If you like Terrateam, give us a star 🌟 on GitHub.
Cloud Credentials
Terrateam provides flexible authentication and authorization options for Terraform operations, allowing you to securely manage credentials and control access to your cloud resources. In this guide, we’ll explore advanced workflows and configurations using Terrateam’s OIDC integration, static credentials, and custom scripts for generating cloud credentials.
OIDC (OpenID Connect)
Terrateam’s OIDC integration enables secure authentication against cloud providers using short-lived, dynamically generated credentials.
Benefits of OIDC over Static Credentials
Uses short-lived credentials that are automatically issued and expire quickly, reducing the risk of leaks.
Improves your security posture by eliminating long-lived credentials from your environment.
Reduces the effort needed to manage and rotate static access keys.
Lets you define specific access scopes per workflow to keep permissions tight.
Basic OIDC Configuration
To use OIDC with Terrateam, you need to configure the oidc step type in your configuration. A step type defines a specific action in your workflow, such as authentication, initialization, or execution of Terraform commands.
Workflows Example
workflows:
- tag_query: "dir:aws"
plan:
- type: oidc# Authentication step
provider: aws
role_arn: ${AWS_ROLE_ARN}
- type: init# Terraform initialization step
- type: plan# Terraform plan step
apply:
- type: oidc
provider: aws
role_arn: ${AWS_ROLE_ARN}
- type: init
- type: apply
Hooks Example
hooks:
all:
pre:
- type: oidc
provider: aws
role_arn: ${AWS_ROLE_ARN}
In these examples, OIDC is used to authenticate against AWS using the specified role_arn.
Advanced OIDC Workflows
Terrateam’s OIDC integration provides flexibility and customization options to suit your specific requirements. Here are some advanced OIDC workflows with examples:
Multiple OIDC Configurations
Define multiple OIDC configurations within a single workflow to use different roles or providers for different steps.
workflows:
- tag_query: "dir:aws"
plan:
- type: oidc
provider: aws
role_arn: ${AWS_PLAN_ROLE_ARN}
- type: init
- type: plan
apply:
- type: oidc
provider: aws
role_arn: ${AWS_APPLY_ROLE_ARN}
- type: init
- type: apply
In this example, the plan steps use a different IAM role (AWS_PLAN_ROLE_ARN) compared to the apply steps (AWS_APPLY_ROLE_ARN), allowing for granular permission control.
OIDC for Multiple Cloud Providers
Configure OIDC for different cloud providers, such as AWS and GCP, within the same workflow.
Set required permissions
Make sure your script and the credentials it generates follow the principle of least privilege:
The script should only be allowed to assume specific roles.
The assumed credentials should have only the permissions necessary for their task.
Use separate permission sets for plan and apply operations.
Best Practices
When implementing advanced authentication and authorization workflows with Terrateam, consider the following best practices:
Principle of Least Privilege: Grant the minimum set of permissions required for each workflow or step, ensuring that credentials have access to only the necessary resources.
Secure Credential Storage: Store sensitive credentials, such as static access keys or OIDC role ARNs, securely using GitHub Secrets or a secrets management system.
Regular Credential Rotation: Implement a process to regularly rotate credentials, whether static or dynamically generated, to minimize the risk of unauthorized access.