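The HCP provider accepts two forms of authentication: client credentials from a service principal key, or a user session obtained via browser login (after v0.45.0). Only one form is needed.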
Client credentials are recommended for CI and local development with the SDK or any tool consuming it.
The client_id and client_secret must come from a service principal key. Service principals and service principal keys can be created in the HCP portal with an existing user account. The service principal must be authorized to access the API. Initially, it has no permissions, so the IAM policy must be updated to grant it permissions.
Follow these steps to create a service principal with the Contributor role and a service principal key.
Once you have registered and logged into the HCP portal, navigate to the Access Control (IAM) page. Select the Service Principals tab and create a new service principal. Give it the role Contributor, since it will be writing resources.
Once the service principal is created, navigate to its detail page by selecting its name in the list. Create a new service principal key.
Save the client ID and secret as the environment variables HCP_CLIENT_ID and HCP_CLIENT_SECRET.
Or, configure the provider with the client ID and secret by copy-pasting the values directly into the provider config.
// Credentials can be set explicitly or via the environment variables HCP_CLIENT_ID and HCP_CLIENT_SECRET
provider "hcp" {
  client_id     = "service-principal-key-client-id"
  client_secret = "service-principal-key-client-secret"
}
HCP_CLIENT_ID="..."
HCP_CLIENT_SECRET="..."
When client credentials are set, they are always used by the HCP Provider client, regardless of an existing user session.
After v0.45.0, the HCP Provider supports a user session via browser login. A user session is ideal for getting started or one-off usage. It works for local development, but will periodically prompt for re-authentication.
To obtain user credentials, the client credential environment variables HCP_CLIENT_ID and HCP_CLIENT_SECRET must be unset.
Upon running terraform apply or terraform plan, your web browser will navigate to the HCP portal, where you will be prompted to log in. Once logged in, you may create new or manage existing resources fully authenticated. Your session will last 24 hours before prompting you to reauthenticate.
// If no credentials are set, a user session can be obtained through browser login.
provider "hcp" {}
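The following preflight check is an added example, not part of the HCP provider or its documentation. It reports which of the two authentication forms the environment selects under the rules above, and lists .tf files that assign client_secret a quoted literal. The function names are hypothetical, and it inspects only environment variables and files on disk, not what the provider does internally.

```shell
#!/bin/sh
# Added example: the function names below are hypothetical helpers.

# Print which authentication form the environment selects:
#   client-credentials  both variables set (used regardless of a user session)
#   user-session        both unset (browser login will be used)
#   partial             only one set; matches neither form described above
hcp_auth_mode() {
  if [ -n "${HCP_CLIENT_ID:-}" ] && [ -n "${HCP_CLIENT_SECRET:-}" ]; then
    echo "client-credentials"
  elif [ -z "${HCP_CLIENT_ID:-}" ] && [ -z "${HCP_CLIENT_SECRET:-}" ]; then
    echo "user-session"
  else
    echo "partial"
  fi
}

# List .tf files under a directory ($1, default ".") that assign client_secret
# a quoted literal. Unquoted references (var.hcp_client_secret) and strings
# containing "$" interpolation are not reported. Always returns 0.
hcp_hardcoded_secret_files() {
  find "${1:-.}" -type f -name '*.tf' -exec \
    grep -lE '^[[:space:]]*client_secret[[:space:]]*=[[:space:]]*"[^"$]+"' {} + || true
}

# Return 0 when both checks pass, 1 otherwise. Never prints secret values.
hcp_preflight() {
  dir="${1:-.}"
  mode="$(hcp_auth_mode)"
  status=0
  echo "auth mode from environment: $mode"
  if [ "$mode" = "partial" ]; then
    echo "set both HCP_CLIENT_ID and HCP_CLIENT_SECRET, or unset both" >&2
    status=1
  fi
  hits="$(hcp_hardcoded_secret_files "$dir")"
  if [ -n "$hits" ]; then
    echo "client_secret literal found in: $hits" >&2
    status=1
  fi
  return "$status"
}
```

Source the file and run hcp_preflight against the module directory before terraform plan; a non-zero status means either a half-set credential pair or a secret literal that would end up in version control.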