{"id":49074166,"url":"https://github.com/tonedefdev/terracreds","last_synced_at":"2026-04-20T09:05:44.233Z","repository":{"id":37017982,"uuid":"303621302","full_name":"tonedefdev/terracreds","owner":"tonedefdev","description":"A Terraform Automation and Collaboration Software credentials helper","archived":false,"fork":false,"pushed_at":"2024-12-12T00:23:26.000Z","size":3058,"stargazers_count":64,"open_issues_count":1,"forks_count":6,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-03-22T02:01:36.242Z","etag":null,"topics":["credential-manager","credential-storage","credentials-helper","devops","devops-tools","security-tools","terraform"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tonedefdev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-10-13T07:22:38.000Z","updated_at":"2025-03-21T17:49:50.000Z","dependencies_parsed_at":"2025-03-22T02:01:23.944Z","dependency_job_id":null,"html_url":"https://github.com/tonedefdev/terracreds","commit_stats":null,"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"purl":"pkg:github/tonedefdev/terracreds","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tonedefdev%2Fterracreds","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tonedefdev%2Fterracreds/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tonedefdev%2Fterracreds/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tonedefdev%2Fterracreds/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tonedefdev","download_url":"https://codeload.github.com/tonedefdev/terracreds/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tonedefdev%2Fterracreds/sbom","scorecard":{"id":893467,"data":{"date":"2025-08-11","repo":{"name":"github.com/tonedefdev/terracreds","commit":"511eeb9a40f1643940bb2d05270a3480804303f1"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.1,"checks":[{"name":"Code-Review","score":0,"reason":"Found 0/2 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/macos-build.yml:1","Warn: no topLevel permission defined: .github/workflows/release.yml:1","Warn: no topLevel permission defined: .github/workflows/ubuntu-build.yml:1","Warn: no topLevel permission defined: .github/workflows/windows-build.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/macos-build.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/tonedefdev/terracreds/macos-build.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/macos-build.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/tonedefdev/terracreds/macos-build.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/tonedefdev/terracreds/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/tonedefdev/terracreds/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/tonedefdev/terracreds/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ubuntu-build.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/tonedefdev/terracreds/ubuntu-build.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ubuntu-build.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/tonedefdev/terracreds/ubuntu-build.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/windows-build.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/tonedefdev/terracreds/windows-build.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/windows-build.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/tonedefdev/terracreds/windows-build.yml/main?enable=pin","Info:   0 out of   8 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   1 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":9,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Warn: project license file does not contain an FSF or OSI license."],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/release.yml:9"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v2.1.6 not signed: https://api.github.com/repos/tonedefdev/terracreds/releases/172285997","Warn: release artifact v2.1.5 not signed: https://api.github.com/repos/tonedefdev/terracreds/releases/124724335","Warn: release artifact v2.1.4 not signed: https://api.github.com/repos/tonedefdev/terracreds/releases/93530557","Warn: release artifact v2.1.3 not signed: https://api.github.com/repos/tonedefdev/terracreds/releases/91643960","Warn: release artifact v2.1.2 not signed: https://api.github.com/repos/tonedefdev/terracreds/releases/78910058","Warn: