Are Provider Credentials required in Scalr?¶
Provider credentials are required for Terraform runs to execute, but you decide where credentials are actually stored. Scalr.io provides the ability to store encrypted Provider Credentials and will automatically pass them to runs. Some business requirements, like a Business Associate Agreement (BAA), require that the credentials are not stored with a SaaS vendor and Scalr can accommodate this as well.
Provider Credentials Outside of Scalr¶
For businesses who must store the credentials outside of Scalr, you have the option of using the Self Hosted Agent Pools, which provides flexibility in where the credentials are stored. Agents are placed in the network of your choice and scalr.io will never have connection to the agent, the agent only pulls information from scalr.io and executes Terraform runs accordingly. Because provider credentials just need to be passed to the Terraform runs as shell variables, this gives you flexibility on how the credential is actually supplied:
Using automation to set it as an OS variable on the agent server.
Pulled from a vault at the time of run execution with custom hooks.
Inherited from the instance profile of the server that the agent is hosted on.
Any of these methods ensure that scalr.io never has access to your credentials and it is solely managed within your network.