Feature Request: Service Account support

[gabrielrinaldi]

Summary

Is there a plan to add service account support to Terraform?

Use cases

I have a private cluster and connection to 1Password would be a lot easier through a SA instead of having to deploy a Terraform Agent in the cluster

Proposed solution

Add SA support to the Terraform provider

Is there a workaround to accomplish this today?

Today I would have to deploy a Terraform Agent in the cluster and install the 1Password Operator to give access to secrets

References & Prior Work

• GitHub Actions can use SA

[dustin-ruetz]

Hi @gabrielrinaldi - thanks for reaching out with this feature request. I can confirm that using Service Accounts with Terraform is on our radar, but I can't provide any commitments or timelines as of this writing. Thank you again for expressing your interest!

[gabrielrinaldi]

Thanks for getting back to me @dustin-ruetz, I think that would be game changing in replacing Vault (I was using that prior) as it would allow for more security and simplify password management incredibly. Please keep me posted as I am super interested in this.

[gabrielrinaldi]

@dustin-ruetz is this something I could help with? I don't know how to build terraform providers, but I am willing to try as secrets are a little out of control given that I can't use them in Terraform unless I open connect to the internet.

[franklouwers]

@dustin-ruetz Hi, would this still be on the short-term radar? I have a few customers where setting up and hosting a separated Connect wouldn't make a lot of sense, but using an SA would be the perfect solution.

[TakumiHaruta]

This is really good. We're eagerly awaiting this feature!

[ekostjuk]

Hacky ugly workaround:
Improved something that was previously shared on 1p slack by another dev: gist
You'd still want connect for serious stuff.

[xophere]

Yeah this provider is basically pointless without service account support.

[xophere]

Yeah we just opted to use a different tool because the template process isn't gonna cut it.

[gabrielrinaldi]

@xophere what vendor are you using? I am evaluating AWS Secrets and Vault Open Source as options this does not seem ready for production yet.

[xophere]

Yeah just falling back to aws native secrets manager. It simplifies somethings. Also segregates corp secrets from platform ones. But I still don't like multiple storage locations. Looking into the template method via the cli tool. It would work with a tfvars file. But my boss just rejected it on principle. More things to inject into the deployment process and the cli env for manual deployment. I got more code to write now. Really strange they bothered to make this module without this feature. I suppose it just helps minimize tie in to 1password. So dumb. Can't be that many hours of dev time to make this work.

[alecsiemerink]

We are eagerly awaiting this feature as well. If any help is needed with implementation, let us know. Without service account support, this provider is mostly useless unfortunately.

[dustin-ruetz]

Thanks all for your patience on this issue 🙏 While I can’t share specifics on timelines, I can confirm that this feature is on our roadmap and is a high priority. With that being said, we have recently modernized our CONTRIBUTING.md file as a starting point to help guide external contributors who are interesting in adding features.

CC @gabrielrinaldi @franklouwers @alecsiemerink

[tim-oster]

Hey all, just opened a PR that adds basic Service Account support. Works in my setup but might need some improvements.

[gruizonestic]

Are there any news on this matter? It would completely change the way we use 1Password and terraform together to store secrets in a very positive manner.

[dbrennand]

#99 has been merged now so shouldn't be long before a new release is available 🙂

[volodymyrZotov]

This is released in v1.3.0

[dbrennand]

This is released in v1.3.0

Thanks @volodymyrZotov @tim-oster 🚀