How does Terraform handle provider authentication in different environments?
Answer
Production Terraform provider authentication best practices by environment:

- Local development: AWS CLI credentials from ~/.aws/credentials or environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY). Use named profiles: provider "aws" { profile = "dev-account" }.
- CI/CD (GitHub Actions): use OIDC. Configure GitHub Actions as a trusted IdP in AWS/Azure, then assume an IAM role using a short-lived token: aws-actions/configure-aws-credentials@v4 with role-to-assume. No long-lived secrets needed.
- EC2/ECS/Lambda: use Instance Profiles / Task Roles, i.e. IAM roles attached to the compute resource; Terraform automatically picks up credentials from the metadata service.
- Kubernetes (EKS/GKE): Workload Identity (GKE) or IRSA (IAM Roles for Service Accounts on EKS): bind the Terraform runner's service account to a cloud IAM role.
- Terraform Cloud: configure dynamic provider credentials via OIDC for all major clouds.

The golden rule: no long-lived credentials stored in files, environment variables, or CI secrets. Use OIDC or instance roles wherever possible.
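The following is an added example, not part of the original answer, that puts the local-profile and GitHub Actions OIDC cases into one AWS provider configuration. The region, variable names, the role name and the org/repo values are assumptions (placeholders), and the GitHub OIDC identity provider is assumed to already exist in the account.

```hcl
# Local development: a named profile from ~/.aws/credentials. Leave it null in
# CI, on EC2/ECS or in Terraform Cloud so the default credential chain (OIDC
# token environment variables, instance metadata) is used instead.
variable "aws_profile" {
  type    = string
  default = null
}

# Hypothetical GitHub repository allowed to deploy (placeholders, not real values).
variable "github_org"  { type = string }
variable "github_repo" { type = string }

provider "aws" {
  region  = "eu-west-1"           # assumed region
  profile = var.aws_profile       # null means "not set": no profile is forced
}

# The GitHub OIDC identity provider is assumed to already exist in the account.
data "aws_iam_openid_connect_provider" "github" {
  url = "https://token.actions.githubusercontent.com"
}

# Role that the workflow assumes via aws-actions/configure-aws-credentials
# (role-to-assume). The trust policy pins both the audience and the
# repository/branch carried in the token's "sub" claim; without the "sub"
# condition, a workflow in any GitHub repository could assume this role.
resource "aws_iam_role" "terraform_ci" {
  name = "terraform-ci" # assumed role name

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Federated = data.aws_iam_openid_connect_provider.github.arn }
      Action    = "sts:AssumeRoleWithWebIdentity"
      Condition = {
        StringEquals = {
          "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
          "token.actions.githubusercontent.com:sub" = "repo:${var.github_org}/${var.github_repo}:ref:refs/heads/main"
        }
      }
    }]
  })
}
```

The role still needs a permissions policy attached for whatever Terraform manages; the trust policy above only decides who may assume it.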