1. HashiCorp Terraform Documentation, "Sensitive Input Variables": This document explicitly states: "Terraform will still record the value in the state file, and so anyone who can access the state data will have access to the sensitive values in cleartext." This directly refutes the effectiveness of option C for preventing storage in the state file. (Source: HashiCorp Terraform Documentation, docs/language/values/variables.md, Section: "Sensitive Input Variables".)

2. HashiCorp Terraform Documentation, "Provider Configuration": This page recommends against hardcoding credentials (option B) and suggests environment variables as a preferred alternative. It states: "Hard-coding credentials into any Terraform configuration is not recommended... we recommend using environment variables where possible for the provider's credentials." This separation is key to why the credentials don't end up in the state. (Source: HashiCorp Terraform Documentation, docs/language/providers/configuration.md, Section: "Provider Configuration".)

3. HashiCorp Terraform Documentation, AWS Provider, "Authentication and Configuration": The documentation for specific providers, such as AWS, details the credential lookup order. Environment variables are a standard method where the provider's underlying SDK (e.g. the AWS SDK) reads the credentials from the environment. This process happens within the provider, outside of the configuration values that Terraform itself persists to the state file. (Source: HashiCorp Terraform Registry, providers/hashicorp/aws/latest/docs, Section: "Authentication and Configuration".)
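The distinction the three references draw, as an added illustration that is not code from the HashiCorp documentation: a `sensitive = true` variable whose value still reaches the state file through a resource attribute, a hardcoded provider block, and the environment-variable form that keeps provider credentials out of state. The variable, resource and identifier names are assumptions; the credential strings are placeholders.

```hcl
# Added example (not HashiCorp's code). Comments mark where each secret ends up.

# Option C style: sensitive = true only redacts the value in plan/apply output.
# Any resource attribute or output that references it is still written to the
# state file in cleartext, so the state backend's access controls (and its
# encryption at rest) are what actually protect it.
# Supplied at run time, e.g.:  export TF_VAR_db_password='...'
variable "db_password" {
  type      = string
  sensitive = true
}

# Option B style: hardcoded provider credentials. Not recommended: the literals
# live in the configuration, so anyone who can read the repository has the keys.
# (Placeholder values, not real keys.)
#
# provider "aws" {
#   region     = "us-east-1"
#   access_key = "EXAMPLE_ACCESS_KEY_PLACEHOLDER"
#   secret_key = "EXAMPLE_SECRET_KEY_PLACEHOLDER"
# }

# Recommended: no credential arguments at all. The AWS provider's SDK reads
# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY (or a named profile, or an IAM role)
# from the environment when the provider runs. Provider configuration is not a
# resource attribute, so nothing from this block is persisted to the state file.
provider "aws" {
  region = "us-east-1"
}

# The password attribute of this resource is recorded in state in cleartext,
# because Terraform must know the last-applied value to plan future changes.
resource "aws_db_instance" "example" {
  identifier          = "example-db"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "appuser"
  password            = var.db_password # lands in terraform.tfstate
  skip_final_snapshot = true
}
```

After an apply, `terraform state pull` prints the state as JSON; searching it for the password value shows it present in cleartext even though `sensitive = true` hid it from the plan output, while no provider credential appears anywhere in the state.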