Manually Generating Workload Identity Tokens
Important: Make sure your agents are running version v1.7.0 or later.
If required for custom auth workflows or to perform auth with providers that are not natively supported by dynamic credentials, you can request that Terraform Cloud inject a workload identity token into the run environment for usage in agent hooks.
Configure Terraform Cloud
Required Environment Variables
You’ll need to set the following environment variable in your Terraform Cloud workspace in order to have Terraform Cloud inject a workload identity token into the run environment. You can set this as a workspace variable, or if you’d like to inject tokens with the same audience value across multiple workspaces, you can use a variable set.
| Variable | Value | Notes |
|---|---|---|
TFC_WORKLOAD_IDENTITY_AUDIENCE | The desired value for the token’s audience. | Must be present and set or Terraform Cloud will not inject a workload identity token into the run environment. |
Configure Agent Hooks
After you've set the TFC_WORKLOAD_IDENTITY_AUDIENCE variable, each plan and apply will have a TFC_WORKLOAD_IDENTITY_TOKEN variable available in the run environment, which contains a workload identity token.
You can use this environment variable in custom agent hooks to enable custom auth workflows or to perform auth with providers which are not natively supported by dynamic credentials.