Dynamic provider credentials now generally available for Terraform Cloud
Terraform’s dynamic provider credentials enable secure, short-lived authentication for HashiCorp Vault and cloud providers.
We are excited to announce the general availability of dynamic provider credentials, an authentication model for Terraform Cloud that’s also coming soon to Terraform Enterprise. Initially launched as a public beta in January, dynamic provider credentials help users create short-lived, just-in-time (JIT) credentials for HashiCorp Vault and the official Terraform providers for the major cloud vendors (Amazon Web Services, Microsoft Azure, and Google Cloud). This post reviews the details and benefits of this powerful new authentication method.
» Limitations of static credentials
Previously, Terraform Cloud and Enterprise users commonly relied on static credentials to authenticate with Vault and cloud providers. However, this practice posed both operational and security obstacles. Managing these static, long-lived credentials did not scale well without tedious, manual intervention. Users set credentials as workspace variables or variable sets in Terraform, adding complexity to their authentication process. Manually storing static credentials also introduced security vulnerabilities, even if the credentials were rotated regularly.
» Dynamic provider credentials
Dynamic provider credentials are temporary, time-bound, and unique to each Terraform workload. They are generated on demand, as opposed to static credentials, which are defined ahead of time and shared. Dynamic credentials do not require manual rotation or revocation when they are no longer needed.
» Standards-based
Dynamic provider credentials leverage workload identity and an implementation of the OpenID Connect (OIDC) standard. Organizations first configure Terraform Cloud as a trusted identity provider with their cloud platform or Vault. Terraform Cloud then generates a signed identity token for every workload, which is exchanged for temporary, short-lived credentials that are injected into the run environment. For the supported providers this exchange happens automatically once a few environment variables are added to the workspace.
» Vault and cloud providers
The Vault provider allows users to configure Vault authentication methods, roles, and policies, and to write and access static secrets for workloads in Terraform. Administrators now have a simple and secure way to authenticate a Terraform workspace to Vault without manually rotating credentials or exposing them as workspace variables.
Terraform Cloud dynamic provider credentials natively integrate with the Amazon Web Services (AWS), Microsoft Azure, and Google Cloud providers. Once an OIDC trust relationship is established, cloud admins scope roles with permissions appropriate to each workload. This eliminates the need for long-term API access keys or service principals and ensures that each Terraform Cloud run receives only the permissions it needs.
» Key benefits
Simplify processes: Managing long-lived credentials requires custom solutions and processes typically taken on by the cloud platform team. Dynamic provider credentials simplify these processes by retrieving credentials on the fly, helping teams avoid the burden of manual secrets rotation.
Reduce risk: Storing long-lived static credentials presents severe security risks, as cloud credentials are highly sensitive and can grant powerful privileges. Using temporary, short-lived credentials removes the need to store long-lived secrets in Terraform Cloud and significantly limits the impact of accidental credential exposure and reuse.
Permissions control: Dynamic provider credentials provide platform teams with more granular permissions control, allowing them to scope privileges down to specific Terraform operations based on the run phase, workspace, project, or organization. This control helps keep permissions tightly scoped and enables the least privilege principle.
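The OIDC trust relationship and the permission scoping described above, as an added example for the AWS integration that is not code from the post or from HashiCorp's setup examples repo. It assumes the default Terraform Cloud hostname and audience, and the organization, project, workspace and role names are placeholders; the trust policy's `sub` condition is what restricts the role to one workspace, and the `run_phase:*` suffix could be narrowed to `run_phase:apply` for a role that plans should never assume.

```hcl
# Added example (not from the post). Creates the OIDC trust in AWS for
# Terraform Cloud workload identity and a role that only one workspace
# can assume. Placeholder names: my-org / platform / prod-network.

variable "tfc_hostname" {
  default = "app.terraform.io" # assumed: default Terraform Cloud host
}

# Fetch the TLS certificate chain so the provider thumbprint is not hard-coded.
data "tls_certificate" "tfc" {
  url = "https://${var.tfc_hostname}"
}

resource "aws_iam_openid_connect_provider" "tfc" {
  url             = "https://${var.tfc_hostname}"
  client_id_list  = ["aws.workload.identity"] # default audience for AWS
  thumbprint_list = [data.tls_certificate.tfc.certificates[0].sha1_fingerprint]
}

data "aws_iam_policy_document" "tfc_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.tfc.arn]
    }
    # Reject tokens minted for any other audience.
    condition {
      test     = "StringEquals"
      variable = "${var.tfc_hostname}:aud"
      values   = ["aws.workload.identity"]
    }
    # Scope to one organization, project and workspace; narrow the
    # trailing wildcard to run_phase:apply for an apply-only role.
    condition {
      test     = "StringLike"
      variable = "${var.tfc_hostname}:sub"
      values   = ["organization:my-org:project:platform:workspace:prod-network:run_phase:*"]
    }
  }
}

resource "aws_iam_role" "tfc_prod_network" {
  name               = "tfc-prod-network" # placeholder role name
  assume_role_policy = data.aws_iam_policy_document.tfc_trust.json
  # Attach only the permissions this workspace's resources need.
}
```

With the trust in place, the workspace is switched over by setting the environment variables `TFC_AWS_PROVIDER_AUTH=true` and `TFC_AWS_RUN_ROLE_ARN` (the role ARN above) on the workspace or a variable set, after which the static AWS keys can be deleted.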
» Getting started
To learn more about dynamic provider credentials, check out the documentation and tutorials. Sample code for all four integrations can be found in the setup examples repo on GitHub.
Get started with Terraform Cloud for free to begin provisioning and managing your infrastructure in any environment. And try HCP Vault, the easiest way to get started with Vault. Link your Terraform Cloud and HashiCorp Cloud Platform accounts together for a seamless sign-in experience.