Manage credentials for HCP Terraform with Vault
As adoption of HCP Terraform grows, more organizations are incorporating it into their automated workflows and existing tooling. Interaction with the HCP Terraform API relies on auth tokens generated by the API. External systems use these tokens to automate actions in HCP Terraform, often as part of an organization’s CI/CD pipelines.
The Vault Terraform secrets engine enables you to generate, manage and revoke credentials for HCP Terraform and Terraform Enterprise while adhering to best practices of access and control.
In this tutorial, you will enable the secrets engine, configure it to generate credentials, and then manage those credentials.
Prerequisites
To perform the tasks described in this tutorial, you need to have:
- An HCP Vault cluster or a self-hosted Vault environment.
- HCP Terraform account and organization created.
Policy requirements
Each persona requires a different set of capabilities. These are expressed in policies. If you are not familiar with policies, complete the policies tutorial.
The admin tasks require these capabilities.
The apps tasks require these capabilities.
Lab setup
The tutorial requires a HCP Terraform API key.
Retrieve HCP Terraform API key
Launch a web browser and navigate to
https://app.terraform.io/session
.Click Continue with HCP account and sign in.
Expand your profile, and select Account settings.
From the side navigation, select Tokens.
Click Create an API token.
Enter "learn-vault" in the Description field.
Click Generate token.
Click the copy icon.
In a terminal, export the variable
TF_TOKEN
to the copied token value.This token enables you to generate tokens for your HCP Terraform user account. Tokens generated for teams and organizations would be able to generate tokens for their respective scope.
Start Vault
Refer to the Getting Started tutorial to install Vault. Make sure that your Vault server has been initialized and unsealed.
In another terminal, start a Vault dev server with
root
as the root token.The Vault dev server defaults to running at
127.0.0.1:8200
. The server is initialized and unsealed.Insecure operation
Do not run a Vault dev server in production. This approach starts a Vault server with an in-memory database and runs in an insecure way.
Export an environment variable for the
vault
CLI to address the Vault server.Export an environment variable for the
vault
CLI to authenticate with the Vault server.
Note
For these tasks, you can use Vault's root token. However, it is recommended that root tokens are only used for enough initial setup or in emergencies. As a best practice, use an authentication method or token that meets the policy requirements.
The Vault server is ready.
Scenario Introduction
In this tutorial, you will configure the Terraform secrets engine, create a role to generate tokens and then manage the lifecycle of these tokens.
- Enable the Terraform secrets engine
- Configure Terraform secrets engine
- Create a role
- Request Terraform credentials
- Manage leases
Enable the Terraform secrets engine
The Terraform secrets engine generates Terraform tokens dynamically based on configured roles.
Enable the Terraform secrets engine at the terraform/
path.
The Terraform secrets engine is enabled.
Configure Terraform secrets engine
The Terraform secrets engine is configured by default to communicate with HCP Terraform. The HCP Terraform API key is set in the configuration to authenticate.
Configure the Terraform secrets engine to use the TF_TOKEN
token.
Create a role
The secrets engine is configured with the credentials that you provided it. These credentials are used through roles that you define for each secrets engine. A role is a logical name within Vault that maps to HCP Terraform credentials. These roles are defined for an organization, a team, or a user.
Request the Terraform user ID for the account associated with the TF_TOKEN
.
NOTE: This example uses jq to process the JSON output for readability.
This unique ID is required to generate credentials for this user.
Create a variable to store the user ID.
Create a role named my-user
with the USER_ID
and a time-to-live of 2
minutes.
This role is ready to generate credentials for this user that stay valid for two minutes.
Request Terraform credentials
The applications or users that require the Terraform credentials read them from the secrets engine's my-user role.
Read credentials from the my-user
role.
The Terraform credentials are displayed as the token
value. The token_id
represents its unique identifier that HCP Terraform uses to maintain that ID.
Create a variable to store the token created from the my-user
role.
Request all the authentication token IDs for the user account authenticating
with the CREATED_TF_TOKEN
token.
The results of the request authenticates with the new token and returns the list of all the token ids generated.
Manage leases
The credentials are managed by the lease ID and remain valid for the lease duration (TTL) or until revoked. Once revoked the credentials are no longer valid.
List the existing leases.
All valid leases for Terraform credentials are displayed.
Create a variable that stores the first lease ID.
Renew the lease for the database credential by passing its lease ID.
The TTL of the renewed lease is set to 2m
.
Revoke the lease without waiting for its expiration.
List the existing leases.
The lease is no longer valid and is not displayed.
Read new credentials from the my-user
role.
All leases associated with a path may be removed.
Revoke all the leases with the prefix terraform/creds/my-user
.
The prefix
flag matches all valid leases with the path prefix of
terraform/creds/my-user
.
List the existing leases.
All the leases with this path as a prefix have been revoked.
Next Step
The HCP Terraform tokens that you generated are able to perform all the abilities of the account that created them. Learn more about HCP Terraform with the HCP Terraform - Get Started tutorials.
The Terraform secrets engine is configured to work with your user account. Learn how to configure it for organizations and teams by by reading the Terraform secrets engine documentation.