Terraform user should be able to authenticate with OIDC
Actual Behavior
It's currently required to add password auth and a static username/password to a Boundary implementation which is 100% OIDC-driven. It would be much better to remove the existence of this static secret.
Perhaps this is indirectly supported by the token env variable, and just needs to be documented as such?
token (String) The Boundary token to use, as a string or path on disk containing just the string. If set, the token read here will be used in place of authenticating with the auth method specified in "auth_method_id", although the recovery KMS mechanism will still override this. Can also be set with the BOUNDARY_TOKEN environment variable.
Hi @jorhett, direct OIDC authentication is something we'd like to add to our Terraform Provider but there are a number of workarounds in the meantime:
- Adding a un/pw method, but as you pointed out this limits your environment to not being 100% OIDC driven.
- Passing a valid Boundary token to the provider after OIDC authentication, which you can read more about here. As part of OIDC authentication, a client's OIDC JWT token will be exchanged for a Boundary token which can be passed to the provider via the token field or via the BOUNDARY_TOKEN environment variable. You can access auth tokens via the CLI with boundary auth-tokens read.
Terraform Version
1.1.4
Affected Resource(s)
boundary provider
Terraform Configuration Files
N/A