Securing API Keys/Passwords/SSH Keys in Terraform

stevenjw0228001 · March 15, 2021, 9:40pm

I am looking into how to secure things like API keys within my terraform code. I am using terraform to push config and changes to palo alto Firewalls and this requires an API key. So the example is this:

# Configure the panos provider
provider "panos" {
    hostname = "127.0.0.1"
    json_config_file = "../panos-creds.json"
}

Then the solution to filling the creds is this:

{
    "hostname": "127.0.0.1",
    "api_key": "secret",
    "timeout": 10,
    "logging": ["action", "op", "uid"],
    "verify_certificate": false
}

So to me this seems like they are calling the json file to fill the credentials for api access to the palo alto. The issue is how do we secure the json file that lies in the terraform folder structure? How can I use something like AWS KMS for this? Is that an option?

grantorchard1 · March 16, 2021, 12:52am

The simplest way to address this is to use environment variables, which the provider will read in natively rather than configuring them in the provider block itself. You can find examples here:
https://registry.terraform.io/providers/PaloAltoNetworks/panos/latest/docs#username

stevenjw0228001 · March 16, 2021, 3:22pm

Which this works for not loading creds to versioning platform like GitHub, but then the creds are still local to the box pushing the code. Beside Hashicorp vault how can we store these somewhere with encryption? Thats why I was asking about aws kms.

Topic		Replies	Views
Recommended best practices for storing API credentials? Terraform	6	5992	January 2, 2020
Where exactly do I put my AWS access key and secret key when using Terraform Cloud? AWS	1	4114	February 10, 2020
S3 backend prompt for credentials? Terraform	2	210	May 23, 2022
[Feedback wanted] Securely Configure AWS Backend Credentials (Terraform) Vault vault	0	271	April 10, 2022
Handling SSH auth in Terraform Cloud Terraform	2	327	June 8, 2023

Securing API Keys/Passwords/SSH Keys in Terraform

Related topics