HashiCorp Developer AI Private beta now available Sign up today
Terraform
Terraform Home

You are viewing documentation for version v202407-1. View latest version.

Vault-Backed Dynamic Credentials with the AWS Provider

Important: If you are self-hosting HCP Terraform agents, ensure your agents use v1.8.0 or above. To use the latest dynamic credentials features, upgrade your agents to the latest version.

You can use HCP Terraform’s native OpenID Connect integration with Vault to use Vault-backed dynamic credentials with the AWS provider in your HCP Terraform runs. Configuring the integration requires the following steps:

  1. Configure Vault Dynamic Provider Credentials: Set up a trust configuration between Vault and HCP Terraform, create Vault roles and policies for your HCP Terraform workspaces, and add environment variables to those workspaces.
  2. Configure the Vault AWS Secrets Engine: Set up the AWS secrets engine in your Vault instance.
  3. Configure HCP Terraform: Add additional environment variables to the HCP Terraform workspaces where you want to use Vault-Backed Dynamic Credentials.
  4. Configure Terraform Providers: Configure your Terraform providers to work with Vault-backed dynamic credentials.

Once you complete this setup, HCP Terraform automatically authenticates with AWS via Vault-generated credentials during the plan and apply phase of each run. The AWS provider's authentication is only valid for the length of the plan or apply phase.

Configure Vault Dynamic Provider Credentials

You must first set up Vault dynamic provider credentials before you can use Vault-backed dynamic credentials. This includes setting up the JWT auth backend in Vault, configuring trust between HCP Terraform and Vault, and populating the required environment variables in your HCP Terraform workspace.

See the setup instructions for Vault dynamic provider credentials.

Configure Vault AWS Secrets Engine

Follow the instructions in the Vault documentation for setting up the AWS secrets engine in your Vault instance. You can also do this configuration through Terraform. Refer to our example Terraform configuration.

Important: carefully consider the limitations and differences between each supported credential type in the AWS secrets engine. These limitations carry over to HCP Terraform’s usage of these credentials for authenticating the AWS provider.

Configure HCP Terraform

Next, you need to set certain environment variables in your HCP Terraform workspace to authenticate HCP Terraform with AWS using Vault-backed dynamic credentials. These variables are in addition to those you previously set while configuring Vault dynamic provider credentials. You can add these as workspace variables or as a variable set.

Common Environment Variables

The below variables apply to all AWS auth types.

Required Common Environment Variables

VariableValueNotes
TFC_VAULT_BACKED_AWS_AUTHtrueRequires v1.8.0 or later if self-managing agents. Must be present and set to true, or HCP Terraform will not attempt to authenticate with AWS.
TFC_VAULT_BACKED_AWS_AUTH_TYPESpecifies the type of authentication to perform with AWS. Must be one of the following: iam_user, assumed_role, or federation_token.Requires v1.8.0 or later if self-managing agents.
TFC_VAULT_BACKED_AWS_RUN_VAULT_ROLEThe role to use in Vault.Requires v1.8.0 or later if self-managing agents. Optional if TFC_VAULT_BACKED_AWS_PLAN_VAULT_ROLE and TFC_VAULT_BACKED_AWS_APPLY_VAULT_ROLE are both provided. These variables are described below.

Optional Common Environment Variables

You may need to set these variables, depending on your use case.

