Vault-Backed Dynamic Credentials with the AWS Provider
Important: If you are self-hosting HCP Terraform agents, ensure your agents use v1.8.0 or above. To use the latest dynamic credentials features, upgrade your agents to the latest version.
You can use HCP Terraform’s native OpenID Connect integration with Vault to use Vault-backed dynamic credentials with the AWS provider in your HCP Terraform runs. Configuring the integration requires the following steps:
- Configure Vault Dynamic Provider Credentials: Set up a trust configuration between Vault and HCP Terraform, create Vault roles and policies for your HCP Terraform workspaces, and add environment variables to those workspaces.
- Configure the Vault AWS Secrets Engine: Set up the AWS secrets engine in your Vault instance.
- Configure HCP Terraform: Add additional environment variables to the HCP Terraform workspaces where you want to use Vault-Backed Dynamic Credentials.
- Configure Terraform Providers: Configure your Terraform providers to work with Vault-backed dynamic credentials.
Once you complete this setup, HCP Terraform automatically authenticates with AWS via Vault-generated credentials during the plan and apply phase of each run. The AWS provider's authentication is only valid for the length of the plan or apply phase.
Configure Vault Dynamic Provider Credentials
You must first set up Vault dynamic provider credentials before you can use Vault-backed dynamic credentials. This includes setting up the JWT auth backend in Vault, configuring trust between HCP Terraform and Vault, and populating the required environment variables in your HCP Terraform workspace.
See the setup instructions for Vault dynamic provider credentials.
Configure Vault AWS Secrets Engine
Follow the instructions in the Vault documentation for setting up the AWS secrets engine in your Vault instance. You can also do this configuration through Terraform. Refer to our example Terraform configuration.
Important: carefully consider the limitations and differences between each supported credential type in the AWS secrets engine. These limitations carry over to HCP Terraform’s usage of these credentials for authenticating the AWS provider.
Configure HCP Terraform
Next, you need to set certain environment variables in your HCP Terraform workspace to authenticate HCP Terraform with AWS using Vault-backed dynamic credentials. These variables are in addition to those you previously set while configuring Vault dynamic provider credentials. You can add these as workspace variables or as a variable set.
Common Environment Variables
The below variables apply to all AWS auth types.
Required Common Environment Variables
Variable | Value | Notes |
---|---|---|
TFC_VAULT_BACKED_AWS_AUTH | true | Requires v1.8.0 or later if self-managing agents. Must be present and set to true , or HCP Terraform will not attempt to authenticate with AWS. |
TFC_VAULT_BACKED_AWS_AUTH_TYPE | Specifies the type of authentication to perform with AWS. Must be one of the following: iam_user , assumed_role , or federation_token . | Requires v1.8.0 or later if self-managing agents. |
TFC_VAULT_BACKED_AWS_RUN_VAULT_ROLE | The role to use in Vault. | Requires v1.8.0 or later if self-managing agents. Optional if TFC_VAULT_BACKED_AWS_PLAN_VAULT_ROLE and TFC_VAULT_BACKED_AWS_APPLY_VAULT_ROLE are both provided. These variables are described below. |
Optional Common Environment Variables
You may need to set these variables, depending on your use case.
