Terrakube
Home
2.21.0
2.21.0
  • Introduction
  • Updates
  • Getting started
    • 📐Architecture
    • 🔐Security
    • 🚀Getting Started
    • 💿Docker Images
    • 🌐Docker Compose
    • 🚗Docker Compose + Traefik
    • 📥Deployment
      • 🔨Helm Chart
      • 🚀Minikube
      • 🔑Minikube + HTTPS
      • ✈️Ingress Configuration
      • 🔐User Authentication (DEX)
      • 💾Storage backend
        • Azure Storage Account
        • Amazon Cloud Storage
        • Google Cloud Storage
        • Minio (S3 compatible)
      • 🛰️Database Backend
        • SQL Azure
        • PostgreSQL
        • MySQL
        • H2
      • 🔐Custom CA Certs
      • ⚙️Custom Terraform CLI Builds
      • 👮Self-Hosted Agents
      • 📶Proxy Configuration
      • 🛡️Token Security
      • 🚦Open Telemetry
    • 🤵User Management
      • Azure Active Directory
      • Google Cloud Identity
      • Amazon Cognito
      • Github
  • 📓User Guide
    • Organizations
      • Creating an Organization
      • Global Variables
      • Team Management
      • API Tokens
      • Templates
        • Default Templates
        • Persistent Context
        • Import Templates
        • UI Templates
        • Filter global variables in jobs
        • Template Scheduling in Jobs
      • Tags
    • VCS Providers
      • Github
      • Github Enterprise
      • GitLab
      • Gitlab EE and CE
      • Bitbucket
      • Azure DevOps
      • SSH
    • Workspaces
      • Overview
      • Creating Workspaces
      • Terraform State
      • Share Workspace State
      • Variables
      • Dynamic Provider Credentials
        • AWS Dynamic Provider Credentials
        • Azure Dynamic Provider Credentials
        • GCP Dynamic Provider Credentials
      • Workspace scheduler
      • API-driven Workflow
      • CLI-driven Workflow
      • Ephemeral Workspaces
      • Actions
        • Developing Actions
          • Quick start
          • Display Criteria
          • Action Types
          • Action Context
          • Action Proxy
        • Built-in Actions
          • Open Documentation
          • Resource Details
          • Open in Azure Portal
          • Restart Azure VM
          • Azure Monitor
          • Open AI
    • Private Registry
      • Publishing Private Modules
      • Using Private Modules
    • Policy Enforcement (OPA)
    • Cost Estimation
    • Drift Detection
    • CI/CD Integration
      • Github Actions
      • Bitbucket
    • Terrakube CLI
      • Getting started
      • Installation
      • Commands
        • terrakube login
        • terrakube logout
        • terrakube organization
          • organization list
          • organization create
          • organization update
          • organization delete
        • terrakube team
          • team list
          • team create
          • team update
          • team delete
        • terrakube workspace
          • workspace list
          • workspace create
          • workspace update
          • workspace delete
          • workspace variable
            • variable list
        • terrakube variable
          • variable update
          • variable delete
          • variable create
        • terrakube job
          • job list
          • job create
        • terrakube module
          • module list
          • module create
          • module update
          • module delete
    • Reference
      • Executor
        • Terraform Execution Flow
        • Terraform Versions
    • Migrating to Terrakube
  • 🎓Learn
    • What is Terrakube
      • Section Overview
      • Terraform in a Nutshell
      • Terraform Challenges at Enterprise Level
      • Introducing Terrakube
      • Summary and Up Next
    • Deploying using Terrakube
  • 📖API
    • 🌟Getting started
    • ⚙️Methods
      • Globalvar
      • Organization
      • Teams
      • Workspace
      • Variables
      • History
      • Jobs
      • Template
      • Schedule
      • Step
      • Module
      • Vcs
      • Provider
      • Personal Access Token
      • Team API Tokens
      • SSH Key
      • Agent
Powered by GitBook
On this page
  • Generate Public and Private Key.
  • Public Endpoints Requirements
  • Terrakube Environment Variables:
  • Token structure

Was this helpful?

Edit on GitHub
Export as PDF
  1. User Guide
  2. Workspaces

Dynamic Provider Credentials

This feature is available from version 2.21.0

Generate Public and Private Key.

To use Dynamic Provider credentials we need to genera a public and private key that will be use to generate a validate the federated tokens, we can use the following commands

openssl genrsa -out private_temp.pem 2048
openssl rsa -in private_temp.pem -outform PEM -pubout -out public.pem

You need to make sure the private key starts with "-----BEGIN PRIVATE KEY-----" if not the following command can be used to transform the private key to the correct format

openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in private_temp.pem -out private.pem

The public and private key need to be mounted inside the container and the path should be specify in the following environment variables

  • DynamicCredentialPublicKeyPath

  • DynamicCredentialPrivateKeyPath

Public Endpoints Requirements

To use Dynamic Provider credentials the following public endpoints were added. This endpoint needs to be accessible for your different cloud providers.

