Terraform Cloud now supports multiple configurations for dynamic provider credentials
Create multiple configurations with unique dynamic credentials for the same provider within a single Terraform Cloud workspace.
Earlier this year, we built upon the workload identity functionality in HashiCorp Terraform Cloud by adding a new authentication method, dynamic provider credentials, for the major cloud providers, the HashiCorp Vault provider, and Vault’s dynamic secrets engines. This native support lets users authenticate to providers using short-lived, just-in-time credentials in their Terraform Cloud workflows. The enhancement helps users reduce the risk of exposure from storing long-lived static credentials and avoid the burden of manual secret rotation.
Terraform offers users the ability to define multiple configurations for the same provider on a per-resource or per-module basis with aliases. However, with the previous dynamic provider credentials releases, users could configure only one set of credentials per provider and workspace. This limitation hindered users who had multiple aliases for the same provider, as they couldn't fully embrace the benefits of the new authentication functionality.
» Introducing multiple configurations
Multiple configurations for dynamic provider credentials address this problem by allowing users to authenticate multiple aliases of the same provider within a single workspace when provisioning infrastructure. This can be especially useful when provisioning across multiple regions and accounts, or targeting multiple clusters within the same provider.
Users can now configure workspaces with additional environment variables for a provider alias to authenticate with dynamic provider credentials. This allows them to:
- Use dynamic provider credentials to uniquely authenticate multiple aliases of the same provider in a workspace
- Configure separate cloud provider aliases with different roles/permissions in different accounts or regions
» Summary and resources
Dynamic credential management plays a key part in ensuring a secure provisioning workflow with Terraform and the providers it interacts with. To learn more about multiple configurations for dynamic provider credentials and how Terraform can help ensure security best practices in your provisioning workflows, please refer to the Specifying multiple configurations page in the dynamic provider credentials documentation.Environment variables assigned to a workspace enable dynamic provider credentials for multiple instances of the AWS provider with unique roles.
Sign up for the latest HashiCorp news
More blog posts like this one
HCP Terraform adds run queue visibility and new ephemeral workspace features
HCP Terraform and Terraform Enterprise gain new features related to ephemeral workspaces along with run queue visibility for HCP Terraform specifically.
Automate AWS deployments with HCP Terraform and GitHub Actions
Learn how to use GitHub Actions to automate HCP Terraform operations.
Access AWS from HCP Terraform with OIDC federation
Securely access AWS from HCP Terraform using OIDC federation, eliminating the need to use access keys.