Enable self-service workflows with Vault-backed dynamic credentials
Vault-backed dynamic credentials let you provision infrastructure in HCP Terraform using short-lived, strictly-scoped credentials managed by Vault, eliminating the need to store long-lived static credentials in your HCP Terraform projects and workspaces. This workflow also enhances your security posture by letting you scope which projects and workspaces can use the generated credentials.
To enable Vault-backed dynamic credentials for your organization, you must create a trust relationship between HCP Terraform and Vault that defines which projects and workspaces can request the credentials. Rather than managing credentials and their access, this workflow requires managing and carefully configuring the trust relationships. This workflow is based on the OpenID Connect protocol (OIDC), an open source standard for verifying identity across different systems.
In this tutorial, you will enable Vault-backed dynamic credentials and use HCP Terraform projects and variable sets to enable a self-service workflow. First, you will configure Vault's secrets engine for AWS. Then you will use the Terraform Enterprise provider to create an HCP Terraform team and project to manage your trust relationships. The provider will also create a variable set containing the values needed to create new trust relationships for future projects and workspaces. You will then create two trust relationships, one for a single workspace and one for an entire project. Then you will deploy infrastructure using dynamic credentials created from these trust relationships with both a traditional workspace and a no-code module.
Prerequisites
This tutorial assumes that you are familiar with the Terraform, HCP Terraform, and Vault workflows. If you are new to Terraform, complete the Get Started collection first. If you are new to HCP Terraform, complete the HCP Terraform Get Started collection first. If you are new to Vault, complete the Vault foundations collection.
This tutorial also assumes you are already familiar with dynamic credentials. If you are new to dynamic credentials, refer to the Authenticate Providers with Dynamic Credentials and Authenticate Providers with Vault-Backed Dynamic Credentials tutorials to learn how to create them.
For this tutorial, you will need:
- Terraform v1.2+ installed locally.
- An HCP Terraform account and Organization with Teams enabled, or a Terraform Enterprise instance.
- A Vault cluster. We recommend you use a non-production HCP Vault cluster to complete this tutorial.
- An AWS account with local credentials configured for use with Terraform.
Note
Teams are available in HCP Terraform Standard Edition. Refer to HCP Terraform pricing for details.
Clone example repository
Visit the template
repository
for this tutorial. Click the Use this template button and select Create a
New Repository. Choose the GitHub owner that you use with HCP Terraform, and
name the new repository learn-terraform-dynamic-credentials-no-code
. Leave the
rest of the settings at their default values.
Clone the new repository, which contains Terraform configuration you will use to create your trust project, trust relationships, and infrastructure. Find the URL to your repository by clicking the Code button on GitHub, or customize the following command.
Replace <YOUR_USERNAME>
with your GitHub user name.
Change into the example repository directory.
Create trust relationship project
In this step, you will configure Vault's secrets engine for AWS and create an HCP Terraform team, project, and variable set to manage your trust relationships. Later in this tutorial you will use this project to create trust relationships that will allow the workspaces and projects you specify to provision infrastructure with Vault-backed dynamic credentials.
Review the configuration to understand how your trust project will work.
Change into the trust-project
subdirectory.
This directory contains the configuration required to set up Vault's secrets engine for AWS and an HCP Terraform project to manage your trust relationships. You will use Terraform to provision the trust project in your HCP Terraform organization, and then create and manage your all of your trust relationships in the project. To bootstrap this workflow, you will apply this configuration by running Terraform commands locally using standard credentials.
Review cloud provider configuration
Open aws.tf
and review the configuration.
The configuration first configures the AWS provider, and defines an IAM user and access key that Vault's secrets engine will use to provision your dynamic credentials.
The configuration uses the random provider to generate a unique, randomized username for the Vault secrets engine user.
Warning
Terraform will store the credentials that AWS generates for your
aws_iam_access_key.trust_relationships
resource in your workspace's state.
Always keep your state file secure.
