Do not store secrets in templates. Assume every user has cleartext access to every template.
Coder's provisioner process needs to authenticate with cloud provider APIs to provision workspaces. You can either pass credentials to the provisioner as parameters or execute Coder in an environment that is authenticated with the cloud provider.
We encourage the latter where supported. This approach simplifies the template, keeps cloud provider credentials out of Coder's database (making it a less valuable target for attackers), and is compatible with agent-based authentication schemes (that handle credential rotation and/or ensure the credentials are not written to disk).
Cloud providers for which the Terraform provider supports authenticated environments include
Additional providers may be supported; check the documentation of the Terraform provider for details.
These generally work by making the credentials available to Coder either in a well-known location on disk (e.g. `~/.aws/credentials` for AWS on POSIX systems) or via environment variables. It is usually sufficient to authenticate using the cloud provider's CLI or SDK in the environment the provisioner runs in before starting Coder, but check the Terraform provider documentation for details.
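As an added example (not from the Coder documentation), here are the two approaches side by side in a Terraform template for AWS: the discouraged form passes the keys in as template variables, so their values land in Coder's database and are readable by anyone who can view the template; the encouraged form leaves the provider block free of credentials so the `aws` provider resolves them from the provisioner's own environment. The variable names and the region are assumptions for illustration.

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

# Discouraged: credentials supplied as template variables. Their values are
# stored alongside the template in Coder's database and are visible to every
# user with access to the template. Kept here only to show the pattern; remove
# both the variables and the commented provider block in a real template.
variable "aws_access_key_id" {
  type      = string
  sensitive = true
}
variable "aws_secret_access_key" {
  type      = string
  sensitive = true
}
# provider "aws" {
#   access_key = var.aws_access_key_id
#   secret_key = var.aws_secret_access_key
# }

# Encouraged: no credentials in the template at all. The provider picks them up
# from the environment the provisioner process runs in, in the AWS SDK's usual
# order: AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY (or AWS_PROFILE) environment
# variables, then ~/.aws/credentials, then an instance or container role. This
# also lets a role-based or agent-based setup rotate credentials without any
# change to the template or to Coder's database.
provider "aws" {
  region = "us-east-1" # assumed region
}
```

Authenticate the provisioner's environment (for example with `aws configure`, `aws sso login`, or by running on an instance with an IAM role) before starting Coder; the template itself then never needs to mention a key.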