Variable | Value | Notes |
---|---|---|
TFC_VAULT_BACKED_AWS_MOUNT_PATH | The mount path of the AWS secrets engine in Vault. | Requires v1.8.0 or later if self-managing agents. Defaults to aws . |
TFC_VAULT_BACKED_AWS_PLAN_VAULT_ROLE | The Vault role to use the plan phase of a run. | Requires v1.8.0 or later if self-managing agents. Will fall back to the value of TFC_VAULT_BACKED_AWS_RUN_VAULT_ROLE if not provided. |
TFC_VAULT_BACKED_AWS_APPLY_VAULT_ROLE | The Vault role to use for the apply phase of a run. | Requires v1.8.0 or later if self-managing agents. Will fall back to the value of TFC_VAULT_BACKED_AWS_RUN_VAULT_ROLE if not provided. |
TFC_VAULT_BACKED_AWS_SLEEP_SECONDS | The amount of time to wait, in seconds, after obtaining temporary credentials from Vault. e.g., 30 for 30 seconds. Must be 1500 seconds (25 minutes) or less. | Requires v1.12.0 or later if self-managing agents. Can be used to mitigate eventual consistency issues in AWS when using the iam_user auth type. |
TFC_VAULT_BACKED_AWS_VAULT_CONFIG | The name of the non-default Vault configuration for workspaces using multiple Vault configurations. | Requires v1.12.0 or later if self-managing agents. Will fall back to using the default Vault configuration if not provided. |
Assumed Role Specific Environment Variables
These environment variables are only valid if the TFC_VAULT_BACKED_AWS_AUTH_TYPE
is assumed_role
.
Required Assumed Role Specific Environment Variables
Variable | Value | Notes |
---|---|---|
TFC_VAULT_BACKED_AWS_RUN_ROLE_ARN | The ARN of the role to assume in AWS. | Requires v1.8.0 or later if self-managing agents. Optional if TFC_VAULT_BACKED_AWS_PLAN_ROLE_ARN and TFC_VAULT_BACKED_AWS_APPLY_ROLE_ARN are both provided. These variables are described below. |
Optional Assumed Role Specific Environment Variables
You may need to set these variables, depending on your use case.
Variable | Value | Notes |
---|---|---|
TFC_VAULT_BACKED_AWS_PLAN_ROLE_ARN | The ARN of the role to use for the plan phase of a run. | Requires v1.8.0 or later if self-managing agents. Will fall back to the value of TFC_VAULT_BACKED_AWS_RUN_ROLE_ARN if not provided. |
TFC_VAULT_BACKED_AWS_APPLY_ROLE_ARN | The ARN of the role to use for the apply phase of a run. | Requires v1.8.0 or later if self-managing agents. Will fall back to the value of TFC_VAULT_BACKED_AWS_RUN_ROLE_ARN if not provided. |
Configure Terraform Providers
The final step is to directly configure your AWS and Vault providers.
Configure the AWS Provider
Ensure you pass a value for the region
argument in your AWS provider configuration block or set the AWS_REGION
variable in your workspace.
Ensure you are not using any of the arguments or methods mentioned in the authentication and configuration section of the provider documentation. Otherwise, these settings may interfere with dynamic provider credentials.
Configure the Vault Provider
If you were previously using the Vault provider to authenticate the AWS provider, remove any existing usage of the AWS secrets engine from your Terraform Code.
This includes the vault_aws_access_credentials
data source and any instances of vault_generic_secret
you previously used to generate AWS credentials.
Specifying Multiple Configurations
Important: If you are self-hosting HCP Terraform agents, ensure your agents use v1.12.0 or above. To use the latest dynamic credentials features, upgrade your agents to the latest version.
You can add additional configurations to handle multiple distinct Vault-backed AWS setups, enabling you to use multiple provider aliases within the same workspace.
For more details, see Specifying Multiple Configurations.
Required Terraform Variable
To use additional configurations, add the following code to your Terraform configuration. This lets HCP Terraform supply variable values that you can then use to map authentication and configuration details to the correct provider blocks.
variable "tfc_vault_backed_aws_dynamic_credentials" { description = "Object containing Vault-backed AWS dynamic credentials configuration" type = object({ default = object({ shared_credentials_file = string }) aliases = map(object({ shared_credentials_file = string })) })}
Example Usage
provider "aws" { shared_credentials_files = [var.tfc_vault_backed_aws_dynamic_credentials.default.shared_credentials_file]} provider "aws" { alias = "ALIAS1" shared_credentials_files = [var.tfc_vault_backed_aws_dynamic_credentials.aliases["ALIAS1"].shared_credentials_file]}