Terraform Cloud dynamic provider credentials now enable automated authentication for Kubernetes via EKS and GKE.
In March 2023, we announced the general availability of dynamic provider credentials in Terraform Cloud. This native support lets users authenticate to providers using short-lived, just-in-time credentials in their Terraform Cloud workflows with the Amazon Web Services (AWS), Microsoft Azure, Google Cloud, and HashiCorp Vault providers. The enhancement helps users reduce the risk of exposure from storing long-lived static credentials and avoid the burden of manual secret rotation. Today we are excited to announce the general availability of dynamic provider credentials support for Kubernetes via Amazon Elastic Kubernetes Service (EKS) and Google Kubernetes Engine (GKE).
Previously, users managing Kubernetes resources with Terraform often authenticated to clusters using long-lived, non-renewable static credentials. This approach frequently resulted in authentication failures upon expiration. Now Terraform offers Kubernetes users the ability to utilize the workload identity of Terraform Cloud integrated with the native OIDC support of EKS and GKE.
Dynamic provider credentials in Terraform Cloud eliminate the risks associated with storing long-lived credentials, removing the operational burdens of manually rotating them.
Dynamic provider credentials are based on the industry-standard OpenID Connect (OIDC) workload identity authentication flow. With today’s enhancement, Terraform Cloud now supports just-in-time authentication for the official Kubernetes and Helm providers.
Once the OIDC trust relationship has been established, Kubernetes cluster roles are mapped to Terraform workloads by the platform team, rather than providing long-lived, static credentials to be shared across the organization. When a Terraform workload is executed, Terraform Cloud will automatically handle the necessary handshake with the target cluster and inject short-lived credentials directly into the Terraform execution environment.
Dynamic provider credentials can now authenticate Kubernetes for EKS and GKE. That brings two main benefits:
Dynamic provider credentials help organizations mitigate the security risks of storing long-lived credentials and avoid the operational burdens of manually rotating them. This helps simplify Terraform Cloud setup and ensures secure authentication across cloud environments.
To learn more about dynamic provider credentials for Kubernetes, please refer to Dynamic provider credentials documentation. If you are completely new to Terraform, sign up for Terraform Cloud and get started using the Free offering today.
Improve the developer experience writing Terraform code with the help of generative AI powered by Amazon CodeWhisperer.
HashiCorp’s Terraform provider for AWS now enables users to manage their S3 Express buckets.
A new view in the HashiCorp Terraform extension for Visual Studio Code shows your Terraform Cloud workspaces and runs, reducing context-switching.