HashiCorp announced general availability of AWS temporary permission delegation for HCP Terraform this week. This feature integrates AWS’s just-in-time access model with HCP Terraform’s dynamic provider credentials, addressing a longstanding operational friction: securely authenticating Terraform to AWS without permanent credentials.
For organizations managing AWS infrastructure at scale, this represents a meaningful simplification of the security posture while maintaining strict governance controls.
The Problem: AWS Credential Management at Scale
Authenticating Terraform to AWS has historically required one of several approaches, each with trade-offs.
Static IAM user credentials are simple but create long-lived secrets that must be rotated and secured. Instance profiles and IAM roles work for self-hosted runners but do not help with SaaS platforms. OIDC federation is more secure but requires complex configuration and ongoing management. Assume-role chains are powerful but difficult to troubleshoot and audit.
HCP Terraform’s dynamic provider credentials, announced at re:Invent 2025, generate temporary credentials for each Terraform run. But setting up the underlying IAM roles and trust relationships still required multiple AWS configuration steps.
The Solution: AWS Temporary Permission Delegation
AWS introduced IAM temporary permission delegation at re:Invent 2025. It allows customers to grant trusted partners short-lived, customer-approved access to AWS services for specific, time-bound tasks.
Think of it as giving a cleaning service temporary access to your house: they get a key that works for exactly the rooms you specify, only during the hours you approve, and you can revoke it instantly if needed.
When HCP Terraform needs AWS access, the flow is:
- You authorize delegation of specific IAM permissions to HashiCorp.
- HCP Terraform requests temporary credentials through the delegation model.
- AWS generates ephemeral credentials scoped to your approved permissions.
- Terraform executes with these time-bound credentials, which automatically expire after the run completes.
Integration with Dynamic Provider Credentials
HCP Terraform’s dynamic provider credentials feature generates temporary credentials on demand for each workload. Combined with AWS delegation, this provides automatic IAM role setup and minimal configuration, and it preserves governance: the customer controls the delegation and can revoke it.
Security Benefits
The security model has several advantages over traditional approaches:
- No standing access: HashiCorp only has access while you have explicitly delegated it.
- Time-bound by default, with configurable expiration windows.
- Customer-controlled revocation through AWS IAM at any time.
- Full audit trail in AWS CloudTrail with clear attribution.
- Least privilege: only the specific permissions you delegate are granted.
Operational Considerations
- Be deliberate about which permissions you delegate: overly broad delegation undermines the security benefits.
- Start with read-only permissions and expand as needed.
- If you run multiple AWS accounts, configure delegation in each account.
- The IAM resources created through delegation are managed by HCP Terraform.
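As an added example (not code from the page, HashiCorp or AWS), a small Python review pass over a candidate delegation policy before you approve it: it flags wildcard actions, mutating actions, and mutating actions granted on every resource, so a team can confirm a policy really is the read-only starting point recommended above. The sample policy is constructed, and the read-only classification by action verb is a heuristic of this example, not an IAM definition.

```python
import json

# Constructed sample policy a team might consider delegating to HCP
# Terraform. The second statement is deliberately broad so the review
# has something to flag; it is not a recommendation from the page.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "s3:ListBucket"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-tfstate/*"},
    ],
})

# Heuristic (an assumption, not an AWS definition): actions whose name
# starts with one of these verbs do not change state.
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def _as_list(value) -> list:
    """IAM allows either a single string or a list in Action/Resource."""
    return value if isinstance(value, list) else [value]


def is_read_only(action: str) -> bool:
    """Classify an IAM action such as 'ec2:DescribeInstances'."""
    if action == "*" or action.endswith(":*"):
        return False  # wildcards always include mutating actions
    name = action.split(":", 1)[1] if ":" in action else action
    return name.startswith(READ_ONLY_PREFIXES)


def review_delegation_policy(policy_json: str) -> list[tuple[int, str, str]]:
    """Return (statement index, finding kind, detail) for each over-broad grant."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))
        mutating = [a for a in actions if not is_read_only(a)]
        for action in mutating:
            kind = "wildcard-action" if action.endswith("*") else "mutating-action"
            findings.append((idx, kind, action))
        if mutating and "*" in _as_list(stmt.get("Resource", [])):
            findings.append((idx, "mutating-on-any-resource", ", ".join(mutating)))
    return findings
```

An empty result means every Allow statement is read-only under the heuristic; each finding names the statement to tighten before the delegation is approved.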
Looking Ahead
HashiCorp and AWS continue to co-innovate on access models that simplify cloud onboarding while maintaining strong security. Organizations can expect additional cloud providers to integrate similar delegation capabilities, creating a more standardized approach to cross-platform infrastructure automation.
The Bottom Line
AWS temporary permission delegation in HCP Terraform represents a meaningful simplification of cloud authentication at scale. If you are currently using static AWS credentials with HCP Terraform, this GA release is worth evaluating. The migration path is straightforward during setup, and the security benefits are immediate.
The feature is available now in all HCP Terraform tiers at no additional cost beyond standard AWS usage.
Sources
- HashiCorp Blog: AWS Permission Delegation GA
- AWS IAM Temporary Delegation Documentation
- HCP Terraform Dynamic Provider Credentials
- re:Invent 2025 HashiCorp Announcement
