Skip to main content

Credentials Helpers

For OpenTF-specific features that interact with remote network services, such as module registries, OpenTF by default looks for API credentials to use in these calls in the CLI configuration.

Credentials helpers offer an alternative approach that allows you to customize how OpenTF obtains credentials using an external program, which can then directly access an existing secrets management system in your organization.

This page is about how to write and install a credentials helper. To learn how to configure a credentials helper that was already installed, see the CLI config Credentials Helpers section.

How OpenTF finds Credentials Helpers

A credentials helper is a normal executable program that is installed in a particular location and whose name follows a specific naming convention.

A credentials helper called "credstore", for example, would be implemented as an executable program named terraform-credentials-credstore (with an .exe extension on Windows only), and installed in one of the default plugin search locations.

How OpenTF runs Credentials Helpers

Once OpenTF has located the configured credentials helper, it will execute it once for each credentials request that cannot be satisfied by a credentials block in the CLI configuration.

For the following examples, we'll assume a "credstore" credentials helper configured as follows:

credentials_helper "credstore" {
args = ["--host=credstore.example.com"]
}

OpenTF runs the helper program with each of the arguments given in args, followed by an verb and then the hostname that the verb will apply to. The current set of verbs are:

  • get: retrieve the credentials for the given hostname
  • store: store new credentials for the given hostname
  • forget: delete any stored credentials for the given hostname

To represent credentials, the credentials helper protocol uses a JSON object whose contents correspond with the contents of credentials blocks in the CLI configuration. To represent an API token, the object contains a property called "token" whose value is the token string:

{
"token": "example-token-value"
}

The following sections describe the specific expected behaviors for each of the three verbs.

get: retrieve the credentials for the given hostname

To retrieve credentials for app.example.io, OpenTF would run the "credstore" helper as follows:

terraform-credentials-credstore --host=credstore.example.com get app.example.io

If the credentials helper is able to provide credentials for the given host then it must print a JSON credentials object to its stdout stream and then exit with status code zero to indicate success.

If the credentials helper definitively has no credentials for the given host, then it must print an empty JSON object to stdout and exit with status zero.

If the credentials helper is unable to provide the requested credentials for any other reason, it must print an end-user-oriented plain text error message to its stderr stream and then exit with a non-zero status code.

store: store new credentials for the given hostname

To store new credentials for app.example.io, OpenTF would run the "credstore" helper as follows:

terraform-credentials-credstore --host=credstore.example.com store app.example.io

OpenTF then writes a JSON credentials object to the helper program's stdin stream. If the helper is able to store the given credentials then it must do so and then exit with status code zero and no output on stdout or stderr to indicate success.

If it is unable to store the given credentials for any reason, it must still fully read its stdin until EOF and then print an end-user-oriented plain text error message to its stderr stream before exiting with a non-zero status code.

The new credentials must fully replace any existing credentials stored for the given hostname.

forget: delete any stored credentials for the given hostname

To forget any existing credentials for app.example.io, OpenTF would run the "credstore" helper as follows:

terraform-credentials-credstore --host=credstore.example.com forget app.example.io

No JSON credentials objects are used for the forget verb.

If the helper program is able to delete its stored credentials for the given hostname or if there are no such credentials stored already then it must exist with status code zero and produce no output on stdout or stderr.

If it is unable to forget the stored credentials for any reason, particularly if the helper cannot be sure that the credentials are no longer available for retrieval, the helper program must print an end-user-oriented plain text error message to its stderr stream and then exit with a non-zero status code.

Handling Other Commands

The credentials helper protocol may be extended with additional verbs in future, so for forward-compatibility a credentials helper must react to any unsupported verb by printing an end-user-oriented plain text error message to its stderr stream and then exiting with a non-zero status code.

Handling Unsupported Credentials Object Properties

OpenTF defines only the token property within JSON credentials objects.

If a credentials helper is asked to store an object that has any properties other than token and if it is not able to faithfully retain them then it must behave as if the object is unstorable, returning an error. It must not store the token value in isolation and silently drop other properties, as that might change the meaning of the credentials object.

If technically possible within the constraints of the target system, a credentials helper should prefer to store the whole JSON object as-is for later retrieval. For systems that are more constrained, it's acceptable to store only the token string so long as the program rejects objects containing other properties as described above.

Installing a Credentials Helper

OpenTF does not have any automatic installation mechanism for credentials helpers. Instead, the user must extract the helper program executable into one of the default plugin search locations.

If you are packaging a credentials helper for distribution, place it in an named with the expected naming scheme (terraform-credentials-example) and, if the containing archive format supports it and it's meaningful for the target operating system, mark the file as executable to increase the chances that it will work immediately after extraction.

OpenTF does not honor the -plugin-dir argument to opentf init when searching for credentials helpers, because credentials are also used by other commands that can be run prior to opentf init. Only the default search locations are supported.