Terraform Cloud

Unfortunately, as per this discussion, Terraform Cloud does not support OIDC identity. This is discouraging to see, and as a result I will be moving my Terraform state out of Terraform Cloud shortly and will set up an S3 bucket/DynamoDB table for the state/lock. I initially set up this blog with Terraform Cloud to try it out and have automated Terraform runs, but now I will be switching to CircleCI (or GitHub Actions) so that I can utilize the awesomeness of OIDC!

Benefits of OIDC over IAM credentials

  • Sounder sleep knowing that my IAM credentials can't be leaked for someone or some service to use to compromise my AWS infrastructure
  • No need to set up anything custom or any reminders to manually rotate the keys. All authorization is now done via the OIDC Identity Provider and corresponding IAM role – it was a rad feeling deleting the IAM credentials I had stored in CircleCI and still having the pipeline runs work!
  • No way of accidentally committing your IAM keys to version/source control (this happens to folks all the time, even though everyone warns about it)
  • OIDC providers are verified by AWS, so there is a super low risk that an OIDC provider's "thumbprint" would be spoofed for a particular large service (like CircleCI or GitHub Actions). When your IAM credentials are created and then used by any service, anywhere, AWS never verifies who exactly is using them. There is an implicit trust that if a user or service has the IAM credentials, they are authorized to use them. It is a totally different ball game with OIDC!
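As an added example (not configuration from this post), here is what the "OIDC Identity Provider and corresponding IAM role" pairing looks like in Terraform for CircleCI, with the trust policy pinned to one CircleCI project so that no other project in the org (let alone another org) can assume the role. The org and project IDs are assumed variables; the role name and the use of the hashicorp/tls provider to fetch the thumbprint are my choices.

```hcl
# Placeholders: find both UUIDs in the CircleCI UI (Organization Settings / Project Settings).
variable "circleci_org_id"     { type = string }
variable "circleci_project_id" { type = string }

locals {
  # CircleCI's issuer is per-org; the same string (minus "https://") is the
  # prefix for the "aud"/"sub" condition keys in the trust policy below.
  issuer_url  = "https://oidc.circleci.com/org/${var.circleci_org_id}"
  issuer_host = "oidc.circleci.com/org/${var.circleci_org_id}"
}

# Thumbprint of the issuer's TLS certificate chain, fetched rather than hand-copied.
data "tls_certificate" "circleci" {
  url = local.issuer_url
}

resource "aws_iam_openid_connect_provider" "circleci" {
  url             = local.issuer_url
  client_id_list  = [var.circleci_org_id] # CircleCI sets "aud" to the org ID
  thumbprint_list = [data.tls_certificate.circleci.certificates[0].sha1_fingerprint]
}

data "aws_iam_policy_document" "circleci_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.circleci.arn]
    }
    # Without the two conditions below, ANY job in ANY project of the org could
    # assume this role; the conditions are what make the trust least-privilege.
    condition {
      test     = "StringEquals"
      variable = "${local.issuer_host}:aud"
      values   = [var.circleci_org_id]
    }
    condition {
      test     = "StringLike"
      variable = "${local.issuer_host}:sub"
      values   = ["org/${var.circleci_org_id}/project/${var.circleci_project_id}/user/*"]
    }
  }
}

resource "aws_iam_role" "circleci_terraform" {
  name                 = "circleci-terraform" # assumed name
  assume_role_policy   = data.aws_iam_policy_document.circleci_trust.json
  max_session_duration = 3600 # short-lived credentials: nothing to rotate, nothing to leak long-term
}
```

Attach only the permissions the pipeline needs (for example, access to the state bucket and lock table) to this role; the trust policy decides who may assume it, not what they may do once assumed.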

Recap

  • Think of IAM Credentials as your Credit Card vs an OIDC Provider as authorization to use your Credit Card 🙂
  • OIDC providers are quick and simple to set up in AWS and roll into your new or existing CircleCI pipelines
  • You never need to rotate OIDC providers... you can't say the same for IAM credentials!