Next, the configuration defines an IAM user policy and role for the AWS user to assume.
After you create the trust relationship, Vault will assume this user's role to provision dynamic credentials.
Review Vault configuration
Open vault.tf
and review the configuration for your trust relationship.
This configuration uses the Vault provider to enable Vault's AWS secrets engine
and configures it to authenticate with the IAM user and credentials defined in
aws.tf
.
The Vault secrets engine will use these credentials to access the role defined in the previous section. That role has the permissions required to create the IAM roles that your trust relationships will use.
Next, the configuration defines a JWT authentication backend, which implements the OpenID standard.
Finally, the configuration defines the Vault policy that allows Vault-backed dynamic credentials access to the AWS secrets engine, and a user attached to that policy. In the next section, you will use this user to create trust relationships.
Review HCP Terraform Configuration
Open tfe.tf
and review the configuration for your trust relationship project.
This configuration creates a project-scoped variable set containing all of the
credentials and settings you will need to create trust relationships. This is an
example of one way that a security team could manage trust relationships for
other projects and teams. By maintaining a single project for all trust relationships with individual workspaces for each trust relationship, you can easily share required credentials at the project level while reducing the scope of each workspace to only the logically-related resources.
After defining the provider, the configuration creates the project for your trust relationships, a team with permissions to manage workspaces and projects, and a token for that team.
Later in this tutorial, you will use the team's token to authenticate with HCP Terraform and create the workspaces and projects for your infrastructure.
Finally, the configuration defines a variable set with all of the variables you will need to provision trust relationships. In this example scenario, the security team manages multiple trust relationships for other teams in the organization. Each trust relationship is managed in its own workspace.
Later in this tutorial, your workspaces will use these variables to create two trust relationships: one that allows dynamic credentials for a single workspace, and one with access for an entire project.
Create trust project
In the trust-project
directory, copy the example .tfvars
file to create a
new variables file that configures your organization and workspace name.
Open terraform.tfvars
and configure the variables for the trust project.
Replace <YOUR_ORG>
with your HCP Terraform organization name, and
<YOUR_VAULT_CLUSTER>
with your Vault cluster's public URL. If you are using
HCP Vault to complete this tutorial, navigate to your cluster, find the
Cluster URLs tool, and click Public to copy it to your clipboard.
Note
You will also need an administrator token to provision Vault resources. If you
are using HCP Vault, find the New admin token tool, and click Copy to
copy it to your clipboard. Then export it as an environment variable: export
VAULT_TOKEN=<PASTE_TOKEN>
.
Initialize configuration
Initialize the configuration for your trust project.
Apply configuration
Apply this configuration to create the Vault AWS secrets engine, OIDC
connection, trust project, and related resources. Respond to the confirmation
prompt with a yes
.
Open the trust_project_url
output value in your web browser to review your new
trust project. In the next sections you will create two trust relationships in workspaces in this project.
Open the trust_varset_url
to review the variables that you configured for your trust project.
Create a trust relationship for a single workspace
In this section, you will use your trust project to create a trust relationship scoped to a single workspace. Then you will use that workspace to provision infrastructure with dynamic credentials.
Review configuration
In the example repository that you cloned to your local machine, the
trust-relationship-ec2
directory contains the configuration required to create
a trust relationship with AWS that allows you to manage EC2 instances. Review
the configuration now.
Open trust-relationship-ec2/aws.tf
. This file contains an IAM policy and role
that allows access to EC2, and allows the Vault secrets engine user to assume
this role.
Open vault.tf
. This configuration sets up the trust relationship in Vault, and
assigns the policy created by aws.tf
to it. It authenticates to Vault with the
Vault user you created when you created your trust project in the previous step.
The vault_jwt_auth_backend_role.aws_secret_backend_role
role configures the
trust relationship, and sets the sub
claim to match your organization, project
name, and workspace name. Your project variable set contains a variable value for the organization name, and you will set an input variable for the workspace name. You will leave the project name set to its default value, “Default Project”.
