opentelekomcloud / terraform-provider-opentelekomcloud

Terraform OpenTelekomCloud provider
https://registry.terraform.io/providers/opentelekomcloud/opentelekomcloud/latest
Mozilla Public License 2.0

Terraform authentication with OIDC or SAML IdP #2265

Closed brunoagueda closed 1 year ago

brunoagueda commented 1 year ago

Hello all!

We want to use Azure AD accounts to run terraform projects, but in the documentation there is no mention of whether it is possible to authenticate in the OTC provider over SAML or OIDC. I found the issue #471 stating that it was not supported at that time and that the workaround would be issuing a token with the OpenStack CLI. Issuing a token works to authenticate on the Terraform provider, but I would like to know if SAML and/or OIDC is still not supported, and if this feature is something that can be implemented in the future or not.

Thanks in advance for the support

artem-lifshits commented 1 year ago

Hello @brunoagueda please check opentelekomcloud_identity_provider or opentelekomcloud_identity_provider_v3.

brunoagueda commented 1 year ago

Hello @artem-lifshits My question is about authenticating on the OTC terraform provider using an Azure AD account instead of an IAM account, not about creating the IdP with terraform. For example:

```hcl
provider "opentelekomcloud" {
  user_name   = var.user_name   # Azure AD account
  password    = var.password    # Azure AD account password
  domain_name = var.domain_name
  tenant_name = var.tenant_name
  auth_url    = var.url_iam
}
```

artem-lifshits commented 1 year ago

@brunoagueda there's no such feature at the moment. I will discuss with team if something like that is planned in the future.

brunoagueda commented 1 year ago

@artem-lifshits thanks for the feedback.

brunoagueda commented 1 year ago

Hello. We managed to use an AAD account to authenticate on the terraform provider with AK, SK and a security token:

```hcl
provider "opentelekomcloud" {
  auth_url       = var.otc_auth_url
  access_key     = var.otc_access_key
  secret_key     = var.otc_secret_key
  security_token = var.otc_security_token
  domain_name    = var.otc_domain_name
  tenant_name    = "${var.otcregion}${var.otc_project_name}"
}
```

The problem is that for a federated user the AK, SK and token are temporary, so we set up a scheduled job on our pipeline that runs every morning, generates a new set of credentials (valid for 24 hours) and updates the GitLab variables with the new values, all using the OpenStack, OTC and GitLab APIs. It is a bit of a complicated process, but it works. It would be better to use user and password, but I'm closing this topic since we have everything working.
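The rotation job described in the last comment, as an added example that is not part of the issue thread, the provider, or the author's pipeline. It assumes (all labelled assumptions, none confirmed by the thread): that the temporary credential is obtained from the IAM `securitytokens` endpoint with a Keystone token and that its response has the shape `{"credential": {"access", "secret", "securitytoken", "expires_at"}}`; that the CI variables are updated through the GitLab API `PUT /projects/:id/variables/:key`; and the variable names `TF_VAR_otc_*`, which are chosen here so Terraform picks them up as `var.otc_*`. The sample response is constructed with placeholder values. The check a practitioner wants on top of "run every morning" is the expiry margin: a pipeline started shortly before the 24-hour token expires would fail mid-apply, so `rotate` renews whenever less than the margin remains.

```python
"""Rotate a federated user's temporary AK/SK/security token into GitLab CI variables.

Added example, not code from the issue or the provider. Assumptions are marked ASSUMPTION.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List

# Constructed sample of a securitytokens response; values are placeholders, not real credentials.
# ASSUMPTION: response shape {"credential": {"access", "secret", "securitytoken", "expires_at"}}.
SAMPLE_RESPONSE = json.dumps({
    "credential": {
        "access": "AKEXAMPLE0000000",
        "secret": "SKEXAMPLE000000000000000000000000",
        "securitytoken": "gQpjbi1ub3J0aC0xEXAMPLETOKEN",
        "expires_at": "2024-05-02T07:30:00.000000Z",
    }
})

# ASSUMPTION: CI variable names; TF_VAR_x is read by Terraform as var.x, matching the provider block.
VARIABLE_MAP = {
    "access": "TF_VAR_otc_access_key",
    "secret": "TF_VAR_otc_secret_key",
    "securitytoken": "TF_VAR_otc_security_token",
}


def parse_iso(ts: str) -> datetime:
    """Parse the UTC timestamp format used in the sample response into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def parse_credential(body: str) -> Dict[str, object]:
    """Extract AK, SK, security token and expiry from a securitytokens response body."""
    cred = json.loads(body)["credential"]
    return {
        "access": cred["access"],
        "secret": cred["secret"],
        "securitytoken": cred["securitytoken"],
        "expires_at": parse_iso(cred["expires_at"]),
    }


def needs_rotation(expires_at: datetime, now: datetime, margin: timedelta = timedelta(hours=2)) -> bool:
    """True when less than `margin` of validity is left, i.e. a pipeline started now could outlive it."""
    return now + margin >= expires_at


def fetch_security_token(auth_url: str, keystone_token: str, duration_seconds: int = 86400) -> str:
    """ASSUMPTION: POST {auth_url}/v3.0/OS-CREDENTIAL/securitytokens exchanging a Keystone token
    for a temporary AK/SK/security token. Network call; not exercised by the tests."""
    body = {"auth": {"identity": {"methods": ["token"],
                                  "token": {"id": keystone_token, "duration-seconds": duration_seconds}}}}
    req = urllib.request.Request(f"{auth_url}/v3.0/OS-CREDENTIAL/securitytokens",
                                 data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def gitlab_variable_payloads(cred: Dict[str, object]) -> List[Dict[str, object]]:
    """One PUT body per CI variable; masked and protected so values stay out of job logs
    and off unprotected branches. Masked values must satisfy GitLab's masking rules."""
    return [{"key": var, "value": cred[field], "masked": True, "protected": True}
            for field, var in VARIABLE_MAP.items()]


def put_gitlab_variable(base_url: str, project_id: str, api_token: str, payload: Dict[str, object]) -> int:
    """PUT /projects/:id/variables/:key (GitLab API); returns the HTTP status. Network call."""
    req = urllib.request.Request(f"{base_url}/api/v4/projects/{project_id}/variables/{payload['key']}",
                                 data=json.dumps(payload).encode(), method="PUT",
                                 headers={"PRIVATE-TOKEN": api_token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def rotate(fetch_credential: Callable[[], str], push_variable: Callable[[Dict[str, object]], object],
           now: datetime, current_expiry: datetime) -> List[str]:
    """Renew only when the current credential is near expiry; returns the variable keys updated.
    fetch/push are injected so the flow can be run against fakes (as in the test) or the real APIs."""
    if not needs_rotation(current_expiry, now):
        return []
    cred = parse_credential(fetch_credential())
    updated = []
    for payload in gitlab_variable_payloads(cred):
        push_variable(payload)
        updated.append(payload["key"])
    return updated


if __name__ == "__main__":
    # Offline demo against the constructed sample; a real job would pass fetch_security_token
    # and put_gitlab_variable bound to the IAM endpoint and the GitLab project.
    expiry = parse_credential(SAMPLE_RESPONSE)["expires_at"]
    pushed: List[Dict[str, object]] = []
    keys = rotate(lambda: SAMPLE_RESPONSE, pushed.append, parse_iso("2024-05-02T06:00:00.000000Z"), expiry)
    print("updated:", keys)
```

In a real pipeline the previous expiry would be stored alongside the variables (for example as a fourth CI variable) so the job can decide whether to rotate at all; the GitLab token used to write the variables should itself be a scoped project access token with only the `api` permission it needs.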