Is there some way to authenticate Terraform in Terraform cloud against Azure and AWS by using this new OIDC authentication method? I don’t mean OIDC for user authentication but instead the Terraform itself so it can manage AWS and Azure resources. I would really want to setup Azure and AWS credentials so that I don’t have to store secret key in Terraform cloud but instead just use the AWS assume role and for Azure the client ID. Is this possible or is this in the pipeline coming soon? What about open source Terraform version, is OIDC auth supported for Azure and AWS?
Terraform Cloud does not currently support OIDC. In other words, it’s not signing a token for each run that can be sent to an external service and verified. I’ve submitted a support request inquiring about whether this is being considered.
Terraform providers can support OIDC. The AWS provider already does. EKS relies on OIDC to exchange a projected Kubernetes service account token (which is an OIDC token) for IAM role credentials. There’s a recently opened issue about allowing configuration via provider attributes rather than exclusively via environment variables:
Not sure whether the Azure provider currently supports this. But in any case, it’s up to the provider rather than Terraform core.
To make use of a provider’s OIDC support, you’d have to execute Terraform in an environment capable of issuing OIDC tokens, such as GitHub Actions or an EKS cluster.
This goes beyond just AWS and Azure too. This could enable OIDC auth to Vault and GCP too. No more storing static credentials! I’d really like to see support added by HashiCorp to TFC and eventually TFE.