OIDC Auth AWS & Azure

Is there some way to authenticate Terraform in Terraform cloud against Azure and AWS by using this new OIDC authentication method? I don’t mean OIDC for user authentication but instead the Terraform itself so it can manage AWS and Azure resources. I would really want to setup Azure and AWS credentials so that I don’t have to store secret key in Terraform cloud but instead just use the AWS assume role and for Azure the client ID. Is this possible or is this in the pipeline coming soon? What about open source Terraform version, is OIDC auth supported for Azure and AWS?

3 Likes

Terraform Cloud does not currently support OIDC. In other words, it’s not signing a token for each run that can be sent to an external service and verified. I’ve submitted a support request inquiring about whether this is being considered.

Terraform providers can support OIDC. The AWS provider already does. EKS relies on OIDC to exchange a projected Kubernetes service account token (which is an OIDC token) for IAM role credentials. There’s a recently opened issue about allowing configuration via provider attributes rather than exclusively via environment variables:

Not sure whether the Azure provider currently supports this. But in any case, it’s up to the provider rather than Terraform core.

To make use of a provider’s OIDC support, you’d have to execute Terraform in an environment capable of issuing OIDC tokens, such as GitHub Actions or an EKS cluster.

3 Likes

This goes beyond just AWS and Azure too. This could enable OIDC auth to Vault and GCP too. No more storing static credentials! I’d really like to see support added by HashiCorp to TFC and eventually TFE.

1 Like

Now both providers Azure and AWS has generic OIDC auth support, not only GitHub actions. This means Terraform Cloud could have OIDC implemented if Hashicorp would do it. I really, really would like to see this happen.

2 Likes

Hi, this is an important feature for us. Is it something Hashicorp is working on?

For those who are interested in Terraform Cloud support for OpenID Connect authentication, I’d suggest sending those requests via HashiCorp Support, since that’s the primary channel that the Terraform Cloud teams expect to receive feedback from.

This forum is instead more aimed at helping folks use the open source parts of Terraform that have no explicit support channel otherwise. Terraform Cloud teams do sometimes participate in discussions here, but it’s primarily to help with using existing Terraform Cloud features rather than to gather feedback about potential new features.

1 Like

This is absolutely a must needed feature… We can’t really switch to remote terraform runs until we have OIDC support.

3 Likes

Terraform Cloud just added beta support of OIDC called as dynamic provider credentials: https://www.hashicorp.com/blog/terraform-cloud-adds-dynamic-provider-credentials-vault-official-cloud-providers

2 Likes

This is a amazing news! Thanks Hashicorp for implementing this. :partying_face: