Update HCP Terraform Secrets Engine docs to clarify API token types, scope limitations, and usage examples #1268
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
Author
|
resolves #1267 |
Contributor
Vercel Previews Deployed
|
Contributor
Broken Link CheckerNo broken links found! 🎉 |
schavis
requested changes
Nov 14, 2025
| HCP Terraform [Account | ||
| API](/terraform/cloud-docs/api-docs/account) to find the | ||
| desired User ID. | ||
| to determine the appropriate API token for use with the secret engine. |
Contributor
There was a problem hiding this comment.
Suggested change
| to determine the appropriate API token for use with the secret engine. | |
| to determine the appropriate API token for Terraform plugin. |
Comment on lines
+64
to
+66
| Vault issues dynamic Team API tokens by mapping a role to an existing HCP Terraform | ||
| team. Vault manages these tokens’ lifecycle and automatically expires them according | ||
| to the role’s `ttl` and `max_ttl`. |
Contributor
There was a problem hiding this comment.
Suggested change
| Vault issues dynamic Team API tokens by mapping a role to an existing HCP Terraform | |
| team. Vault manages these tokens’ lifecycle and automatically expires them according | |
| to the role’s `ttl` and `max_ttl`. | |
| Vault issues dynamic API tokens by mapping the Terrafrom role to an existing | |
| HCP Terraform team. Vault also manages the API token lifecycle and | |
| automatically expires the token according to the `ttl` and `max_ttl` | |
| settings on the role. |
Style correction: avoid possessives, reserve capitalization for product names
Comment on lines
+68
to
+73
| You will need to know the Team ID in order to generate Team API tokens for that team. You | ||
| can use the HCP Terraform Teams API to find the desired Team ID. To find the Team ID, use the | ||
| [HCP Terraform Teams API](https://developer.hashicorp.com/terraform/cloud-docs/api-docs/teams) | ||
| or navigate to the Teams section in the HCP Terraform UI. Similarly, to find a User ID, use the | ||
| [Account Details API](https://developer.hashicorp.com/terraform/cloud-docs/api-docs/account#show-the-current-user) | ||
| or check your user profile in the UI. |
Contributor
There was a problem hiding this comment.
Suggested change
| You will need to know the Team ID in order to generate Team API tokens for that team. You | |
| can use the HCP Terraform Teams API to find the desired Team ID. To find the Team ID, use the | |
| [HCP Terraform Teams API](https://developer.hashicorp.com/terraform/cloud-docs/api-docs/teams) | |
| or navigate to the Teams section in the HCP Terraform UI. Similarly, to find a User ID, use the | |
| [Account Details API](https://developer.hashicorp.com/terraform/cloud-docs/api-docs/account#show-the-current-user) | |
| or check your user profile in the UI. | |
| You need to know your Terraform team ID or user ID to generate API tokens | |
| for that client: | |
| - To find your team ID, use the | |
| [HCP Terraform Teams API](https://developer.hashicorp.com/terraform/cloud-docs/api-docs/teams) | |
| or navigate to the **Teams** section in the HCP Terraform GUI. | |
| - To find a user ID, use the | |
| [Account Details API](https://developer.hashicorp.com/terraform/cloud-docs/api-docs/account#show-the-current-user) | |
| or check your user profile in the HCP Terraform GUI. |
Style correction: write in active voice, reserve capitalization for product/endpoint names
|
|
||
| Generate a new credential by reading from the `/creds` endpoint with the name | ||
| of the role: | ||
| Generate a new token by reading from the `/creds` endpoint with the role name: |
Contributor
There was a problem hiding this comment.
Suggested change
| Generate a new token by reading from the `/creds` endpoint with the role name: | |
| Generate a new token by calling the `/creds` endpoint with the role name: |
Comment on lines
+112
to
+117
| ~> **IMPORTANT:** When selecting an anchor credential for the Terraform Secrets | ||
| Engine, choose a token whose scope matches your intended use case. For example, a | ||
| user token can only manage that user’s own resources, while a team token can manage | ||
| team-level resources or other teams’ tokens if the appropriate permissions are granted. | ||
| Using a token that is too narrowly scoped may prevent Vault from issuing tokens for your | ||
| intended workflows. |
Contributor
There was a problem hiding this comment.