release artifact v2.1.6 does not have provenance: https://api.github.com/repos/tonedefdev/terracreds/releases/172285997","Warn: release artifact v2.1.5 does not have provenance: https://api.github.com/repos/tonedefdev/terracreds/releases/124724335","Warn: release artifact v2.1.4 does not have provenance: https://api.github.com/repos/tonedefdev/terracreds/releases/93530557","Warn: release artifact v2.1.3 does not have provenance: https://api.github.com/repos/tonedefdev/terracreds/releases/91643960","Warn: release artifact v2.1.2 does not have provenance: https://api.github.com/repos/tonedefdev/terracreds/releases/78910058"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":2,"reason":"8 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2025-3553 / GHSA-mh63-6h87-95cp","Warn: Project is vulnerable to: GO-2024-3321 / GHSA-v778-237x-gjrc","Warn: Project is vulnerable to: GO-2025-3487 / GHSA-hcg3-q754-cr77","Warn: Project is vulnerable to: GO-2024-3333","Warn: Project is vulnerable to: GO-2025-3503 / GHSA-qxp5-gwg8-xv66","Warn: Project is vulnerable to: GO-2025-3595 / GHSA-vvgc-356p-c3xw","Warn: Project is vulnerable to: GO-2025-3488 / GHSA-6v2p-p543-phr9","Warn: Project is vulnerable to: GO-2024-2631 / GHSA-c5q2-7r4c-mv6g"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-24T12:47:02.276Z","repository_id":37017982,"created_at":"2025-08-24T12:47:02.276Z","updated_at":"2025-08-24T12:47:02.276Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32040364,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-20T00:18:06.643Z","status":"online","status_checked_at":"2026-04-20T02:00:06.527Z","response_time":94,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["credential-manager","credential-storage","credentials-helper","devops","devops-tools","security-tools","terraform"],"created_at":"2026-04-20T09:05:40.880Z","updated_at":"2026-04-20T09:05:44.211Z","avatar_url":"https://github.com/tonedefdev.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![macOS Build](https://github.com/tonedefdev/terracreds/actions/workflows/macos-build.yml/badge.svg?branch=main)](https://github.com/tonedefdev/terracreds/actions/workflows/macos-build.yml) [![Ubuntu Build](https://github.com/tonedefdev/terracreds/actions/workflows/ubuntu-build.yml/badge.svg?branch=main)](https://github.com/tonedefdev/terracreds/actions/workflows/ubuntu-build.yml) [![Windows Build](https://github.com/tonedefdev/terracreds/actions/workflows/windows-build.yml/badge.svg?branch=main)](https://github.com/tonedefdev/terracreds/actions/workflows/window-build.yml)\n\n\u003cimg src=\"./img/terracreds.png\" align=\"right\" width=\"350\" height=\"350\"\u003e\n\n# Terracreds\nA credential helper for Terraform Automation and Collaboration Software used to store API tokens, or any other secrets, securely in the operating system's credential vault, or through a third party vault provider. With `terracreds` you no longer need to keep secrets in a plain text configuration file!\n\nStoring secrets in plain text can pose major security threats even when proper file permissions are in place. Terraform also doesn't come pre-packaged with a credential helper, so we decided to create one and to share it with the greater Terraform/DevOps community to make it easier to implement stronger security practices.\n\n#### Currently supported Operating Systems:\n- [x] Windows (Credential Manager)\n- [x] MacOS (Keychain)\n- [x] Linux (gnome-keyring) *Tested on Ubuntu 20.04*\n\n#### Currently supported Vault providers:\n- [x] AWS Secrets Manager\n- [x] Azure Key Vault\n- [x] Google Secret Manager \n- [x] HashiCorp Vault\n\n#### Currently Supported Terraform Automation and Collaboration Software:\n- [x] env0\n- [x] Scalr\n- [x] Spacelift\n- [x] Terraform Cloud\n- [x] Terraform Enterprise\n\n## Quick Links\n- Install \u0026 Configure\n  - [Windows](https://github.com/tonedefdev/terracreds#windows-install-via-chocolatey)\n  - [macOS](https://github.com/tonedefdev/terracreds#macos-install)\n  - [Linux](https://github.com/tonedefdev/terracreds#linux-install)\n  - [From Source](https://github.com/tonedefdev/terracreds#install-from-source)\n  - [Upgrading](https://github.com/tonedefdev/terracreds#upgrading)\n  - [Initial