v1.16.0 or later if self-managing agents. Must be present.

Optional Common Environment Variables

You may need to set these variables, depending on your use case.

VariableValueNotes
TFC_HVS_BACKED_GCP_HCP_CONFIG
TFC_HVS_BACKED_GCP_HCP_CONFIG[_TAG]
TFC_DEFAULT_HVS_BACKED_GCP_HCP_CONFIG		The name of the non-default HCP configuration for workspaces using multiple HCP configurations.Requires v1.16.0 or later if self-managing agents. Will fall back to using the default HCP Vault Secrets configuration if not provided.
TFC_HVS_BACKED_GCP_PLAN_SECRET_RESOURCE_NAMEThe name of the HCP Vault Secrets dynamic secret resource to read for the plan phase.Requires v1.16.0 or later if self-managing agents. Must be present.
TFC_HVS_BACKED_GCP_APPLY_SECRET_RESOURCE_NAMEThe name of the HCP Vault Secrets dynamic secret resource to read for the apply phase.Requires v1.16.0 or later if self-managing agents. Must be present.

Configure Terraform Providers

The final step is to directly configure your GCP and HCP Vault Secrets providers.

Configure the GCP Provider

Ensure you pass values for the project and region arguments into the provider configuration block.

Ensure you are not setting values or environment variables for GOOGLE_CREDENTIALS or GOOGLE_APPLICATION_CREDENTIALS. Otherwise, these values may interfere with dynamic provider credentials.

Specifying Multiple Configurations

Important: If you are self-hosting HCP Terraform agents, ensure your agents use v1.16.0 or above. To use the latest dynamic credentials features, upgrade your agents to the latest version.

You can add additional variables to handle multiple distinct HCP Vault Secrets-backed GCP setups, enabling you to use multiple provider aliases within the same workspace. You can configure each set of credentials independently, or use default values by configuring the variables prefixed with TFC_DEFAULT_.

For more details, see Specifying Multiple Configurations.

Required Terraform Variable

To use additional configurations, add the following code to your Terraform configuration. This lets HCP Terraform supply variable values that you can then use to map authentication and configuration details to the correct provider blocks.

variable "tfc_hvs_backed_gcp_dynamic_credentials" {
  description = "Object containing HCP Vault Secrets-backed GCP dynamic credentials configuration"
  type = object({
    default = object({
      credentials = string
      access_token = string
    })
    aliases = map(object({
      credentials = string
      access_token = string
    }))
  })
}

Example Usage

Access Token
provider "google" {
  access_token = var.tfc_hvs_backed_gcp_dynamic_credentials.default.access_token
}

provider "google" {
  alias = "ALIAS1"
  access_token = var.tfc_hvs_backed_gcp_dynamic_credentials.aliases["ALIAS1"].access_token
}
Credentials
provider "google" {
  credentials = var.tfc_hvs_backed_gcp_dynamic_credentials.default.credentials
}

provider "google" {
  alias = "ALIAS1"
  credentials = var.tfc_hvs_backed_gcp_dynamic_credentials.aliases["ALIAS1"].credentials
}