GET https://TERRAKUBE.MYSUPERDOMAIN.COM/.well-known/openid-configuration
{
  "issuer": "https://TERRAKUBE.MYSUPERDOMAIN.COM",
  "jwks_uri": "https://TERRAKUBE.MYSUPERDOMAIN.COM/.well-known/jwks",
  "response_types_supported": [
    "id_token"
  ],
  "claims_supported": [
    "sub",
    "aud",
    "exp",
    "iat",
    "iss",
    "jti",
    "terrakube_workspace_id",
    "terrakube_organization_id",
    "terrakube_job_id"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "scopes_supported": [
    "openid"
  ],
  "subject_types_supported": [
    "public"
  ]
}
GET https://TERRAKUBE.MYSUPERDOMAIN.COM/.well-known/jwks
{
  "keys": [
    {
      "kty": "RSA",
      "use": "sig",
      "n": "ALEzGE4Rn2WhxOhIuXAzq7e-WvRLCJfoqrHMUXtpt6gefNmWGo9trbea84KyeKdvzE9wBwWxnz_U5d_utmLLztVA2FLdDfnndh7pF4Fp7hB-lhaT1hV2EsiFsc9oefCYmkzXmHylfNQOuqNlRA_2Xu5pHovrF79WW01hWSjhGTkpj6pxFG4t7Tl54SWnJ83CvGDAKuoO9c1M1iTKikB3ENMK8WfU-wZJ4oLTAfhSydqZxZuGRhiwPGsEQOpRynyHJ54XWZHmFdsWs_eGRsfs1iTPbiQSBZbaEwz36HF4QdqFzzLGd67sTtZku_YEsUbJW8cbK6nOFEdR0BSTtSV-lPk=",
      "e": "AQAB",
      "kid": "03446895-220d-47e1-9564-4eeaa3691b42",
      "alg": "RS256"
    }
  ]
}

Terrakube Environment Variables:

The following environment variables can be used to customize the dynamic credentials configuration:

  • DynamicCredentialId = This will be the kid in the JWKS endpoint (Default value: 03446895-220d-47e1-9564-4eeaa3691b42)

  • DynamicCredentialTtl= The TTL for the federated token generated internally in Terrakube (Defafult: 30)

  • DynamicCredentialPublicKeyPath= The path to the public key to validate the federated tokens

  • DynamicCredentialPrivateKeyPath=The path to the private key to generate the federated tokens

Token structure

Terrakube will generate a JWT token internally, this token will be used to authenticate to your cloud provider.

The token structure looks like the following for Azure

JWT HEADER
{
  "kid": "12345",
  "alg": "RS256"
}
JWT BODY
{
  "sub": "organization:TERRAKUBE_ORG_NAME:workspace:TERRAKUBE_WORKSPACE_NAME",
  "aud": "api://AzureADTokenExchange",
  "jti": "12345678",
  "terrakube_workspace_id": "1",
  "terrakube_organization_id": "2",
  "terrakube_job_id": "3",
  "iat": 1713397293,
  "iss": "https://terrakube-api.example.com",
  "exp": 1713397353
}
SIGNATURE

The token structure looks like the following for GCP

JWT HEADER
{
  "kid": "03446895-220d-47e1-9564-4eeaa3691b42",
  "alg": "RS256"
}
JWT BODY
{
  "sub": "organization:TERRAKUBE_ORG_NAME:workspace:TERRAKUBE_WORKSPACE_NAME",
  "aud": "https://iam.googleapis.com/projects/xxxxx/locations/global/workloadIdentityPools/xxxxx/providers/xxxxx",
  "jti": "d4432299-5dad-4b1e-9756-544639e84cec",
  "terrakube_workspace_id": "d9b58bd3-f3fc-4056-a026-1163297e80a8",
  "terrakube_organization_id": "8abe206b-29a8-4ed8-8a3b-30237e295659",
  "terrakube_job_id": "1",
  "iat": 1713915600,
  "iss": "https://terrakube-api.example.com",
  "exp": 1713917400
}
SIGNATURE

The token structure looks like the following for AWS

JWT HEADER
{
  "kid": "03446895-220d-47e1-9564-4eeaa3691b42",
  "alg": "RS256"
}
JWT BODY
{
  "sub": "organization:TERRAKUBE_ORG_NAME:workspace:TERRAKUBE_WORKSPACE_NAME",
  "aud": "aws.workload.identity",
  "jti": "d4432299-5dad-4b1e-9756-544639e84cec",
  "terrakube_workspace_id": "d9b58bd3-f3fc-4056-a026-1163297e80a8",
  "terrakube_organization_id": "8abe206b-29a8-4ed8-8a3b-30237e295659",
  "terrakube_job_id": "1",
  "iat": 1713915600,
  "iss": "https://terrakube-api.example.com",
  "exp": 1713917400
}
SIGNATURE
PreviousVariablesNextAWS Dynamic Provider Credentials

Last updated 11 months ago

Was this helpful?

📓