Configuration](https://github.com/tonedefdev/terracreds#initial-configuration)\n- Usage\n  - [Storing](https://github.com/tonedefdev/terracreds#storing-credentials)\n  - [Verifying](https://github.com/tonedefdev/terracreds#storing-credentials)\n  - [Updating](https://github.com/tonedefdev/terracreds#updating-credentials)\n  - [Forgetting](https://github.com/tonedefdev/terracreds#forgetting-credentials)\n  - [Listing](https://github.com/tonedefdev/terracreds#list-credentials)\n- Vault Providers\n  - [General Setup](https://github.com/tonedefdev/terracreds#setting-up-a-vault-provider)\n  - [AWS Secrets Manager](https://github.com/tonedefdev/terracreds#aws-secrets-manager)\n  - [Azure Key Vault](https://github.com/tonedefdev/terracreds#azure-key-vault)\n  - [Google Secret Manager](https://github.com/tonedefdev/terracreds#google-secret-manager)\n  - [HashiCorp Vault](https://github.com/tonedefdev/terracreds#hashicorp-vault)\n- Miscellaneous\n  - [Protection](https://github.com/tonedefdev/terracreds#protection)\n  - [Logging](https://github.com/tonedefdev/terracreds#logging)\n- Troubleshooting\n  - [Known Issues](https://github.com/tonedefdev/terracreds#known-issues)\n  - [Linux](https://github.com/tonedefdev/terracreds#linux)\n\n## Windows Install via Chocolatey\nThe fastest way to install `terracreds` on Windows is via our Chocolatey package:\n```powershell\nchoco install terracreds -y\n```\n\nOnce installed run the following command to verify `terracreds` was installed properly:\n```powershell\nterracreds -v\n```\n\nTo upgrade `terracreds` to the latest version with Chocolatey run the the following command:\n```powershell\nchoco upgrade terracreds -y\n```\n\n## macOS Install\nOur `homebrew` formula is the easiest way to install `terracreds` on macOS. You can install using the following command:\n```sh\nbrew install tonedefdev/terracreds/terracreds\n```\n\n## Linux Install\nYou'll need to download the latest binary from our release page and place it anywhere on `$PATH` of your system. You can also copy and run the following commands:\n\n```bash\nVERSION=\"\u003cREPLACE_WITH_DESIRED_VERSION_FROM_GITHUB_RELEASES\u003e\" \\\nwget https://github.com/tonedefdev/terracreds/releases/download/v${VERSION}/terracreds_${VERSION}_linux_amd64.tar.gz \u0026\u0026 \\\ntar -xvf terracreds_${VERSION}_linux_amd64.tar.gz \u0026\u0026 \\\nsudo mv -f terracreds /usr/bin/terracreds \u0026\u0026 \\\nrm -f terracreds_${VERSION}_linux_amd64.tar.gz README.md\n```\n\nYou can also use `homebrew` to install on `Ubuntu` machines where `brew` is available:\n```bash\nbrew install tonedefdev/terracreds/terracreds\n```\n\nThe `terracreds` Linux implementation uses `gnome-keyring` in conjunction with `gnome-keyring-daemon` \nto utilize the credential storage engine.\n\nIn order to leverage `terracreds` to have access to the default `Login` collection you'll need to unlock \nthe collection with `gnome-keyring-daemon` using an empty password:\n\n```bash\necho \"\" | gnome-keyring-daemon --unlock\n```\n\u003e You do have the option of setting a password by passing it in with `echo` but every call to `terracreds get` will require the \nunlock password.\n\nThe command, if successful, should return the following:\n```txt\nSSH_AUTH_SOCK=/run/user/1000/keyring/ssh\n```\n\nYou can verify that it's running properly with:\n```bash\nps -ef | grep 'gnome-keyring-daemon'\n``` \n\n## Install From Source\nDownload the source files by entering the following command:\n```go\ngo get github.com/tonedefev/terracreds \n```\n\nEnsure you have the environment variable `GO111MODULE` enabled since this project leverages `go.mod`\n\nFor Windows:\n```powershell\n$env:GO111MODULE='on'\n```\n\nFor macOS and Linux:\n```bash\nexport GO111MODULE='on'\n```\n\nOnce the files have been downloaded navigate to the `terracreds` directory in the and then run:\n```go\ngo install -v\n```\n\nNavigate to the root of the project directory and you should see the `terracreds.exe` binary for Windows or `terracreds` for macOS and Linux. On Windows, copy the `.exe` to any directory of your choosing. Be sure to add the directory on `$env:PATH` for Windows to make using the application easier. On macOS and Linux we recommend you place the binary in `/usr/bin` as this directory should already be on the `$PATH` environment variable.\n\n## Upgrading\nIf you're upgrading to the latest version of `terracreds` from a previous version use one of the methods above to either install the latest binary or use the package manager for your specific operating system. Once successfully installed on your system you just need to run `terracreds generate` to copy the latest version to the correct `plugins` directory for your operating system.\n\n## Initial Configuration\nIn order for `terracreds` to act as your credential provider you'll need to generate the binary and the plugin directory in the default location that Terraform looks for plugins. Specifically, for credential helpers, and for Windows, the directory is `%APPDATA%\\terraform.d\\plugins` and for macOS and Linux `$HOME/.terraform.d/.terraformrc`.\n\nTo make things as simple as possible we created a helper command to generate everything needed to use the app. All you need to do is run the following command in `terracreds` to generate the plugin directory, and the correctly formatted binary that Terraform will use:\n```bash\nterracreds generate\n```\n\nThis command will generate the binary as `terraform-credentials-terracreds.exe` for Windows or `terraform-credentials-terracreds` for macOS and Linux which is the valid naming convention for Terraform to recognize this plugin as a credential helper.\n\nIn addition to the binary and plugin a `terraform.rc` file is required for Windows or `.terraformrc` for macOS and Linux with a `credentials_helper` block which instructs Terraform to use the specified credential helper. If you don't already have a `terraform.rc` or a `.terraformrc` file you can pass in `--create-cli-config` to create the file with the credentials helper block already generated for use with the `terracreds` binary for your OS.\n\nHowever, if you already have a `terraform.rc` or `.terraformrc` file you will need to add the following block to your file instead:\n\n```hcl\ncredentials_helper \"terracreds\" {\n  args = []\n}\n```\n\nOnce you have moved all of your tokens from this file to your preferred vault provider via `terracreds` you can remove the tokens from the file. If you don't remove them, but you add the `credentials_helper` block to this file, Terraform will still use the token from this file instead of from the vault configured with `terracreds`.\n\n## Storing Credentials\nFor Terraform to properly use the credentials stored in your credential manager they need to be stored a specific way. The name of the credential object must be the domain name of the Terraform Cloud or Enterprise server. For instance `app.terraform.io` which is the default name `terraform login` will leverage.\n\nThe value for the password will correspond to the API token associated for that specific Terraform Cloud or Enterprise server.\n\nThe entire process is kicked off directly from the Terraform CLI. Run `terraform login` to start the login process with Terraform Cloud. If you're using Terraform Enterprise you'll need to pass the hostname of the server as an additional argument `terraform login my.tfe.com`.\n\nYou'll be sent to your Terraform Cloud or Enterprise Software instance where you'll be requested to sign-in with your account, and then sent to create an API token. Create the API token with any name you'd like for this example we'll use `terracreds`.\n\nOnce completed, copy the generated token, paste it into your terminal, and then hit enter. Terraform will then leverage `terracreds` to store the credentials in the operating system's credential manager. If all went well you should receive the following success message:\n\n```bash\nSuccess! Terraform has obtained and saved an API token.