VariableValueNotes
TFC_VAULT_BACKED_AWS_MOUNT_PATHThe mount path of the AWS secrets engine in Vault.Requires v1.8.0 or later if self-managing agents. Defaults to aws.
TFC_VAULT_BACKED_AWS_PLAN_VAULT_ROLEThe Vault role to use the plan phase of a run.Requires v1.8.0 or later if self-managing agents. Will fall back to the value of TFC_VAULT_BACKED_AWS_RUN_VAULT_ROLE if not provided.
TFC_VAULT_BACKED_AWS_APPLY_VAULT_ROLEThe Vault role to use for the apply phase of a run.Requires v1.8.0 or later if self-managing agents. Will fall back to the value of TFC_VAULT_BACKED_AWS_RUN_VAULT_ROLE if not provided.
TFC_VAULT_BACKED_AWS_SLEEP_SECONDSThe amount of time to wait, in seconds, after obtaining temporary credentials from Vault. e.g., 30 for 30 seconds. Must be 1500 seconds (25 minutes) or less.Requires v1.12.0 or later if self-managing agents. Can be used to mitigate eventual consistency issues in AWS when using the iam_user auth type.
TFC_VAULT_BACKED_AWS_VAULT_CONFIGThe name of the non-default Vault configuration for workspaces using multiple Vault configurations.Requires v1.12.0 or later if self-managing agents. Will fall back to using the default Vault configuration if not provided.

Assumed Role Specific Environment Variables

These environment variables are only valid if the TFC_VAULT_BACKED_AWS_AUTH_TYPE is assumed_role.

Required Assumed Role Specific Environment Variables

VariableValueNotes
TFC_VAULT_BACKED_AWS_RUN_ROLE_ARNThe ARN of the role to assume in AWS.Requires v1.8.0 or later if self-managing agents. Optional if TFC_VAULT_BACKED_AWS_PLAN_ROLE_ARN and TFC_VAULT_BACKED_AWS_APPLY_ROLE_ARN are both provided. These variables are described below.

Optional Assumed Role Specific Environment Variables

You may need to set these variables, depending on your use case.

VariableValueNotes
TFC_VAULT_BACKED_AWS_PLAN_ROLE_ARNThe ARN of the role to use for the plan phase of a run.Requires v1.8.0 or later if self-managing agents. Will fall back to the value of TFC_VAULT_BACKED_AWS_RUN_ROLE_ARN if not provided.
TFC_VAULT_BACKED_AWS_APPLY_ROLE_ARNThe ARN of the role to use for the apply phase of a run.Requires v1.8.0 or later if self-managing agents. Will fall back to the value of TFC_VAULT_BACKED_AWS_RUN_ROLE_ARN if not provided.

Configure Terraform Providers

The final step is to directly configure your AWS and Vault providers.

Configure the AWS Provider

Ensure you pass a value for the region argument in your AWS provider configuration block or set the AWS_REGION variable in your workspace.

Ensure you are not using any of the arguments or methods mentioned in the authentication and configuration section of the provider documentation. Otherwise, these settings may interfere with dynamic provider credentials.

Configure the Vault Provider

If you were previously using the Vault provider to authenticate the AWS provider, remove any existing usage of the AWS secrets engine from your Terraform Code. This includes the vault_aws_access_credentials data source and any instances of vault_generic_secret you previously used to generate AWS credentials.

Specifying Multiple Configurations

Important: If you are self-hosting HCP Terraform agents, ensure your agents use v1.12.0 or above. To use the latest dynamic credentials features, upgrade your agents to the latest version.

You can add additional configurations to handle multiple distinct Vault-backed AWS setups, enabling you to use multiple provider aliases within the same workspace.

For more details, see Specifying Multiple Configurations.

Required Terraform Variable

To use additional configurations, add the following code to your Terraform configuration. This lets HCP Terraform supply variable values that you can then use to map authentication and configuration details to the correct provider blocks.

variable "tfc_vault_backed_aws_dynamic_credentials" {
  description = "Object containing Vault-backed AWS dynamic credentials configuration"
  type = object({
    default = object({
      shared_credentials_file = string
    })
    aliases = map(object({
      shared_credentials_file = string
    }))
  })
}

Example Usage

provider "aws" {
  shared_credentials_files = [var.tfc_vault_backed_aws_dynamic_credentials.default.shared_credentials_file]
}

provider "aws" {
  alias = "ALIAS1"
  shared_credentials_files = [var.tfc_vault_backed_aws_dynamic_credentials.aliases["ALIAS1"].shared_credentials_file]
}