gravitational/teleport-plugins

terraform provider loads `~/.tsh` profile creds by default

Closed this issue · 0 comments

Expected behavior:

I set my provider config to use an identity file generated by tbot:

provider "teleport" {
  # Update addr to point to your Teleport Cloud tenant URL's host:port
  addr               = "gavin-leaf.cloud.gravitational.io:443"
  identity_file_path = "./tbot-user/identity"
}

I expected terraform apply to use this credential for every API interaction.

I do not expect my ~/.tsh profile to have any effect on the terraform provider unless I've explicitly configured profile_dir or used the TF_TELEPORT_PROFILE_DIR env var.

Actual behavior:

terraform apply loads credentials from BOTH the identity file and from ~/.tsh if it exists (tsh profile).

Then the api client attempts to connect to the Teleport cluster using both credential sources simultaneously.

As a result, sometimes terraform <cmd> succeeds, and sometimes it would get an access denied error message, depending on which credential source "won" the connection race.

This was both extremely surprising and difficult to debug. I had to enable TF_LOG=DEBUG and search for the string Using profile as the default auth method (after reading our provider's source) to see it happening, as I noticed the intermittent failures only happened when I was logged into tsh.
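An added check for the behaviour described in this report (example code, not from the teleport-plugins project): `profile_creds_loaded` scans a TF_LOG=DEBUG capture for the provider message quoted above, and `run_isolated` points TF_TELEPORT_PROFILE_DIR at an empty temporary directory before running terraform. That an empty profile directory stops the provider from loading a tsh profile is an assumption; the sample log lines are constructed, and only the quoted provider message comes from the issue.

```shell
#!/bin/sh
# Added example, not code from teleport-plugins. Helpers for the report above:
# detect a tsh profile being loaded in a TF_LOG=DEBUG capture, and run terraform
# with the profile directory isolated so only the identity file should be used.

# Provider message quoted in the issue (seen with TF_LOG=DEBUG).
PROFILE_MSG='Using profile as the default auth method'

# $1 = path to a TF_LOG=DEBUG capture. Exit 0 if a profile was loaded, 1 if not.
profile_creds_loaded() {
  grep -q "$PROFILE_MSG" "$1"
}

# Writes a constructed capture to $1; $2 = "yes" to include the profile message.
# Surrounding lines are invented; only PROFILE_MSG comes from the issue.
make_sample_log() {
  {
    echo '2024-01-01T00:00:00.000Z [DEBUG] provider.terraform-provider-teleport: configuring client'
    if [ "$2" = "yes" ]; then
      echo "2024-01-01T00:00:00.001Z [DEBUG] provider.terraform-provider-teleport: $PROFILE_MSG"
    fi
    echo '2024-01-01T00:00:00.002Z [DEBUG] provider.terraform-provider-teleport: client ready'
  } > "$1"
}

# Runs terraform "$@" (e.g. plan or apply) with TF_TELEPORT_PROFILE_DIR, the
# variable the issue names, set to an empty directory so no ~/.tsh profile can be
# found (assumption: an empty profile dir disables profile loading). The debug
# log goes to TF_LOG_PATH and is checked afterwards for the profile message.
run_isolated() {
  capture=${TF_DEBUG_CAPTURE:-tf-debug.log}
  empty_profile_dir=$(mktemp -d)
  TF_TELEPORT_PROFILE_DIR="$empty_profile_dir" TF_LOG=DEBUG TF_LOG_PATH="$capture" terraform "$@"
  status=$?
  rm -rf "$empty_profile_dir"
  if profile_creds_loaded "$capture"; then
    echo "warning: provider still loaded a tsh profile despite isolation (see $capture)" >&2
  fi
  return "$status"
}
```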