\n```\n\nIn the background `terraform` calls `terracreds` as its credential helper, `terraform` passes in a JSON token credential object, and then `terracreds` decodes that object from STDIN for storage in the operating system's credential manager. The following command is what is called by `terraform` during this process:\n\n```bash\nterraform-credentials-terracreds store app.terraform.io\n```\n\nIf you prefer, you can also create credentials manually by running:\n```bash\nterracreds create -n app.terraform.io -v \u003cTACOS_API_TOKEN\u003e\n```\n\n## Verifying Credentials\nWhen Terraform leverages `terracreds` as the credential provider it will run the following command to get the credentials value:\n```bash\nterraform-credentials-terracreds get app.terraform.io\n```\n\nAlternatively, you can run the same command using either binary to return the credentials. The response is formatted as a JSON object as required by Terraform to use the token:\n```powershell\nterracreds get app.terraform.io\n```\n\nExample output:\n```json\n{\"token\":\"reallybigtokenyoudontevenknow\"}\n```\n\n## Updating Credentials\nTo update a credential in your credential manager simply go through the same `terraform login` process and it will generate a new token and save it for you!\n\nIf the token was updated successfully the following message is returned:\n```bash\nSuccess! Terraform has obtained and saved an API token.\n```\n\nYou can also run `terracreds update -n my-secret -v my-secret-value` to update a secret value.\n\nAdditionally, you can check the `terracreds.log` if logging is enabled for more information.\n\n## Forgetting Credentials\nYou can delete the credential object at any time by running:\n```bash\nterraform logout\n```\n\nIn the background `terraform` calls `terracreds` to perform:\n```bash\nterracreds forget app.terraform.io\n```\n\nIf the credential was successfully deleted `terraform` will return:\n```text\nSuccess! Terraform has removed the stored API token for app.terraform.io.\n```\n\nYou can also run `terracreds delete -n app.terraform.io` if you want to manually remove the credential.\n\nAdditionally, you can check the `terracreds.log` if logging is enabled for more information.\n\n## List Credentials\n\u003e New in version `2.1.0`\n\nYou can pass in a comma separated list of secrets to print out the secret values to the screen:\n```bash\nterracreds list -l mysecret,mysecret2\n```\n\nYou can also setup a list of secrets in the configuration file by using:\n ```bash\n terracreds config secrets -l mysecret,mysecret2\n ``` \n\n To print out the secrets from the names stored in the configuration file:\n ```bash\n terracreds list --from-config\n ```\n\nThere's a helper flag `--as-tfvars` which will return the secret values formatted for use with `terraform`. Depending on the shell calling this command will determine how you can readily use these values.\n\nFor instance on Linux/macOS you can simply call `eval` to evaluate the output to then convert the returned values into variables in your current shell.\n\nAlso, by default, `terracreds` will convert any dashes `[-]` in a secret name with underscores `[_]` since this is the typical variable naming style convention in Terraform. However, you can override that behavior by passing in an override flag with any string value you'd prefer to use:\n```bash\nterracreds list --as-tfvars --override-replace-string -\n```\n\nThe above example would maintain the dash `[-]` in the output of the formatted TF_VARS instead of replacing it by the default underscore `[_]`\n\nAdditionally, you can use `--as-json` to return the secret names and values as a JSON string. This is printed to standard output so you can make use of shell pipes and other commands to ingest the data.\n\n## Setting Up a Vault Provider\n\u003e We have example [terraform](https://github.com/tonedefdev/terracreds/tree/main/terraform) code you can reference in order to setup your `AWS` or `Azure` VMs to use `terracreds` for a CI/CD pipeline agent or a development workstation.\n\n\u003e New in version `2.1.0`\n\nAll of the external vault providers now make use of the provider's default credential authentication schemes. Please, refer to the documentation for each provider's default authentication mechanisms for more information on what options are available, and what is required to set up authentication for each method.\n\n### Configure from Terracreds\n\u003e New in version `2.1.0`\n\nYou can create and view the configuration for any vault provider by running `terracreds config` and then using the subcommand for the specific vault provider. The commands to generate the config from `terracreds` will be shown for each provider listed below.