Specifying Multiple Configurations
Important: If you are self-hosting Terraform Cloud Agents, ensure your agents use v1.12.0 or above. To use the latest dynamic credentials features, upgrade your agents to the latest version.
You can create multiple dynamic credential configurations of the same provider in a workspace.
Each configuration generates a distinct workload identity token, allowing you to create aliases for different provider configurations within the same workspace. You can specify unique audience values per configuration, and manually generate multiple tokens.
Specifying multiple dynamic credential configurations in Terraform Cloud builds on the existing method of providing each provider's environment variables to a workspace. The process requires mapping well-known authentication input variables to the correct providers.
Configure Terraform Cloud
You can specify additional dynamic credentials configurations by defining and appending a “tag” to the end of your existing required environment variables: [DYNAMIC_CREDENTIALS_VAR_NAME]_[YOUR_TAG]
.
Your tag can only contain letters, numbers, and underscores and can not use reserved keywords. The following keywords are reserved: TYPE
.
Example
Using Vault's dynamic credentials setup as an example, we can create additional configurations by setting new tagged variables that match Vault's required environment variables. So, if you want to add a configuration with the tag ALIAS1
, you must set environment variables for TFC_VAULT_PROVIDER_AUTH_ALIAS1
, TFC_VAULT_ADDR_ALIAS1
, and TFC_VAULT_RUN_ROLE_ALIAS1
.
Configure Terraform Code
Each supported provider has input variables you must declare in your Terraform code to use dynamic credentials with that provider. Each dynamic provider's documentation page lists the required variables for that provider. Terraform Cloud provides values for these variables during runs, which you can use to authenticate Terraform Cloud with providers using dynamic credentials.
Use the input variable values that Terraform Cloud provides to map configuration values to the correct provider blocks. Authentication information for the default provider exists in a variable's top-level default
object, while each additional configuration exists under a variable's aliases
map. Terraform Cloud generates the keys of the aliases
map based on the tag you define in your Terraform Cloud configuration.
Important: If you add additional configurations to a workspace, you need to manually map authentication information for all providers including the default provider.
Example
Continuing from the example above, after setting the required environment variables for your provider, add the following code to your Terraform configuration. This lets Terraform Cloud supply variable values that you can use to map authentication and configuration details to the correct provider blocks.
variable "tfc_vault_dynamic_credentials" { description = "Object containing Vault dynamic credentials configuration" type = object({ default = object({ token_filename = string address = string namespace = string ca_cert_file = string }) aliases = map(object({ token_filename = string address = string namespace = string ca_cert_file = string })) })}
Use the above object to map authentication information to the correct provider block. For this example, index into the aliases
map with your alias's tag (ALIAS1
) and the default
provider object.
provider "vault" { // Set this to true as TFC manages the token lifecycle skip_child_token = true address = var.tfc_vault_dynamic_credentials.default.address namespace = var.tfc_vault_dynamic_credentials.default.namespace auth_login_token_file { filename = var.tfc_vault_dynamic_credentials.default.token_filename }} provider "vault" { // Set this to true as TFC manages the token lifecycle skip_child_token = true alias = "ALIAS1" address = var.tfc_vault_dynamic_credentials.aliases["ALIAS1"].address namespace = var.tfc_vault_dynamic_credentials.aliases["ALIAS1"].namespace auth_login_token_file { filename = var.tfc_vault_dynamic_credentials.aliases["ALIAS1"].token_filename }}