The Centrify provider is used to interact with the resources in Centrify Vault. It also allows other Terraform providers to retrieve vaulted passwords or secrets from Centrify Vault.
Use the navigation to the left to read about the available resources.
Use the special `terraform` configuration block type to configure some behaviors of Terraform itself, such as the provider source and minimum version.
```hcl
terraform {
  required_providers {
    centrifyvault = {
      source = "marcozj/centrifyvault"
    }
  }
}
```
The provider needs to be configured with the proper credentials before it can be used.
```hcl
# Configure CentrifyVault Provider to use OAuth client id and credential authentication
provider "centrifyvault" {
  url      = "https://<tenantid>.my.centrify.net"
  appid    = "<YOUR APPLICATION ID>"
  scope    = "<YOUR OAUTH2 SCOPE>"
  username = "<YOUR OAUTH2 CLIENT ID>"
  password = "<YOUR OAUTH2 CLIENT CREDENTIAL>"
}

# Configure CentrifyVault Provider to use OAuth2 token authentication
provider "centrifyvault" {
  url   = "https://<tenantid>.my.centrify.net"
  appid = "<YOUR APPLICATION ID>"
  scope = "<YOUR OAUTH2 SCOPE>"
  token = "<YOUR OAUTH2 TOKEN>"
}

# Configure CentrifyVault Provider to use DMC authentication
# The host on which terraform is run must have Centrify Client installed and enrolled into Centrify Vault
provider "centrifyvault" {
  url     = "https://<tenantid>.my.centrify.net"
  scope   = "<YOUR DMC SCOPE>"
  use_dmc = true
}
```
The provider supports two authentication methods: OAuth2 (either a client ID and credential, or a pre-issued token) and DMC.

- `url` - (Required) This is the cloud tenant or on-prem PAS URL, for example `https://abc1234.my.centrify.net`. It must be provided, but it can also be sourced from the `VAULT_URL` environment variable.
- `appid` - (Optional) This is the OAuth application ID configured in Centrify Vault. It must be provided if `use_dmc` isn't set to `true`. It can also be sourced from the `VAULT_APPID` environment variable.
- `scope` - (Required) This is either the OAuth or DMC scope. It must be provided, but it can also be sourced from the `VAULT_SCOPE` environment variable.
- `token` - (Optional) This is the OAuth token. It can also be sourced from the `VAULT_TOKEN` environment variable.
- `username` - (Optional) Authorized user to retrieve the OAuth token. It can also be sourced from the `VAULT_USERNAME` environment variable. If `token` is provided, this argument is ignored.
- `password` - (Optional) Authorized user's password for retrieving the OAuth token. It can also be sourced from the `VAULT_PASSWORD` environment variable. If `token` is provided, this argument is ignored.
- `use_dmc` - (Optional) Whether to use DMC authentication. It can also be sourced from the `VAULT_USEDMC` environment variable. The default is `false`. If this is set to `true`, the `appid`, `token`, `username` and `password` arguments are ignored.
- `skip_cert_verify` - (Optional) Whether to skip certificate validation. It is used for testing against an on-prem PAS deployment which uses a self-signed certificate. It can also be sourced from the `VAULT_SKIPCERTVERIFY` environment variable. The default is `false`.
- `log_level` - (Optional) Log level. Can be set to `fatal`, `error`, `info`, or `debug`. It can also be sourced from the `VAULT_LOGLEVEL` environment variable. The default is `error`.
- `logpath` - (Optional) If specified, logging information is written to the file. It can also be sourced from the `VAULT_LOGPATH` environment variable.
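The argument reference above describes a precedence chain (explicit argument, then `VAULT_*` environment variable, then default) and several mutual-exclusion rules (`use_dmc` disables the OAuth arguments, `token` makes `username`/`password` irrelevant). The following Go program is an added example, not code from the provider, that resolves a configuration the way those rules describe, so you can check how a given mix of HCL arguments and environment variables will be interpreted before running `terraform plan`. The `Config` type, the `Resolve` function, the `AuthMethod` labels and the sample values are this example's own assumptions; in addition, it treats a missing `username`/`password` pair as an error when neither `token` nor `use_dmc` is set, which is an assumption about what the provider needs rather than something the page states. Keeping `password` and `token` in the environment, as the sample does, keeps them out of committed `.tf` files.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Config is the resolved provider configuration. Field and label names are
// this example's assumptions, not the provider's own types.
type Config struct {
	URL, AppID, Scope, Token, Username, Password string
	UseDMC, SkipCertVerify                       bool
	LogLevel, LogPath                            string
	AuthMethod                                   string // "dmc", "token" or "client_credentials"
}

// envNames maps each provider argument to the environment variable the
// argument reference says can supply it.
var envNames = map[string]string{
	"url": "VAULT_URL", "appid": "VAULT_APPID", "scope": "VAULT_SCOPE",
	"token": "VAULT_TOKEN", "username": "VAULT_USERNAME", "password": "VAULT_PASSWORD",
	"use_dmc": "VAULT_USEDMC", "skip_cert_verify": "VAULT_SKIPCERTVERIFY",
	"log_level": "VAULT_LOGLEVEL", "logpath": "VAULT_LOGPATH",
}

// lookup returns the explicit argument when set, otherwise the env var value
// (empty string when neither is present).
func lookup(args, env map[string]string, key string) string {
	if v, ok := args[key]; ok && v != "" {
		return v
	}
	return env[envNames[key]]
}

// parseBool treats an unset value as false, matching the documented defaults.
func parseBool(v string) (bool, error) {
	switch strings.ToLower(v) {
	case "", "false", "0":
		return false, nil
	case "true", "1":
		return true, nil
	}
	return false, fmt.Errorf("invalid boolean %q", v)
}

// Resolve applies the documented precedence and validation rules.
func Resolve(args, env map[string]string) (Config, error) {
	var c Config
	var err error
	if c.URL = lookup(args, env, "url"); c.URL == "" {
		return c, errors.New("url is required (argument or VAULT_URL)")
	}
	if c.Scope = lookup(args, env, "scope"); c.Scope == "" {
		return c, errors.New("scope is required (argument or VAULT_SCOPE)")
	}
	if c.UseDMC, err = parseBool(lookup(args, env, "use_dmc")); err != nil {
		return c, err
	}
	if c.SkipCertVerify, err = parseBool(lookup(args, env, "skip_cert_verify")); err != nil {
		return c, err
	}
	if c.LogLevel = lookup(args, env, "log_level"); c.LogLevel == "" {
		c.LogLevel = "error" // documented default
	}
	switch c.LogLevel {
	case "fatal", "error", "info", "debug":
	default:
		return c, fmt.Errorf("log_level must be fatal, error, info or debug, got %q", c.LogLevel)
	}
	c.LogPath = lookup(args, env, "logpath")

	if c.UseDMC {
		// DMC: appid, token, username and password are ignored entirely.
		c.AuthMethod = "dmc"
		return c, nil
	}
	if c.AppID = lookup(args, env, "appid"); c.AppID == "" {
		return c, errors.New("appid is required unless use_dmc is true")
	}
	if c.Token = lookup(args, env, "token"); c.Token != "" {
		c.AuthMethod = "token" // username and password are ignored
		return c, nil
	}
	c.Username = lookup(args, env, "username")
	c.Password = lookup(args, env, "password")
	if c.Username == "" || c.Password == "" {
		// Assumption of this example: without token or DMC, both are needed.
		return c, errors.New("set token, or both username and password, when use_dmc is false")
	}
	c.AuthMethod = "client_credentials"
	return c, nil
}

func main() {
	// Constructed sample: non-secret settings in HCL, the credential in the environment.
	args := map[string]string{"url": "https://abc1234.my.centrify.net", "appid": "terraform", "scope": "tfscope"}
	env := map[string]string{"VAULT_USERNAME": "tf-client", "VAULT_PASSWORD": "example-secret"}
	c, err := Resolve(args, env)
	fmt.Println(c.AuthMethod, c.LogLevel, err)
}
```

`Resolve` returns the first rule that fails, so an accidental `use_dmc = true` left in a configuration that also carries OAuth credentials shows up as `AuthMethod == "dmc"` with the OAuth fields empty, which is exactly the silent override the reference describes.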