\n\n### AWS Secrets Manager\nIn order to leverage `terracreds` to manage secrets in `AWS Secrets Manager` the following block needs to be provided in the configuration file:\n```yaml\naws:\n  description: my_terraform_api_token\n  region: us-west-2\n  secretName: my-secret-name\n```\n\nThis can be generated via `terracreds` by running:\n```bash\nterracreds config aws --description 'my super secret' --region 'us-west-2' --secret-name 'my-secret-name'\n```\n\n| Value | Description | Required |\n| ----- | ----------- | -------- |\n| `description` | A brief description to provide for the secret object viewable in `Secrets Manager` | `yes` |\n| `region` | The `Secrets Manager` instance's region where the secret will be stored | `yes` | \n| `secretName` | A name for the secret. If omitted and using `terraform login` the hostname of the TACOS server will be used for the name instead | `no` |\n\nThe following permissions are required in order for an assumed `AWS IAM Role` to leverage `terracreds` to access and manage `AWS Secrets Manager`:\n```hcl\nAction = [\n  \"secretsmanager:CreateSecret\",\n  \"secretsmanager:DeleteSecret\",\n  \"secretsmanager:GetSecretValue\",\n  \"secretsmanager:PutSecretValue\"\n]\n```\n### Azure Key Vault\nIn order to leverage `terracreds` to manage secrets in `Azure Key Vault` the following block needs to be provided in the configuration file:\n```yaml\nazure:\n  secretName: my-secret-name\n  subscriptionId: 5df41dfe-4310-46e5-800a-c5bc71ac7ac0\n  vaultUri: https://mykeyvault.vault.azure.net\n```\n\nThe configuration can be generated via `terracreds` by running:\n```bash\nterracreds config azure --subscription-id '5df41dfe-4310-46e5-800a-c5bc71ac7ac0' --vault-uri 'https://mykeyvault.vault.azure.net' --secret-name 'my-secret-name'\n```\n\n| Value | Description | Required |\n| ----- | ----------- | -------- |\n| `secretName` | A name for the secret. If omitted and using `terraform login` the hostname of the TACOS server will be used for the name instead | `no` |\n| `subscriptionId` | The Azure subscription ID where the `Azure Key Vault` has been created | `yes` | \n| `vaultUri` | The URI for the `Azure Key Vault` where you want to store or retrieve your credentials | `yes` |\n\nThe following `Azure Key Vault Access Policies` are required to be given to the `Managed Service Identity` for it to leverage `terracreds`:\n```hcl\nsecret_permissions = [\n  \"Get\",\n  \"List\",\n  \"Set\",\n  \"Delete\"\n]\n```\n\u003e Since `Azure Key Vault` doesn't support the period character in a secret name a helper function will replace any periods with dashes so they can be successfully stored. This means a `terraform` API token name that would usually be `app.terraform.io` will become `app-terraform-io`\n\n### Google Secret Manager\n\u003e New in version `2.1.0`\n\nIn order to leverage `terracreds` to manage secrets in `Google Secret Manager` the following block needs to be provided in the configuration file:\n```yaml\ngcp:\n  projectId: my-gcp-project\n  secretId: my-secret-name\n```\n\nThe configuration can be generated via `terracreds` by running:\n```bash\nterracreds config gcp --project-id 'my-gcp-project' --secret-id 'my-secret-name'\n```\n\n| Value | Description | Required |\n| ----- | ----------- | -------- |\n| `projectId` | The name of the `GCP` project ID where the `Secret Manager` API has been enabled | `yes` |\n| `secretId` | The name of the secret ID | `no` |\n\nThe `Google IAM` role `secretmanager.admin` is suggested in order to fully manage the secrets with `terracreds`\n\n### HashiCorp Vault\nIn order to leverage `terracreds` to manage secrets in `HashiCorp Vault` the following block needs to be provided in the configuration file:\n```yaml\nhcvault:\n  environmentTokenName: HASHI_TOKEN\n  keyVaultPath: kv\n  secretName: my-secret-name\n  secretPath: tfe\n  vaultUri: http://localhost:8200\n```\n\nThe configuration can be generated via `terracreds` by running:\n```bash\nterracreds config hashicorp \\ \n  --environment-token-name 'HASHI_TOKEN' \\\n  --key-vault-path 'kv' \\\n  --secret-name 'my-secret-name' \\\n  --secret-path 'tfe' \\\n  --vault-uri 'http://localhost:8200\"\n```\n\n| Value | Description | Required |\n| ----- | ----------- | -------- |\n| `environmentTokenName` | The name of the environment variable that contains the