Suggested change
| ~> **IMPORTANT:** When selecting an anchor credential for the Terraform Secrets | |
| Engine, choose a token whose scope matches your intended use case. For example, a | |
| user token can only manage that user’s own resources, while a team token can manage | |
| team-level resources or other teams’ tokens if the appropriate permissions are granted. | |
| Using a token that is too narrowly scoped may prevent Vault from issuing tokens for your | |
| intended workflows. | |
| When you select an anchor credential for the Terraform plugin, always choose a | |
| token with a scope that matches your intended use case. | |
| User tokens should only have permission to manage the resources owned by that | |
| user. Team tokens should only have permission to manage team-level resources | |
| owned by that team. Only create tokens with cross-team permissions when a more | |
| narrowly-defined scope prevents Vault from issuing appropriate tokens or | |
| interferes with your intended workflows. |
Style correction: write in active voice, provide explicit guidance whenever possible, avoid unnecessary callouts (warnings, tips, etc.)
Comment on lines
+158
to
+167
| Traditionally, Vault secrets engines create dynamic users and credentials for those users. | ||
| At this time, the HCP Terraform API does not support creating dynamic users. Instead, the | ||
| HCP Terraform secrets engine issues dynamic User API tokens by configuring a Vault role to | ||
| manage an existing HCP Terraform user. | ||
|
|
||
| Vault manages the lifecycle of these tokens and automatically expires them based on the | ||
| role’s configured `ttl` and `max_ttl`. Keep in mind that User API tokens are scoped to the | ||
| individual user account — they cannot create or manage tokens for other users. If you need | ||
| Vault to issue tokens that operate across teams or support automation workflows, use a team | ||
| API token instead. |
Contributor
There was a problem hiding this comment.
Suggested change
| Traditionally, Vault secrets engines create dynamic users and credentials for those users. | |
| At this time, the HCP Terraform API does not support creating dynamic users. Instead, the | |
| HCP Terraform secrets engine issues dynamic User API tokens by configuring a Vault role to | |
| manage an existing HCP Terraform user. | |
| Vault manages the lifecycle of these tokens and automatically expires them based on the | |
| role’s configured `ttl` and `max_ttl`. Keep in mind that User API tokens are scoped to the | |
| individual user account — they cannot create or manage tokens for other users. If you need | |
| Vault to issue tokens that operate across teams or support automation workflows, use a team | |
| API token instead. | |
| Traditionally, Vault secrets engines create dynamic users and credentials for those users. | |
| The HCP Terraform API does not support creating dynamic users so the Terraform | |
| plugin issues dynamic User API tokens by configuring Vault roles to manage | |
| existing HCP Terraform users. | |
| Vault manages the lifecycle of user tokens and automatically expires them based | |
| on the `ttl` and `max_ttl` values of the role. Vault scopes User API tokens to | |
| the individual user account. As a result, the associated account cannot create | |
| or manage tokens for other users. Use a team API token if you need Vault to | |
| issue tokens that operate across teams or support automation workflows. |
Style correction: avoid cross-sentence pronouns, avoid em dashes, avoid possessives
| API token instead. | ||
|
|
||
| Below is an example of creating a Vault role to manage manage User API tokens: | ||
| Below is an example of creating a Vault role to manage User API tokens: |
Contributor
There was a problem hiding this comment.
Suggested change
| Below is an example of creating a Vault role to manage User API tokens: | |
| The `terraform/role/{user}` endpoint can create a Vault role to manage User API tokens. For example: |
| taken according to `ttl` and `max_ttl` settings. In addition to that behavior, | ||
| using the `max_ttl` Vault will set an `ExpiredAt` date in HCP Terraform | ||
| which will ensure the token expires at the Max TTL time. This prevents | ||
| which will ensure the token expires at the `max_ttl` time. This prevents |
Contributor
There was a problem hiding this comment.
Suggested change
| which will ensure the token expires at the `max_ttl` time. This prevents | |
| which ensures that the token expires at the `max_ttl` time and prevents |
Style correction: write in active voice, avoid "this" as a pronoun
| collisions, the secret engine generates a random string as a suffix to the description. It is | ||
| highly recommended you set an additional description. | ||
| collisions, the secret engine generates a random string as a suffix to the description. | ||
| It is highly recommended you set an additional description. |
Contributor
There was a problem hiding this comment.
Suggested change
| It is highly recommended you set an additional description. | |
| We highly recommended setting an additional description. |
Style correction: write in active voice
| It is highly recommended you set an additional description. | ||
|
|
||
| Below is an example of creating a Vault role to manage manage Team API tokens: | ||
| Below is an example of creating a Vault role to manage Team API tokens: |
Contributor
There was a problem hiding this comment.
Suggested change
| Below is an example of creating a Vault role to manage Team API tokens: | |
| For example, to set a description when you create a Vault role to manage Team API tokens, use the `description` parameter: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This update revises the HCP Terraform Secrets Engine documentation to:
These changes improve accuracy and help prevent misconfiguration in real-world Vault deployments.