Vault-Backed AWS Authentication Fails When Using Only Alias-Based Vault Credentials in Terraform Enterprise

Avatar
Harshit Dixit
  • Updated

 

Problem

When using Vault-backed AWS dynamic credentials in Terraform Enterprise (TFE) with only alias-based configurations and no default Vault dynamic credentials, AWS authentication fails during workspace runs with the error:

configuration for Vault authentication is required for Vault-backed AWS authentication


Prerequisites

  • Vault dynamic credentials configured using tfc_vault_dynamic_credentials

  • AWS dynamic credentials configured using tfc_vault_backed_aws_dynamic_credentials

  • Use of aliases for Vault and AWS configurations

  • Default Vault dynamic credential variables are not defined

Cause

Vault dynamic credentials and Vault-backed AWS dynamic credentials are configured independently in Terraform Enterprise.

When Vault-backed AWS authentication is used, Terraform Enterprise must resolve which Vault configuration (address, namespace, token file) to use.
If no explicit mapping is provided, TFE falls back to the default Vault configuration.

When all default Vault dynamic credential variables are removed and no mapping variable is set, Terraform Enterprise cannot resolve a Vault authentication configuration, resulting in the authentication failure.
 

Solutions:

Explicitly map the AWS dynamic credentials to a Vault alias key using workspace environment variables:

  • TFC_VAULT_BACKED_AWS_VAULT_CONFIG

  • TFC_VAULT_BACKED_AWS_VAULT_CONFIG_<TAG>

The value must:

  • Match the key defined in tfc_vault_dynamic_credentials.aliases

  • Be case-sensitive

  • Not be the Terraform provider alias

Example
If your tfc_vault_dynamic_credentials.aliases has "DEVOPS" and "STORAGE", and you want both AWS providers to use "DEVOPS"
 

TFC_VAULT_BACKED_AWS_VAULT_CONFIG=DEVOPS
TFC_VAULT_BACKED_AWS_VAULT_CONFIG_secondary=DEVOPS

If you want to use "STORAGE" for the default and "DEVOPS" for the secondary:

TFC_VAULT_BACKED_AWS_VAULT_CONFIG=STORAGE
TFC_VAULT_BACKED_AWS_VAULT_CONFIG_secondary=DEVOPS


Outcome

  • AWS authentication via Vault succeeds without default Vault dynamic credentials

  • Multiple Vault namespaces and AWS providers can be used simultaneously

  • Explicit configuration mapping prevents fallback dependency on default variables

  • Workspace runs complete successfully

Additional Information

Articles in this section

See more