
Vault-Backed Dynamic Credentials

Submitted by
Style Pass
2024-05-13 15:00:10

Important: If you are self-hosting HCP Terraform agents, ensure your agents use v1.8.0 or above. To use the latest dynamic credentials features, upgrade your agents to the latest version.

For most use cases, separately configuring dynamic provider credentials with different cloud providers works well. However, Vault-backed dynamic credentials are for those looking for a way to:

The "Vault-backed" in "Vault-backed dynamic credentials" refers to Vault's secrets engines, which allow you to generate short-lived dynamic secrets for the AWS, GCP, or Azure providers. If you are using Terraform Enterprise and your Vault instance is configured within the same secure network, you can generate secrets while keeping your environment air-gapped.

Vault-backed dynamic credentials combine the features of dynamic provider credentials and Vault's secrets engines. This means you can authenticate to a Vault instance using workload identity tokens and then use the secrets engines on that instance to generate dynamic credentials for the AWS, GCP, and Azure providers.
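The Vault side of that trust relationship, sketched with the Terraform Vault provider. This is an added example, not taken from the original page. The organization, project, workspace, policy and role names are placeholders, and it assumes an AWS secrets engine is already mounted at `aws/` with a role named `tfc-deploy`.

```hcl
# Added example: "example-org", "example-project", "example-workspace",
# "tfc-run" and "tfc-deploy" are placeholder names, not values from the page.

# 1. Vault accepts workload identity tokens (JWTs) issued by HCP Terraform.
#    For Terraform Enterprise, replace the URL with your own hostname.
resource "vault_jwt_auth_backend" "tfc" {
  path               = "jwt"
  type               = "jwt"
  oidc_discovery_url = "https://app.terraform.io"
  bound_issuer       = "https://app.terraform.io"
}

# 2. Least privilege: a run may read credentials from exactly one
#    secrets engine role and manage its own Vault token, nothing else.
resource "vault_policy" "tfc_run" {
  name   = "tfc-run"
  policy = <<-EOT
    path "aws/sts/tfc-deploy" {
      capabilities = ["read"]
    }
    path "auth/token/lookup-self" {
      capabilities = ["read"]
    }
    path "auth/token/renew-self" {
      capabilities = ["update"]
    }
    path "auth/token/revoke-self" {
      capabilities = ["update"]
    }
  EOT
}

# 3. The JWT role pins which workload identities may log in. Without the
#    bound "sub" claim, any workspace on the same issuer could use the role.
resource "vault_jwt_auth_backend_role" "tfc_run" {
  backend           = vault_jwt_auth_backend.tfc.path
  role_name         = "tfc-run"
  role_type         = "jwt"
  user_claim        = "terraform_full_workspace"
  bound_audiences   = ["vault.workload.identity"]
  bound_claims_type = "glob"
  bound_claims = {
    sub = "organization:example-org:project:example-project:workspace:example-workspace:run_phase:*"
  }
  token_policies = [vault_policy.tfc_run.name]
  token_ttl      = 1200 # seconds; keep the Vault token short-lived
}
```

Narrowing the `sub` glob (for example, to a single run phase) and keeping the policy scoped to one secrets engine path limits what a compromised or misconfigured workspace can request from Vault.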
