
Terraform & OpenTofu Credentials Helper

Use dotsecenv as a credentials helper for Terraform and OpenTofu. Registry and backend tokens (e.g., for Terraform Cloud) are encrypted at rest in your vault, so you need neither plaintext credentials blocks in your CLI config nor the plaintext ~/.terraform.d/credentials.tfrc.json file that terraform login writes when no helper is configured.

Terraform and OpenTofu call the credentials helper with three verbs:

| Verb | Action | dotsecenv behavior |
| --- | --- | --- |
| get <host> | Retrieve credentials for a registry | Returns the stored JSON from the vault, or {} if none |
| store <host> | Save credentials (JSON on stdin) | Validates the JSON and stores the full object in the vault |
| forget <host> | Remove credentials for a registry | Marks the secret as deleted in the vault |

Terraform passes the registry hostname (e.g., app.terraform.io) as the key. The helper stores it as a dotsecenv secret under that hostname. The full JSON credentials object is stored as-is, preserving all properties.
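The protocol above, written out as a minimal stand-in helper. This is an added example and not dotsecenv's own code: the encrypted vault is replaced by an in-memory dict (an assumption made to keep it runnable offline), and the hostname is used as the key exactly as Terraform passes it. It implements the behaviour described on this page, including the two validation errors from the troubleshooting table, the {} answer for unknown or forgotten hosts, and forget as a soft delete.

```python
import json
import sys
from typing import Dict, List, Tuple

# Stand-in for the vault (assumption, not dotsecenv's storage):
# hostname -> (credentials object, deleted flag).
Vault = Dict[str, Tuple[dict, bool]]


def validate_credentials(raw: str) -> dict:
    """Parse the JSON that Terraform writes to stdin for `store`.

    Enforces the two rules the helper reports as errors: the input must be
    valid JSON, and it must be an object carrying a "token" property.
    """
    try:
        creds = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from None
    if not isinstance(creds, dict):
        raise ValueError("credentials must be a JSON object")
    if not isinstance(creds.get("token"), str):
        raise ValueError("credentials must contain a 'token' property")
    return creds


def handle(argv: List[str], stdin_text: str, vault: Vault) -> Tuple[int, str, str]:
    """Run one helper invocation and return (exit status, stdout, stderr).

    argv is [verb, hostname] exactly as Terraform passes them; Terraform
    treats any non-zero exit status as a failure of the helper.
    """
    if len(argv) != 2 or argv[0] not in ("get", "store", "forget"):
        return 2, "", "usage: get|store|forget <hostname>\n"
    verb, host = argv

    if verb == "get":
        entry = vault.get(host)
        if entry is None or entry[1]:      # never stored, or forgotten
            return 0, "{}\n", ""
        # Return the full object as stored, so extra properties survive.
        return 0, json.dumps(entry[0]) + "\n", ""

    if verb == "store":
        try:
            creds = validate_credentials(stdin_text)
        except ValueError as exc:
            return 1, "", f"error: {exc}\n"
        vault[host] = (creds, False)       # a new store revives a forgotten host
        return 0, "", ""

    # forget: keep the record but flag it deleted, so `get` answers {}.
    if host in vault:
        vault[host] = (vault[host][0], True)
    return 0, "", ""


if __name__ == "__main__":
    # Stand-alone use; the in-memory vault lives only for this process.
    raw = sys.stdin.read() if sys.argv[1:2] == ["store"] else ""
    status, out, err = handle(sys.argv[1:], raw, {})
    sys.stdout.write(out)
    sys.stderr.write(err)
    sys.exit(status)
```

Note that stdin is only read for store: Terraform supplies nothing on stdin for get and forget, and a helper that blocks reading it there would hang the CLI.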

  • dotsecenv installed and configured with at least one vault (see Getting Started)
  • Terraform >= 0.13 or OpenTofu >= 1.6

Terraform finds credentials helpers by name: for credentials_helper "dotsecenv", it looks for an executable named terraform-credentials-dotsecenv in one of its default plugin search locations. The most portable location across all platforms is ~/.terraform.d/plugins/.

The terraform-credentials-dotsecenv helper is included in the deb, rpm, and Arch packages and installed to /usr/share/terraform/plugins/.

Verify it’s available:

ls /usr/share/terraform/plugins/terraform-credentials-dotsecenv

  1. Verify the helper is installed

    Check that the binary exists in a plugin directory and is executable:

    ls -l ~/.terraform.d/plugins/terraform-credentials-dotsecenv

    Quick smoke test:

    ~/.terraform.d/plugins/terraform-credentials-dotsecenv get app.terraform.io
    # Should print: {}
  2. Add to CLI config

    Add to ~/.terraformrc (OpenTofu reads the same block from ~/.tofurc or ~/.terraformrc):

    credentials_helper "dotsecenv" {
      args = []
    }
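The two setup steps, collected into one check a practitioner can run before terraform login. This is an added example and not part of dotsecenv or Terraform; it assumes the two plugin directories and the ~/.terraformrc path named on this page, all of which are parameters so the check can be pointed at a scratch directory.

```python
import json
import os
import re
import subprocess
from pathlib import Path
from typing import List, Optional

# The two locations this page names: the per-user directory and the
# directory the deb/rpm/Arch packages install into.
PLUGIN_DIRS = [
    Path("~/.terraform.d/plugins").expanduser(),
    Path("/usr/share/terraform/plugins"),
]


def find_helper(name: str, dirs: List[Path]) -> Optional[Path]:
    """Return the first executable terraform-credentials-<name> in dirs, or None."""
    for d in dirs:
        candidate = d / f"terraform-credentials-{name}"
        if candidate.is_file() and os.access(candidate, os.X_OK):
            return candidate
    return None


def rc_declares_helper(rc_text: str, name: str) -> bool:
    """True if the CLI config text contains a credentials_helper "<name>" { block."""
    pattern = rf'^\s*credentials_helper\s+"{re.escape(name)}"\s*{{'
    return re.search(pattern, rc_text, re.MULTILINE) is not None


def smoke_test(helper: Path, host: str) -> dict:
    """Run `<helper> get <host>` and return the JSON object it prints.

    Raises if the helper exits non-zero, prints invalid JSON, or prints
    something other than an object (a fresh install should print {}).
    """
    proc = subprocess.run(
        [str(helper), "get", host],
        capture_output=True, text=True, check=True, timeout=30,
    )
    out = json.loads(proc.stdout)
    if not isinstance(out, dict):
        raise ValueError(f"helper printed {out!r}, expected a JSON object")
    return out


def check_install(
    name: str = "dotsecenv",
    dirs: List[Path] = PLUGIN_DIRS,
    rc_path: Path = Path("~/.terraformrc").expanduser(),
    host: str = "app.terraform.io",
) -> List[str]:
    """Return the problems found; an empty list means every check passed."""
    problems: List[str] = []
    helper = find_helper(name, dirs)
    if helper is None:
        problems.append(
            f"no executable terraform-credentials-{name} in {[str(d) for d in dirs]}"
        )
    else:
        try:
            smoke_test(helper, host)
        except Exception as exc:  # CalledProcessError, JSONDecodeError, ValueError
            problems.append(f"{helper} get {host} failed: {exc}")
    if not rc_path.is_file() or not rc_declares_helper(rc_path.read_text(), name):
        problems.append(f'{rc_path} has no credentials_helper "{name}" block')
    return problems


if __name__ == "__main__":
    for p in check_install():
        print("PROBLEM:", p)
```

An empty result from check_install means Terraform will be able to locate, execute, and talk to the helper; the most common failure in practice is a binary copied into the plugin directory without the executable bit, which find_helper deliberately refuses to accept.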

Log in to a registry (e.g., Terraform Cloud):

terraform login

Terraform generates an API token and calls store to save it through dotsecenv. The token is encrypted and stored in your vault under the registry hostname (e.g., app.terraform.io).

terraform logout

Terraform calls forget to mark the credentials as deleted in your vault.

You can also call the helper directly (the commands below assume it is on your PATH; otherwise use its full path under the plugin directory). Terraform normally does this automatically, but manual calls are useful for debugging or scripting:

# Store
echo '{"token":"my-api-token"}' | terraform-credentials-dotsecenv store app.terraform.io
# Retrieve
terraform-credentials-dotsecenv get app.terraform.io
# Remove
terraform-credentials-dotsecenv forget app.terraform.io

After terraform login, confirm the token is stored in your vault:

dotsecenv secret get app.terraform.io --json
{
  "added_at": "2026-01-15T10:30:00Z",
  "value": { "token": "my-api-token" },
  "vault": "~/.secenv.vault"
}

| Problem | Cause | Solution |
| --- | --- | --- |
| terraform login fails with "credentials helper not found" | Helper not in a plugin directory | Check that terraform-credentials-dotsecenv exists in ~/.terraform.d/plugins/ (or /usr/share/terraform/plugins/ for packaged installs) and is executable |
| store fails with "not valid JSON" | Malformed input | Check that the JSON is well-formed by piping it through python3 -m json.tool |
| store fails with "must contain a 'token' property" | Missing token key | Terraform always sends a token property; check for manual input errors |
| get returns {} for a stored secret | Secret key case mismatch | dotsecenv normalizes keys to UPPERCASE; check what is actually stored with dotsecenv secret get |
| GPG passphrase prompt during terraform init | gpg-agent not caching the passphrase | Raise default-cache-ttl and max-cache-ttl in ~/.gnupg/gpg-agent.conf, then apply with gpgconf --reload gpg-agent |