Vault Authentication
The first step of integrating Terraform with Vault is to authenticate Terraform to Vault. Terraform can authenticate to Vault using either static credentials or dynamic credentials.
The Vault provider supports authentication methods such as Userpass and TLS Certificate. Using such static credentials in your workspaces to authenticate to Vault presents a security risk even if you rotate the credentials regularly: a long-lived secret stored as a workspace variable is exposed to everyone with access to that workspace, and a leaked credential stays valid until its next rotation.
Note
HashiCorp recommends using HCP Terraform's native OpenID Connect (OIDC) integration with Vault to establish a trust relationship between a Terraform workspace and Vault. With this integration, each run presents a short-lived workload identity token to Vault instead of a stored secret. Configuring the authentication for the integration requires the following steps:
- Configure Vault: Set up a trust configuration between Vault and HCP Terraform. Then create Vault roles and policies for your HCP Terraform workspaces.
- Configure HCP Terraform: Add environment variables to the HCP Terraform workspaces where you want to use dynamic credentials.
You can set these as workspace variables, or, if you would like to share one Vault role across multiple workspaces, you can use a variable set. We recommend variable sets for managing environment variables consistently across multiple workspaces.
When you configure dynamic provider credentials with multiple provider configurations of the same type, use either a default variable or a tagged alias variable name for each provider configuration. Refer to Specifying multiple configurations for more details.
For example, consider the Terraform Organization: Vault Root Namespace mapping diagram referenced in the previous section. For the lob1-app1-compute-dev Terraform workspace to access the AWS secrets engine in the lob1 Vault namespace, the following variables must be set.
Key | Value |
---|---|
TFC_VAULT_PROVIDER_AUTH | true |
TFC_VAULT_ADDR | The address of the Vault instance to authenticate against. |
TFC_VAULT_RUN_ROLE | The name of the Vault role to authenticate against. |
TFC_VAULT_NAMESPACE | lob1 |
There are additional optional environment variables that give more fine-grained control over the specific Vault configuration for your use case, for example the audience of the workload identity token or the path at which the JWT auth method is mounted.
Note
Once you set up dynamic credentials for a workspace using a variable set, HCP Terraform automatically authenticates to Vault for each run. Do not pass the address, token, or namespace arguments into the provider configuration block. HCP Terraform sets these values as environment variables in the run environment.
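The following Terraform configuration is an added example that walks the two steps above end to end for the lob1-app1-compute-dev workspace; it is not code from the original page or from HashiCorp. It assumes an HCP Terraform organization named example-org, a project named lob1-app1, a Vault server at https://vault.example.com:8200 with an AWS secrets engine mounted at aws/ in the lob1 namespace, and an AWS secrets engine role named app1-compute-dev; all of these names are placeholders. The configuration is meant to be applied by a platform-team workspace that already has administrative access to Vault and HCP Terraform (via the vault and tfe providers), not by the application workspace it configures.

```hcl
# Vault side: a JWT auth method in the lob1 namespace that trusts the
# HCP Terraform OIDC issuer. The mount path "jwt" matches the default
# TFC_VAULT_AUTH_PATH, so that variable does not need to be set.
provider "vault" {
  namespace = "lob1" # Vault namespace mapped to this line of business (assumed)
}

resource "vault_jwt_auth_backend" "tfc" {
  path               = "jwt"
  type               = "jwt"
  oidc_discovery_url = "https://app.terraform.io"
  bound_issuer       = "https://app.terraform.io"
}

# Least-privilege policy: only the AWS secrets engine role this workspace needs.
# The aws/creds/app1-compute-dev path is an assumed example path.
resource "vault_policy" "lob1_app1_compute_dev" {
  name   = "lob1-app1-compute-dev"
  policy = <<-EOT
    path "aws/creds/app1-compute-dev" {
      capabilities = ["read"]
    }
  EOT
}

# The Vault role referenced by TFC_VAULT_RUN_ROLE. bound_claims pins the role to
# exactly one organization, project and workspace; only run_phase is a glob so
# that both plan and apply phases can authenticate.
resource "vault_jwt_auth_backend_role" "lob1_app1_compute_dev" {
  backend           = vault_jwt_auth_backend.tfc.path
  role_name         = "lob1-app1-compute-dev"
  role_type         = "jwt"
  bound_audiences   = ["vault.workload.identity"] # default TFC_VAULT_WORKLOAD_IDENTITY_AUDIENCE
  bound_claims_type = "glob"
  bound_claims = {
    sub = "organization:example-org:project:lob1-app1:workspace:lob1-app1-compute-dev:run_phase:*"
  }
  user_claim     = "terraform_full_workspace"
  token_ttl      = 1200 # 20 minutes: long enough for a run, short enough to limit exposure
  token_max_ttl  = 1800
  token_policies = [vault_policy.lob1_app1_compute_dev.name]
}

# HCP Terraform side: a variable set carrying the TFC_VAULT_* environment
# variables from the table, attached to the application workspace.
resource "tfe_variable_set" "vault_lob1" {
  name         = "vault-lob1-dynamic-credentials"
  organization = "example-org"
}

locals {
  vault_env = {
    TFC_VAULT_PROVIDER_AUTH = "true"
    TFC_VAULT_ADDR          = "https://vault.example.com:8200" # assumed Vault address
    TFC_VAULT_RUN_ROLE      = vault_jwt_auth_backend_role.lob1_app1_compute_dev.role_name
    TFC_VAULT_NAMESPACE     = "lob1"
  }
}

resource "tfe_variable" "vault_env" {
  for_each        = local.vault_env
  key             = each.key
  value           = each.value
  category        = "env"
  variable_set_id = tfe_variable_set.vault_lob1.id
}

data "tfe_workspace" "lob1_app1_compute_dev" {
  name         = "lob1-app1-compute-dev"
  organization = "example-org"
}

resource "tfe_workspace_variable_set" "vault_lob1" {
  workspace_id    = data.tfe_workspace.lob1_app1_compute_dev.id
  variable_set_id = tfe_variable_set.vault_lob1.id
}
```

Two points to check before relying on this. First, the sub claim pattern must match the workspace exactly; a pattern such as `organization:example-org:*` would let every workspace in the organization assume the role and read the AWS credentials, which defeats the per-workspace least-privilege model. Second, in the application workspace itself the provider block should be left empty (`provider "vault" {}`), because HCP Terraform injects the address, token and namespace into the run environment; any address, token or namespace argument in that block would override the injected values and break the integration.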