Securing Terraform Secrets with Vault v1 Secret Store Using LDAP authentication

Sometimes you have a Vault server where the only authentication option available to you is an LDAP user name and password. Here we demonstrate how you can use that LDAP login to pull Vault secrets into Terraform. Note: the following code fetches a secret from a KV v1 (version 1) secrets engine.

Vault provider used with an LDAP user name and password in Terraform to get a KV v1 secret

terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = ">= 3.15.0"
    }
  }
}

# Vault provider to use with username and password
provider "vault" {
  address          = "https://vault.localhost"
  skip_child_token = true
  auth_login {
    path       = "auth/ldap/login/${var.VAULT_USER}"
    parameters = { password = var.VAULT_PASSWORD }
  }
}

data "vault_generic_secret" "secret" {
  path = "kv-v1/full/path/to/secret/store"
}

# Use in code via data.vault_generic_secret.secret.data["some_key"]

variable "VAULT_PASSWORD" {
  type        = string
  sensitive   = true # keeps the password out of plan and apply output
  description = "Vault LDAP password, supplied through the TF_VAR_VAULT_PASSWORD environment variable"
}

variable "VAULT_USER" {
  type        = string
  description = "Vault LDAP user name, supplied through the TF_VAR_VAULT_USER environment variable"
}

export TF_VAR_VAULT_USER=username
export TF_VAR_VAULT_PASSWORD=somepassword
export VAULT_SKIP_VERIFY=1 # Only if the Vault TLS cert is self-signed: this disables certificate verification, so prefer pointing VAULT_CACERT at the signing CA instead
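The two Vault API calls that the auth_login block above performs (LDAP login, then a KV v1 read with the returned token used directly, which is the skip_child_token = true behaviour), as an added example that is not code from the original post or from the Vault provider. The address, user name, password and secret values are constructed, and fake_vault_transport stands in for a live server so the script runs offline.

```python
# Added example, not code from the original post or the Vault provider:
# the two HTTP calls behind auth_login for an LDAP user, then a KV v1 read
# using the login token directly (what skip_child_token = true does).
# Server address, user name, password and secret contents are constructed.
import json
import urllib.request


def ldap_login_request(address, username, password):
    """LDAP login: POST {address}/v1/auth/ldap/login/{username} with the password."""
    return f"{address.rstrip('/')}/v1/auth/ldap/login/{username}", {"password": password}


def kv_v1_read_request(address, token, secret_path):
    """KV v1 read: GET {address}/v1/{secret_path}, authenticated via X-Vault-Token."""
    return f"{address.rstrip('/')}/v1/{secret_path.strip('/')}", {"X-Vault-Token": token}


def fetch_kv_v1_secret(address, username, password, secret_path, transport):
    """Login then read via transport(method, url, headers, body) -> dict.
    Returns the secret's key/value map, the map Terraform exposes as
    data.vault_generic_secret.secret.data."""
    url, body = ldap_login_request(address, username, password)
    login = transport("POST", url, {"Content-Type": "application/json"}, body)
    token = login["auth"]["client_token"]  # sensitive: keep out of logs and state
    url, headers = kv_v1_read_request(address, token, secret_path)
    return transport("GET", url, headers, None)["data"]


def urllib_transport(method, url, headers, body):
    """Real transport for a live server; TLS is verified by urllib's defaults."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fake_vault_transport(method, url, headers, body):
    """Constructed offline stand-in that answers like a Vault server would."""
    if method == "POST" and url.endswith("/v1/auth/ldap/login/alice") and body == {"password": "s3cret"}:
        return {"auth": {"client_token": "hvs.CONSTRUCTED", "policies": ["default"]}}
    if (method == "GET" and url.endswith("/v1/kv-v1/full/path/to/secret/store")
            and headers.get("X-Vault-Token") == "hvs.CONSTRUCTED"):
        return {"data": {"some_key": "some_value"}, "lease_duration": 2764800}
    raise PermissionError(f"{method} {url}: permission denied")  # Vault answers 403 here


if __name__ == "__main__":
    print(fetch_kv_v1_secret("https://vault.localhost", "alice", "s3cret",
                             "kv-v1/full/path/to/secret/store", fake_vault_transport))
```

Against a real server, pass urllib_transport instead of fake_vault_transport; a wrong password or a token without read rights on the path surfaces as an HTTP 403 from Vault rather than a silently empty map.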
