When will Terraform open source get dynamic credentials support?

Looking for dynamic credentials support in open source Terraform.
Does anyone know which version will get this feature?

Any plan in near future to bring this security feature into open source distribution? Appreciate your help on this. Thanks.

Hi @sateesh-chodapuneedi,

The dynamic credentials feature involves the Terraform Cloud platform generating an assertion (as a JWT) that a particular Terraform process is running in the Terraform Cloud execution environment. This process relies on the fact that Terraform Cloud has a private signing key that can be trusted by the remote system.

A comparable mechanism in open source Terraform would not be viable because open source Terraform does not have a secret private key it can use for signing. Since it is software running on your own computer, it cannot “know” anything your computer doesn’t know.

However, you can already today implement such a thing yourself, if you wish. The process would be for your own software to use your own private key to sign an assertion (JWT) to send to the appropriate API endpoint in the target platform. As long as you already configured the remote system to trust your key, it will issue you temporary API credentials. You can then pass those credentials to the Terraform CLI process, which will in turn pass them to the providers.

What I’ve described above is essentially what Terraform Cloud is doing itself. Terraform Cloud is able to handle this part automatically only because:

  • it has a private key that is not known outside of the platform
  • it is a web service that can offer the API endpoints needed for a relying party like AWS to retrieve the corresponding public key in order to verify the certificates.