provider: added workload identity federation auth support #567
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mcoulombe
force-pushed
the
max/identity-federation-support
branch
from
679ec34 to
8bd56ba
Compare
mcoulombe
force-pushed
the
max/identity-federation-support
branch
from
8bd56ba to
f6490e0
Compare
oxtoacart
approved these changes
Oct 16, 2025
Collaborator
oxtoacart
left a comment
oxtoacart
left a comment
There was a problem hiding this comment.
Generally LGTM, just a couple of nits.
| Description: "The API key to use for authenticating requests to the API. Can be set via the TAILSCALE_API_KEY environment variable. Conflicts with 'oauth_client_id' and 'oauth_client_secret'.", | ||
| Sensitive: true, | ||
| }, | ||
| "identity_token": { |
Collaborator
There was a problem hiding this comment.
Do you want to name this and the environment variable something that makes it clear it's for workload identity federation?
Contributor
Author
There was a problem hiding this comment.
I don't have a strong preference, do you mean wif_identity_token? @mpminardi any thoughts on the naming?
Contributor
Author
There was a problem hiding this comment.
Follow-up from a Slack conversation, Sam felt against the wif prefix and we'll support both TAILSCALE_IDENTITY_TOKEN and IDENTITY_TOKEN env vars to be consistent with the OAuth fields.
mcoulombe
force-pushed
the
max/identity-federation-support
branch
3 times, most recently
from
6313cb2 to
c891e9f
Compare
Updates #485 Signed-off-by: mcoulombe <[email protected]>
mcoulombe
force-pushed
the
max/identity-federation-support
branch
from
c891e9f to
2133416
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it:
Allows the Tailscale Terraform provider to dynamically generate an API access token by exchanging an identity token. This way providers do not need to be configured with sensitive information like an authkey or oauth_client_secret.
Configuring a federated identity OAuth client is private at the time of this PR but public access is coming soon™️.
Updates #485
Special notes for your reviewer:
Depends on this PR on the client. I'll update the dependency with the proper stable release before merging.