token value to authenticate with `HashiCorp Vault` | `yes` |\n| `keyVaultPath` | The path to the `Key Vault` object within the vault | `yes` |\n| `secretName` | A name for the secret. If omitted and using `terraform login` the hostname of the TACOS server will be used for the name instead | `no` |\n| `secretPath` | The path of the secret within `HashiCorp Vault` | `yes` |\n| `vaultUri` | The URI for the `HashiCorp Vault` instance | `yes` |\n\n## Protection\nIn order to add some protection `terracreds` adds a username to the credential object stored in the local operating system, and checks to ensure that the user requesting access to the secret is the same user as the secret's creator.  \n\nAny attempt to access or modify this secret from `terracreds` outside of the user that created the credential will lead to denial messages. Additionally, if the credential name is not found, the same access denied message will be provided in lieu of a generic not found message to help prevent brute force attempts\n\n## Logging\n\u003e New in version `2.1.0`\n\nBy default `terracreds` will generate a configuration file in the same location where the `terracreds` binary was first run. This can now be overridden by setting an environment variable that sets the path to the desired location of the configuration file:\n\nFor Linux/macOS:\n```bash\nexport TC_CONFIG_PATH=/home/username/\n```\n\nFor Windows:\n```powershell\n$env:TC_CONFIG_PATH=\"C:\\Temp\"\n```\n\nTo persist this change you can set this variables either in `.bashrc` for Linux/macOS or setup a PowerShell profile for Windows.\n\nTo enable logging for Windows setup the `config.yaml` as follows:\n```yaml\nlogging:\n  enabled: true\n  path: C:\\Temp\n```\n\nTo enable logging for macOS and Linux to a directory called `.terracreds` in the user's home profile:\n```yaml\nlogging:\n  enabled: true\n  path: ~/.terracreds\n```\n\nYou can also use `terracreds` to configure logging:\n```bash\nterracreds config logging --path '~/.terracreds' --enabled\n```\n\nThe log is helpful in understanding if an object was found, deleted, updated or added, and will be found at the path defined in the configuration file as `terracreds.log`.\n\nIn addition all error messages returned by the underlying libraries will be logged when logging is enabled and an error is encountered.\n\n## Troubleshooting\n\n### Known Issues\nWhen you enable `terracreds` as a credential helper Terraform will begin using it for all authentication regardless of the destination server. This means that when you try to install/download providers or modules from the public Terraform registry `https://registry.terraform.io/`, or any other public registry, Terraform will try to authenticate against the server using `terracreds`. If there's no credential in the vault found for that server it will error out.\n\nTo work around this issue you'll need to set a dummy value for any public registries. Run this command for each public repo that Terraform will need to access. In this example we're using `registry.terraform.io` so be sure to replace it with the correct server value if the one you require is different:\n```bash\nterracreds create -n registry.terraform.io -v dummy_token\n```\n\n### Linux\nIf you are having trouble viewing, deleting, or saving credentials on Linux systems using `gnome-keyring` you must ensure that you have unlocked the collection using `gnome-keyring-daemon --unlock` otherwise you will see the following error message in the logs:\n\n```txt\nERROR: \u003cTIMESTAMP\u003e - failed to unlock correct collection '/org/freedesktop/secrets/collection/login'\n```\n\nIf the daemon has unlocked the collection but you're still getting prompted for credentials check to make sure that only a single instance of the daemon is running:\n\n```bash\nps -ef | grep gnome-keyring\n```\n\nIf more than one daemon is running, take note of the pid, and use `kill` to terminate the additional daemon. Try your previous command again\nand it should now be working.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftonedefdev%2Fterracreds","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftonedefdev%2Fterracreds","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftonedefdev%2Fterracreds/lists"}