Open tfe.tf
to review the configuration for your workspace and variables.
The configuration sets several required and optional values. Refer to the Vault-backed dynamic credentials documentation to learn how these variables work. Your workspace will reference these variables along with the variables in the project-scoped variable set to create your resources.
Create trust relationship workspace
The previous step created a project configured with all of the variables needed to manage your trust relationships. You will now create a workspace in that project. This workspace will provision a new HCP Terraform workspace in which to manage infrastructure, and configure a trust relationship that lets that workspace using dynamic credentials for runs.
Visit your trust project, either by logging into your HCP Terraform account
and navigating to it, or pasting the trust_project_url
output value from your
trust project into your web browser. Then follow these steps to create the
workspace for your first trust relationship.
- Create a new version-control driven workspace
- Choose the learn-terraform-dynamic-credentials-no-code GitHub repository. If you have not yet connected your GitHub account to HCP Terraform, follow the prompts to do so. Refer to the Use VCS-Driven Workflow tutorial for detailed instructions.
- On the Configure settings step, set the following options:
- Set the Workspace name to
trust-project-vulcan
. - Set the Project to the name of your trust relationships project, which was displayed in the outputs of the last run.
- Expand the Advanced options interface, and set the Terraform Working Directory to
trust-relationship-ec2
.
- Set the Workspace name to
- Click Create workspace to create the workspace.
After you create the workspace, set the following workspace-specific variables:
Variable category | Key | Value | Sensitive |
---|---|---|---|
Terraform variable | tfc_workspace_name | project-vulcan | No |
Terraform variable | vcs_oath_client_name | Your OAuth client name for GitHub | No |
Terraform variable | vcs_identifier | The path to your forked GitHub repository | No |
Terraform variable | vcs_working_directory | infra | No |
Note
You can find the name of your OAuth client for GitHub in your HCP Terraform organization's settings under Version Control => Providers. The name of the OAuth client is displayed next to the GitHub "octocat" icon. Your VCS identifier will be the path to your forked GitHub repository, usually your username followed by a slash and the name of the repository, such as "<YOUR_GITHUB_USERNAME>/learn-terraform-dynamic-credentials-no-code".
The trust relationship you will define for this workspace will let it access dynamic credentials that allow you to create EC2 instances.
Note
This tutorial's infrastructure and trust relationship configuration are in the same GitHub repository. You may wish to structure the configuration differently based on your organization's separation of responsibility.
Expand your workspace's Actions menu, select Start a new run, then click the Start run.
Once the plan is complete, click Confirm & Apply followed by Confirm Plan to apply it. Once the apply is complete, note the output values. Your trust workspace created the workspace you will use to provision your infrastructure, and configured it with the correct workspace-specific variables to use the trust relationship. The output values also include the IAM role that Vault will assign to your workspace's dynamic credentials. In your own organization, you can scope this IAM role to the permissions the target workspace or project needs.
Open the URL given for the workspace_url output value to visit your workspace.
Provision infrastructure with trust relationship workspace
On the workspace's Overview tab, start a new run for this workspace by selecting Start new run from the workspace's Actions menu, then click Start run. Once the apply is complete, note the output values, including the URL of your EC2 instance.
HCP Terraform provisioned your EC2 instance with dynamic credentials. Since you created a trust project, you can use it to create and manage your trust relationships for all of your workspaces and projects.
Create a trust relationship for a project
While you can create trust relationships for individual workspaces, you must also consider the time and effort required to manage these trust relationships. In some cases it may be more efficient to establish a trust relationship for an entire HCP Terraform project rather than individual workspaces. This would allow all workspaces in the project to request and use dynamic credentials.
In this section, you will establish a trust relationship for an entire project. Each workspace you create in the project will use the same trust relationship to manage your resources.
