Authentication & Secrets

Authentication & Secrets

Do not store secrets in templates. Assume every user has cleartext access to every template.

Coder's provisioner process needs to authenticate with cloud provider APIs to provision workspaces. You can either pass credentials to the provisioner as parameters or execute Coder in an environment that is authenticated with the cloud provider.

We encourage the latter where supported. This approach simplifies the template, keeps cloud provider credentials out of Coder's database (making it a less valuable target for attackers), and is compatible with agent-based authentication schemes (that handle credential rotation and/or ensure the credentials are not written to disk).

Cloud providers for which the Terraform provider supports authenticated environments include

Additional providers may be supported; check the documentation of the Terraform provider for details.

The way these generally work is via the credentials being available to Coder either in some well-known location on disk (e.g. ~/.aws/credentials for AWS on posix systems), or via environment variables. It is usually sufficient to authenticate using the CLI or SDK for the cloud provider before running Coder for this to work, but check the Terraform provider documentation for details.

See an opportunity to improve our docs? Make an edit.