Traditionally, developers looking to safely provision infrastructure using Terraform are given their own set of long-lived, scoped AWS credentials. While this enables the developer’s freedom, using long-lived credentials can be dangerous and difficult to secure.
- Long-lived credentials on a developer’s local machine creates a large attack surface area. If a malicious actor gains access to the credentials, they could use them to damage resources.
- Operators need to manage a large number of static, long-lived AWS IAM credentials with varying scope.
The Inject secrets into Terraform using the Vault provider will guide you through storing your long-lived AWS credentials in Vault’s AWS Secrets Engine, then leveraging Terraform’s Vault provider to generate appropriately scoped & short-lived AWS credentials to be used by Terraform to provision resources in AWS.
This alleviates the problems outlined above. Developers can provision resources without direct access to secrets. Operators are able to manage permissions by modifying a Vault role’s policy, instead of juggling static, long-lived secrets with varying scope.
By the end of this tutorial, you will learn about the benefits and considerations this approach has to offer.