Keeping Secrets Safe in Terraform with AWS KMS

In this tutorial, we will explore best practices for keeping secrets safe in Terraform with AWS KMS.

Keeping Secrets Safe in Terraform with AWS KMS
Photo by Kaffeebart / Unsplash

Terraform is a powerful infrastructure as code (IaC) tool that allows you to define, provision, and manage your cloud infrastructure. When working with Terraform, it's essential to handle secrets securely to protect sensitive information such as API keys, passwords, and access tokens.

In this tutorial, we will explore best practices for keeping secrets safe in Terraform.

Step 1: Use Environment Variables

One common practice for handling secrets in Terraform is to use environment variables. This approach allows you to keep secrets outside of your Terraform configuration files.

Set environment variables for your secrets

export TF_VAR_aws_access_key="your_access_key"
export TF_VAR_aws_secret_key="your_secret_key"

In your Terraform configuration, reference these environment variables using the var function

provider "aws" {
  access_key = var.TF_VAR_aws_access_key
  secret_key = var.TF_VAR_aws_secret_key
  region     = "us-west-2"

Step 2: Use the HashiCorp Vault

HashiCorp Vault is a tool designed specifically for managing secrets, and it integrates well with Terraform. Here's how to use Vault to store and retrieve secrets:

  1. Install and configure HashiCorp Vault. Follow the official documentation for setup instructions:
  2. Store your secrets in Vault. For example, you can store AWS access and secret keys :
  3. In your Terraform configuration, use the vault data source to fetch secrets :
data "vault_generic_secret" "aws_secrets" {
  path = "secret/my-app"

provider "aws" {
  access_key =["aws-access-key"]
  secret_key =["aws-secret-key"]
  region     = "us-west-2"

Step 3: Encrypt Sensitive Data with KMS

Amazon Web Services (AWS) Key Management Service (KMS) can be used to encrypt sensitive data, such as API keys, stored in Terraform state files. Terraform provides the sensitive argument to prevent values from being displayed in the plan or apply output.

Encrypt your secret data using KMS :

variable "my_secret_key" {
  description = "My sensitive secret key"
  type        = string
  sensitive   = true

Use the sensitive variable in your Terraform configuration:

resource "aws_s3_bucket" "example" {
  bucket = "my-example-bucket"
  acl    = "private"

  tags = {
    Name = "My Example Bucket"

Step 4: Avoid Committing Secrets to Version Control

Ensure that you never commit secrets or sensitive information directly into your version control system (e.g., Git).

Use .gitignore or other exclusion mechanisms to prevent secrets from being accidentally checked in.

Step 5: Leverage Secret Management Tools

Consider using secret management tools like AWS Secrets Manager, Azure Key Vault, or GCP Secret Manager to securely store and manage your secrets. These tools provide integrations and APIs that can be used in combination with Terraform.


In conclusion, securing secrets in Terraform is crucial for maintaining the security of your infrastructure.

By following these best practices, you can protect sensitive information, maintain compliance, and ensure the integrity of your infrastructure deployments. Remember that the specific approach you choose may depend on your infrastructure provider and organizational requirements.