I’m working on adding support for Dynamic Provider Credentials to a provider, and so far I’ve got the basics working with the `TFC_WORKLOAD_IDENTITY_TOKEN` environment variable. I’m trying to figure out the best strategy for determining what run phase is currently being executed to use different identity IDs for the plan and apply phase, much like the other providers that support Dynamic Provider Credentials can do. Looking through those code bases it’s not quite clear how they’re doing that. Seems like it’d be easy enough to inspect the subject of the provided token, but I’d also like this to work for other authentication methods, like GH tokens, or any OIDC IdP token. Is there some API property or environment variable with the information?
Maybe this idea doesn’t actually make sense. In other environments they’d essentially just be running `terraform plan` and `terraform apply` and could pass different client ids in as variables.
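One way to do what the question describes, reading the run phase out of the token itself to pick a per-phase identity, as an added Go example that is not code from this thread or from any existing provider. It assumes the TFC workload identity token carries a `terraform_run_phase` claim and a subject ending in `run_phase:<phase>`; the sample token is constructed and unsigned, and the payload is decoded without signature verification because the provider only routes on it and the identity provider that receives the token is the party that must verify it.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
)

// runPhaseFromToken returns "plan" or "apply" from a TFC workload identity token.
// The payload is decoded WITHOUT verifying the signature: the value only selects
// which client id to present, and the IdP that consumes the token verifies it.
func runPhaseFromToken(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("token is not a three-part JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", fmt.Errorf("decode payload: %w", err)
	}
	var claims struct {
		Sub      string `json:"sub"`
		RunPhase string `json:"terraform_run_phase"` // assumed claim name
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return "", fmt.Errorf("parse claims: %w", err)
	}
	if claims.RunPhase != "" {
		return claims.RunPhase, nil
	}
	// Fall back to the subject, assumed to end in ":run_phase:<phase>".
	if i := strings.LastIndex(claims.Sub, ":run_phase:"); i >= 0 {
		return claims.Sub[i+len(":run_phase:"):], nil
	}
	return "", errors.New("no run phase found in token")
}

// clientIDForPhase maps the phase to an identity; unknown phases are an error
// rather than silently falling back to either id.
func clientIDForPhase(phase, planID, applyID string) (string, error) {
	switch phase {
	case "plan":
		return planID, nil
	case "apply":
		return applyID, nil
	}
	return "", fmt.Errorf("unexpected run phase %q", phase)
}

// makeUnsignedToken builds a constructed sample token (placeholder signature).
func makeUnsignedToken(claims map[string]string) string {
	enc := func(v any) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	return enc(map[string]string{"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".constructed-sig"
}

func main() {
	token := os.Getenv("TFC_WORKLOAD_IDENTITY_TOKEN")
	if token == "" { // constructed sample when run outside TFC
		token = makeUnsignedToken(map[string]string{"sub": "organization:acme:project:p:workspace:w:run_phase:apply"})
	}
	phase, err := runPhaseFromToken(token)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	id, err := clientIDForPhase(phase, "plan-client-id", "apply-client-id")
	fmt.Println(phase, id, err)
}
```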
Could you expand a little on the use-case you’re describing by way of providing code snippets (e.g., configuration and schema) to illustrate the goal you’re trying to achieve? Thanks.