Review configuration
The configuration for this trust relationship is in the trust-relationship-s3
directory inside the example repository. This configuration is similar to the
configuration you used to create the trust relationship in the previous section.
Review the differences between them.
First, open trust-relationship-s3/aws.tf
.
Instead of allowing actions on EC2 instances, this policy allows access to S3 buckets.
Open vault.tf
to review the vault configuration. This configuration sets a
different name for the Vault AWS secrets backend role. Each role name in your
secrets engine must be unique. While it sets the same value for sub
, you will
set the tfc_project_name
variable to be the name of the project you will
create trust relationship for, and leave tfc_workspace_name
to its default
value (*
) to enable the trust relationship for any workspace in your project.
Next, review the HCP Terraform configuration in tfe.tf
. The configuration
for your single-workspace trust relationship created a workspace and assigned
the variables for your trust relationship on that workspace. This configuration
creates a project, and a variable set for that project. The variable set will be
applied to all workspaces in your project, so any workspace you create in the
project will use the trust relationship to access dynamic credentials for its runs. Since your organization name
and project name are configured in the sub
claim you reviewed in the
vault.tf
file, and the workspace name is *
, the trust relationship is valid
for any workspace in your project.
Note
This example duplicates some of the configuration between the two trust relationships. You may prefer to encapsulate this configuration in one or more modules simplify managing trust relationships.
In the next section, you will provision a trust relationship and project with this configuration.
Create trust relationship workspace
In this section, you will create a use HCP Terraform to provision a new project and a trust relationship scoped to that project. Navigate to the trust project you created at the start of the tutorial, then follow these steps to create the workspace:
- Create a new version-control driven workspace.
- Choose the
learn-terraform-dynamic-credentials-no-code
GitHub repository. - On the Configure settings step, set the following options:
- Set the workspace name to
trust-project-phoenix
. - Set the project to your trust relationships project.
- Expand the Advanced options interface, and set the Terraform Working Directory to
trust-relationship-s3
.
- Set the workspace name to
- Click Create workspace to create the workspace.
After you create the trust workspace, set a workspace-specific variable for the project name:
Variable category | Key | Value | Sensitive |
---|---|---|---|
Terraform variable | tfc_project_name | S3 Websites | No |
The configuration will create a new HCP Terraform project and assign a project-scoped variable set that contains the values for the new trust relationship.
Start a new run for this workspace by selecting Start new run from the workspace's Actions menu, then click Start run. Once the plan is complete, click Confirm & Apply and then Apply Plan to apply it. After the apply completes, note the output values. This workspace created a new project and a variable set containing the variables that the child workspaces in the project can use to access dynamic credentials.
Create a no-code module
In this tutorial, you will use a no-code module to provision a workspace for the S3 Websites project. This workspace will use the trust relationship you created in the previous step to provision your S3 bucket with dynamic credentials managed by Vault. This way, anyone in your organization with the permissions to create a no-code workspace in the “S3 Websites” project can deploy an S3-backed static website without needing to configure AWS credentials or write Terraform configuration.
Create no-code module repository
Visit the template
repository for
this tutorial. Click the Use this template button and select Create a New
Repository. Choose the GitHub owner that you use with HCP Terraform, and
name the new repository terraform-aws-s3-website
. Leave the rest of the
settings at their default values.
Then, create a release in your repository. Select Releases from the right side of your repository's GitHub page, and click the Create new release button. Follow the instructions to create a new tag named "1.0.0". Give the release a title of "First release", leave the rest of the options at their default values, and click the green Publish release button.
Next, visit the registry for your HCP Terraform organization, and create the no-code module. From the main Registry page for your HCP Terraform organization, use the Publish > Module interface to create your no-code module.
- Select your GitHub version control provider.
- Select the
terraform-aws-s3-website
repository you just created. - Select the Add Module to no-code provision allowlist option, and click the purple Publish module button to publish your no-code module.
Deploy no-code module
It may take a few minutes for HCP Terraform to create your no-code module. Once it does, deploy your module in the S3 Websites project you just created.
