
Terraform Provider Authentication

Overview

Scalr IaC Platform uses Terraform variables to pass provider credentials during Terraform runs. For the most widely used providers (AWS, Azure, Google, and VMware), the credentials can be stored at the Scalr account level and are automatically passed to the provider as variables. All sensitive variables, such as credentials, are hidden in the UI and output.

Using Terraform Provider Credentials in Scalr

Built-In Provider Credentials

Terraform allows the credentials required by providers to be consumed from environment variables when using the CLI. For example, if you are using AWS, you can declare two variables in your local environment and then code the provider with just the region parameter.

export AWS_ACCESS_KEY_ID=[ACCESS_KEY_VALUE]
export AWS_SECRET_ACCESS_KEY=[SECRET_KEY_VALUE]

Then your template would simply contain a provider block like this.

provider "aws" {
  region     = var.region
}

Scalr enables the same approach by automatically publishing the cloud credentials for an environment into workspaces as variables. Provider configurations in the template can then consume the credentials configured in Scalr securely, without the need to access external secret storage systems or hard-code credentials in tfvars files.

Built-in cloud credential variables are currently implemented for the AWS, Azure, Google, and VMware providers, and only the credentials that are linked to an environment are published.

This feature allows templates to consume the credentials regardless of how they are run, including the template registry, CLI runs, and automated runs from VCS.

The variables that are published for each cloud can be viewed on the “variables” tab of a Workspace. These variables cannot be edited via the UI or API/CLI and they are set as “sensitive” so the values are masked from view.


Non Built-In Provider Credentials

If you are using a provider that is not in the built-in list, you can still use that provider and pass the credential through a Terraform variable or an environment variable.

  • Terraform variable: The credential variable must be declared in the Terraform template and variables file. The value can then be placed in the Scalr UI -> workspaces -> Terraform variables.

  • Environment variable: The credential does not need to be declared in the Terraform template or variables file. The value must be placed in the Scalr UI -> workspaces -> environment variables.
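
The two options side by side, as an added example that is not part of the Scalr documentation. It assumes the Datadog provider as a stand-in for a provider without built-in credentials; the variable names are hypothetical.

```hcl
# Added illustration; not Scalr's own code.
# Assumption: Datadog is used as the example of a non-built-in provider.
terraform {
  required_providers {
    datadog = {
      source = "DataDog/datadog"
    }
  }
}

# Option 1: Terraform variable.
# The variables are declared in the template; their values are entered in
# Scalr UI -> workspaces -> Terraform variables, not in a committed tfvars file.
variable "datadog_api_key" { # hypothetical name
  type        = string
  description = "Datadog API key, supplied by the Scalr workspace"
  sensitive   = true # redacts the value in plan/apply output (Terraform 0.14+)
}

variable "datadog_app_key" { # hypothetical name
  type        = string
  description = "Datadog application key, supplied by the Scalr workspace"
  sensitive   = true
}

provider "datadog" {
  api_key = var.datadog_api_key
  app_key = var.datadog_app_key
}

# Option 2: environment variable.
# Nothing is declared in the template. DD_API_KEY and DD_APP_KEY are set in
# Scalr UI -> workspaces -> environment variables, and the provider reads
# them itself, so the provider block carries no credential arguments:
#
# provider "datadog" {}
```

With either option the secret stays out of version control; with option 1, marking the variable `sensitive` also keeps it out of plan output.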

Each provider documents how to authenticate to it. For example, Oracle does not have a built-in credential, but it is fully supported because Scalr supports any Terraform provider. The Oracle provider supplies documentation on how to authenticate: Oracle Cloud Platform Provider