User-based provider credentials #5139

Closed
dklesev opened this issue Nov 20, 2022 · 3 comments
dklesev commented Nov 20, 2022

Currently, to be able to upload a template, it seems to be required to have credentials preset for the used providers (e.g. AWS with AWS_ACCESS_KEY_ID and so on).

Will there be an option to let the user set those values on workspace creation? Or is this already possible?

Anything I try results in something like this:

```
Error: key (), secret are missing, or config file not found within: /tmp/provisionerd893460570/cloudstack.ini, /tmp/provisionerd893460570/cloudstack.ini, /.cloudstack.ini
```

Use-case: one team writes templates and offers them for usage (like a template provider) and any user can run them in his own account. Provider credentials could be preset in the user profile.

bpmct (Member) commented Nov 20, 2022

Hey @dklesev. You can use variables in Terraform as workspace-scoped parameters if you set sensitive = false. Then, you can pass that variable into the provider block.

This allows users to specify unique AWS access keys when creating workspaces. I haven't tested this so there may be typos, but here's the general structure:

```hcl
variable "aws_access_key_id" {
  sensitive = false
}
variable "aws_secret_key_id" {
  sensitive = false
}

variable "region" {
  sensitive = false
}

provider "aws" {
  region     = var.region
  access_key = var.aws_access_key_id
  secret_key = var.aws_secret_key_id
}
```

bpmct (Member) commented Nov 20, 2022

One downside of using sensitive = false is the users' access key may be revealed in the build logs (something you should confirm to be sure). However, we are using sensitive = true to indicate that the variable is scoped for the entire template.

We plan on using a separate resource for parameters for more flexibility (e.g. "workspace-scoped AND sensitive") in #4311, but this is a WIP.
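
A way to carry out the confirmation suggested in the comment above (whether keys entered as workspace parameters end up in build logs), added here as an example and not code from the thread or from the project: the function scans log text for the exact values a user entered and for the AWS access key ID format, and redacts what it reports. The function names, the `known_values` argument and the sample log are assumptions; the log lines are constructed and use the placeholder key pair from AWS documentation.

```python
import re

# AWS access key IDs are 20 characters: "AKIA" (long-term) or "ASIA"
# (temporary) followed by 16 uppercase letters or digits.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

# Constructed log lines (not real build output); the key pair is the
# placeholder pair used in AWS documentation.
SAMPLE_LOG = """\
Initializing provider plugins...
[debug] aws_access_key_id=AKIAIOSFODNN7EXAMPLE
[debug] aws_secret_key_id=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[debug] region=eu-central-1
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
"""


def redact(value):
    """Keep four characters so a finding can be tied to a key, mask the rest."""
    return value[:4] + "*" * 8


def find_credential_leaks(log_text, known_values=None):
    """Return (line_no, kind, redacted_line) for each credential seen in a log.

    known_values (hypothetical argument) maps a variable name to the value the
    user entered. Exact matching is what catches the secret key, which has no
    recognisable prefix.
    """
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        kinds, safe = [], line
        for name, value in (known_values or {}).items():
            if value and value in safe:
                kinds.append(name)
                safe = safe.replace(value, redact(value))
        for match in ACCESS_KEY_ID_RE.findall(safe):
            kinds.append("access_key_id_pattern")
            safe = safe.replace(match, redact(match))
        findings.extend((line_no, kind, safe) for kind in kinds)
    return findings


if __name__ == "__main__":
    secret = {"aws_secret_key_id": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}
    for finding in find_credential_leaks(SAMPLE_LOG, secret):
        print(finding)
```

Run without `known_values`, the scan reports only the access key ID line, so pass the values under test when checking for the secret key.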

dklesev (Author) commented Nov 20, 2022

Thanks, seems to work, just missed the sensitive = false part.
Already excited for the new feature!

dklesev closed this as completed Nov 20, 2022