- From your no-code module's page, select the purple Provision workspace button.
- This module does not require any variables, so click the Next: Workspace settings button to continue.
- On the Configure workspace settings page:
- Name the workspace "example-s3-website".
- Select the S3 Websites project.
- Select the Manual apply option.
- Leave the other options at their default values, and click the Create workspace button.
Once your workspace is created, HCP Terraform will redirect you to the workspace's Overview page.
Start a new run for this workspace by using the Actions interface to select Start a new run, then click the Start run on the dialog box.
Once the plan is complete, click Confirm & Apply and then Apply Plan to apply it. Once the apply is complete, note the output values, including the hostname for your new S3 bucket.
In this tutorial, you created an HCP Terraform project to manage your trust relationships. Then, you used the project to create trust relationships for a single workspace and for an entire project. You used these trust relationships to provision infrastructure with vault-backed dynamic credentials.
In your organization, different teams may be responsible for managing trust relationships and deploying infrastructure. For example, a security team could configure and manage the workspaces that define trust relationships, while infrastructure teams configure and manage downstream workspaces that use the trust relationships from the security team. When different teams manage trust and infrastructure, consider how you will coordinate changes to maintain scoped trust relationships while still enabling the downstream teams that rely on them. This tutorial demonstrates one example pattern that you could use to do so.
Remember that trust relationships reference your organization, project, and workspace names, so changing any of those values within HCP Terraform can potentially break your trust relationships.
Clean up your infrastructure
Remove the infrastructure and trust relationship that you created in this tutorial.
Destroy infrastructure
Remove the infrastructure you created in this tutorial.
In your "S3 Buckets" project, select the "example-s3-website" workspace, and navigate to Settings > Destruction and Deletion. From that page, select the Queue destroy plan button and follow the prompts to destroy your S3 bucket. Once the plan is complete, click Config & Apply and then Apply Plan to destroy your S3 bucket.
Once you have destroyed your S3 bucket, return to the Destruction and Deletion page and click the Delete from HCP Terraform button. Follow the prompts to remove the "example-s3-website" workspace.
Next, remove your no-code module. Navigate to your organizations Registry page and select the code-s3-website module. From the module details page, select the Manage Module for Organization > Delete module button. Follow the prompts to delete your module from HCP Terraform.
Then, find the "project-vulcan" workspace. Navigate to Settings > Destruction and Deletion. From that page, select the Queue destroy plan button and follow the prompts to destroy your EC2 instance. Do not delete the project-vulcan workspace from HCP Terraform. This will happen automatically when you remove the trust relationship.
Then destroy the infrastructure and remove the two workspaces in your trust project. Navigate to the trust project in your HCP Terraform organization. Then select the "trust-project-vulcan" workspace, and navigate to Settings > Destruction and Deletion. From that page, select the Queue destroy plan button and follow the prompts to destroy the trust relationship.
Once the trust relationship has been destroyed, return to the Destruction and Deletion page, select the Delete from HCP Terraform button, and follow the prompts to delete the workspace from HCP Terraform.
Then, return to your Trust Project, select the "trust-project-phoenix", and repeat the previous steps to destroy that trust project and remove the workspace from HCP Terraform.
Now that you have removed all of the resources you created with dynamic
credentials and the two trust relationships, return to your command prompt to
destroy your trust project and related infrastructure. Respond to the
confirmation prompt with yes
.
Next steps
In this tutorial, you created a project to manage Vault-backed trust relationships. You used this project to create a trust relationship for a single workspace, and another trust relationship for an entire project.
Refer to the following resources to learn more about dynamic credentials.
Refer to the terraform-dynamic-credentials-setup-examples GitHub repository for other example configurations.
Read the dynamic credentials documentation for more details about how to configure your trust relationships.
You can also manually generate custom auth tokens for custom authentication workflows or providers that do not natively support dynamic credentials.