jfrog / terraform-provider-platform

Terraform provider to manage JFrog Platform
https://jfrog.com
Apache License 2.0

Support for TFC Workload Identity Tokens #30

Closed davidcorrigan714 closed 3 months ago

davidcorrigan714 commented 4 months ago

Describe the solution you'd like

The provider should support authentication to Artifactory using a TFC Workload Identity Token. Essentially you set some environment variables, then TFC makes the token available to the provider during runtime. More details here.

Describe alternatives you've considered

Traditionally, manually managed tokens are provided to the provider for authentication. These OIDC tokens remove the burden of managing those tokens and mitigate some risks associated with any accidental or malicious leaks of those tokens.

alexhung commented 4 months ago

@davidcorrigan714 Thanks for the suggestion. I've added this to our plan.

davidcorrigan714 commented 4 months ago

Oh, one thing I've been pondering and haven't quite poked at yet is how OIDC is supposed to work across multiple nodes. For example, we essentially have a hub and spoke model with a main source node and a bunch of edge nodes, all configured with Terraform. Seems like the OIDC implementation doesn't work on edge nodes at all(?). So anything using OIDC will need to get a token from our main source node in order to then use it against the edge nodes, so everything using it now needs 2 URLs to operate: some sort of "token provider / authentication URL" and then the URL for actually fetching, which in our case is a single URL that lets Route53 return the closest edge node based on location.

davidcorrigan714 commented 4 months ago

I'm actually going to open an official support ticket on this cause it's a problem with the documented GitHub use case.