
Simplifying Terraform dynamic credentials on AWS with native OIDC integration

AWS AFT now supports native OIDC, simplifying implementation, reducing operational complexity, and strengthening secure, identity-based access with dynamic credentials.

Since we last shared news on using Terraform in AWS AFT, AWS has introduced native OpenID Connect (OIDC) integration for HCP Terraform and Terraform Enterprise within Account Factory for Terraform (AFT). This significantly simplifies how dynamic provider credentials are configured and managed.

With this capability enabled (terraform_oidc_integration = true in the AFT configuration), AFT establishes the trust relationship between the AWS account and the Terraform workspaces itself: it creates the OIDC identity provider, the IAM roles and their trust policies, and the workspace environment variables that previously had to be configured by hand, while keeping the same security model of short-lived, dynamically generated credentials.

Previously, implementing dynamic provider credentials required multiple manual steps across AWS IAM and HCP Terraform: registering the HCP Terraform OIDC provider in IAM, writing an IAM role trust policy that lets that provider assume the role at runtime, and setting the workspace variables that tell the AWS provider which role to use. While effective, each step was operational overhead and a place to get it wrong; a trust policy whose conditions are scoped too loosely, for instance, lets workspaces other than the intended one assume the role. With native integration, these steps are absorbed into the AFT workflow itself, aligning credential management with the broader account provisioning lifecycle. Platform teams can standardize secure infrastructure provisioning across accounts without additional setup or tooling.
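To make concrete what AFT now generates for you, here is the trust relationship in working form. This is an added example, not code from the post or from the AFT module: it builds the IAM role trust policy a platform team used to write by hand for HCP Terraform dynamic credentials on AWS, evaluates a token's claims against it the way STS would, and flags the subject wildcards that turn a per-workspace trust into an open door. The issuer hostname, audience and subject layout are the ones HashiCorp documents for dynamic provider credentials; the account ID and the org, project and workspace names are constructed placeholders.

```python
"""HCP Terraform -> AWS IAM role trust policy: builder, evaluator and linter.

Added example, not the post's or AFT's own code. Account ID and org/project/
workspace names below are constructed placeholders.
"""
import json
import re

# Issuer hostname, default audience and subject layout documented by HashiCorp
# for HCP Terraform dynamic provider credentials on AWS. Terraform Enterprise
# uses its own hostname in place of app.terraform.io.
TFC_HOSTNAME = "app.terraform.io"
TFC_AUDIENCE = "aws.workload.identity"
SUBJECT_SEGMENTS = ("organization", "project", "workspace", "run_phase")


def tfc_subject(org, project, workspace, run_phase="*"):
    """Subject claim pattern of the workload identity token for one workspace."""
    return (f"organization:{org}:project:{project}:"
            f"workspace:{workspace}:run_phase:{run_phase}")


def build_trust_policy(account_id, org, project, workspace, run_phase="*",
                       hostname=TFC_HOSTNAME, audience=TFC_AUDIENCE):
    """IAM role trust policy that lets exactly one workspace assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{hostname}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                # audience is matched exactly; the subject keeps run_phase as a wildcard
                "StringEquals": {f"{hostname}:aud": audience},
                "StringLike": {
                    f"{hostname}:sub": tfc_subject(org, project, workspace, run_phase)
                },
            },
        }],
    }


def iam_string_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' one; nothing else is special."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def assume_role_allowed(policy, claims):
    """Evaluate each Allow statement's Condition block against decoded token claims.

    Signature and issuer checks are assumed to have passed already, as STS
    performs them before conditions are evaluated.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        satisfied = True
        for operator, pairs in stmt.get("Condition", {}).items():
            for cond_key, expected in pairs.items():
                actual = claims.get(cond_key.rsplit(":", 1)[1])  # "host:sub" -> claim "sub"
                if actual is None:
                    satisfied = False
                elif operator == "StringEquals":
                    satisfied = actual == expected
                elif operator == "StringLike":
                    satisfied = iam_string_like(expected, actual)
                else:
                    raise ValueError(f"unsupported condition operator: {operator}")
                if not satisfied:
                    break
            if not satisfied:
                break
        if satisfied:
            return True
    return False


def wildcarded_subject_segments(policy, hostname=TFC_HOSTNAME):
    """Subject segments the trust policy leaves open to any value.

    A wildcard in 'organization' means any HCP Terraform customer can assume the
    role. A missing or non-workspace-shaped subject condition counts as all open.
    """
    loose = set()
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {})
        patterns = (cond.get("StringLike", {}).get(f"{hostname}:sub")
                    or cond.get("StringEquals", {}).get(f"{hostname}:sub"))
        if patterns is None:
            return set(SUBJECT_SEGMENTS)
        for pattern in [patterns] if isinstance(patterns, str) else patterns:
            parts = pattern.split(":")
            if len(parts) != 8 or tuple(parts[0::2]) != SUBJECT_SEGMENTS:
                return set(SUBJECT_SEGMENTS)
            loose.update(name for name, value in zip(SUBJECT_SEGMENTS, parts[1::2])
                         if "*" in value or "?" in value)
    return loose


if __name__ == "__main__":
    policy = build_trust_policy("123456789012", "acme", "platform", "prod-network")
    print(json.dumps(policy, indent=2))
    # Constructed claims, as HCP Terraform would present them for an apply in that workspace.
    apply_token = {"iss": f"https://{TFC_HOSTNAME}", "aud": TFC_AUDIENCE,
                   "sub": tfc_subject("acme", "platform", "prod-network", "apply")}
    print(assume_role_allowed(policy, apply_token))   # True
    print(wildcarded_subject_segments(policy))        # {'run_phase'}
```

The run_phase wildcard is the only one a per-workspace policy should carry; if wildcarded_subject_segments reports organization or project, a token minted for a workspace you do not own satisfies the same condition, which is exactly the class of hand-written mistake the native integration removes.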

Importantly, the architectural model described in this post remains valid. Organizations should still separate infrastructure and application concerns, apply governance through AFT customizations, and use HCP Terraform (formerly Terraform Cloud) to manage application-level resources. Only the path to implementing secure authentication has become significantly shorter.

This evolution reflects a broader shift toward zero-standing-credential architectures, where infrastructure automation relies on identity-based, short-lived access rather than static secrets — improving both security posture and operational scalability.

Before vs. Now: Dynamic credentials with AFT

Capability                  | Before (manual setup)                  | Now (native OIDC integration)
OIDC provider setup         | Manually configured in AWS IAM         | Automatically configured by AFT
IAM roles & trust policies  | Custom-defined per workspace           | Automatically generated and managed
Credential management       | Requires secrets or configuration      | No stored credentials required
Terraform workspace setup   | Manual environment variables required  | Pre-configured via AFT
Operational complexity      | Higher (multi-step setup)              | Lower (enabled via configuration flag)
Security model              | Short-lived credentials (dynamic)      | Same model, enforced by default
Scalability across accounts | Requires repeat setup                  | Automatically applied to all new accounts

As you evaluate or evolve your AFT implementation, consider enabling native OIDC integration to simplify credential management and reduce operational overhead.

To get started, review the latest release details and configuration guidance.
