TL;DR: OpenTofu has no built-in secrets management, so credentials often leak across plan, apply, and state workflows unless teams use external controls, according to Infisical’s integration guide. Ephemeral resources and OIDC reduce exposure, but the real shift is treating secrets handling as an identity governance problem, not a configuration convenience.
At a glance
What this is: This practical integration guide shows how Infisical connects to OpenTofu so secrets can be fetched at runtime, kept out of state, and authenticated with short-lived machine identities.
Why it matters: It matters because infrastructure-as-code teams often solve provisioning without solving credential governance, and that gap affects NHI, CI/CD, and adjacent human access controls.
By the numbers:
- Only 44% of organisations are currently using a dedicated secrets management system.
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation.
👉 Read Infisical's OpenTofu secrets management integration guide
Context
OpenTofu secrets management is not a convenience layer, it is an identity control problem. OpenTofu can provision infrastructure cleanly, but the moment credentials enter plan output, apply execution, or state storage, the programme inherits the same exposure patterns that have made secrets sprawl persistent across modern delivery pipelines.
Infisical’s guide focuses on runtime secret injection, ephemeral resources, and OIDC-based machine identity authentication because those are the control points that change the security outcome. For teams that still rely on static files, environment variables, or ad hoc pipeline credentials, the issue is not tooling preference. It is whether identity governance is applied before the secret reaches code, logs, or state.
Key questions
Q: How should teams keep OpenTofu secrets out of state files?
A: Use runtime secret retrieval patterns that fetch values only during execution, then discard them before the run completes. Ephemeral resources are the strongest option because they avoid persisting sensitive values in state, while state encryption should remain a secondary safeguard rather than the primary control.
Q: Why do OpenTofu workflows create secrets risk even when state is encrypted?
A: Because encryption at rest does not remove exposure during planning, applying, or logging. Secrets can still appear in variables, environment values, provider calls, and memory while the run executes, so the real control objective is to prevent persistent secret copies from forming in the first place.
Q: What do security teams get wrong about using environment variables for secrets?
A: They often assume environment variables are safer than files, which is only partly true. They reduce obvious source-code exposure, but they can still be dumped, logged, inspected by other processes, or captured in crash reports, so they are not a complete secrets governance model.
Q: Who is accountable for OpenTofu secret handling in CI/CD pipelines?
A: Accountability sits with the team that owns the pipeline, the state backend, and the secret source, because all three shape the exposure boundary. A secure design should combine short-lived machine identity, narrow access scope, and separation between deployment access and secret administration.
Technical breakdown
Why OpenTofu secrets leak across plan, apply, and state
OpenTofu is designed to orchestrate infrastructure, not to manage secret lifecycle. During plan, values may be loaded from variables or environment settings to validate configuration. During apply, those values can travel through provider calls and logs. During state persistence, resource attributes may be written into the state file unless a different pattern is used. Native state encryption protects data at rest, but it does not eliminate in-memory exposure or logging risk during execution. That distinction matters because many teams mistake encrypted state for end-to-end secret protection when it is only one layer of control.
Practical implication: Treat state encryption as necessary but insufficient, and remove secrets from execution paths wherever possible.
Ephemeral resources vs data sources in runtime secret injection
Ephemeral resources change the persistence model. Instead of writing secret values into the state file, they fetch them during execution and release them after the run completes. Data sources can still work for less sensitive values, but they keep a wider exposure surface because their outputs may be stored in state. The architectural difference is simple: one model treats secret retrieval as transient runtime access, while the other treats it as an ordinary configuration lookup. For sensitive database credentials or API keys, that distinction is the difference between temporary use and durable exposure.
Practical implication: Use ephemeral resources for high-value credentials and reserve data sources for values that can safely persist.
OIDC and Universal Auth as machine identity controls
The bootstrapping problem appears whenever a pipeline needs credentials in order to retrieve credentials. OIDC breaks that loop by letting the CI platform assert identity and exchange a short-lived token for access without storing long-lived secrets. Universal Auth is the fallback when OIDC is unavailable, but it still introduces a client secret that must be stored, scoped, and rotated. In identity terms, OIDC reduces standing privilege, while Universal Auth reduces only some of the operational burden. That difference is central to how teams should evaluate pipeline authentication patterns.
Practical implication: Prefer OIDC for CI/CD authentication and treat Universal Auth as a constrained fallback rather than the default pattern.
NHI Mgmt Group analysis
OpenTofu secrets management fails when teams confuse provisioning with credential governance. Infrastructure code can be correct while the identity layer remains unsafe, because plan output, apply execution, and state storage all create separate leak surfaces. That is why this topic belongs in NHI governance rather than pure DevOps practice. Practitioners should treat every IaC workflow as a credential handling workflow first.
Runtime secret injection is the control shift that matters, not storage format alone. The important distinction is whether secrets exist only long enough to be consumed or whether they persist beyond the execution window. Ephemeral resources narrow the blast radius by removing durable secret copies from state, which is exactly the kind of lifecycle boundary NHI programmes need to enforce. The practical conclusion is to classify persistence as the risk, not just exposure.
Bootstrapping secrets access with static credentials recreates the problem you are trying to solve. If a pipeline must store a long-lived secret to retrieve other secrets, the access chain has already lost its governance discipline. OIDC changes the model by using federated identity and short-lived assertion-based access instead of a standing credential. Practitioners should recognise this as a machine identity control issue, not merely a convenience feature.
Standing secret exposure window: OpenTofu workflows that rely on .tfvars files, environment variables, or state-backed data sources create durable opportunities for credential reuse and leakage. This is the failure mode the guide is really describing. The implication is that teams need to govern when secrets exist, where they can surface, and which execution states are allowed to persist them. That is a lifecycle problem, not a formatting problem.
The market signal is convergence around runtime governance for machine identity. Teams are moving away from brittle glue code and toward systems that combine secret retrieval, authentication, and auditability in one operational flow. That suggests the category is maturing beyond storage into access orchestration. Practitioners should expect OpenTofu integrations to be judged on lifecycle control, not just on whether they can return a value.
From our research:
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation, according to The State of Secrets Sprawl 2026.
- 28% of secrets incidents now originate outside code repositories, in Slack, Jira, and Confluence, and are 13% more likely to be categorised as critical than code-based leaks.
- That is why the Guide to the Secret Sprawl Challenge is the next resource to review if your programme still treats secrets as a code-only problem.
What this signals
Runtime secret governance is becoming a baseline control, not an advanced pattern. As infrastructure teams adopt OpenTofu and similar tooling, the programme question shifts from whether secrets can be injected to whether they can be injected without persistence. The practical test is simple: if a credential can appear in plan output, state, logs, or a reusable pipeline secret, it is still governed as a standing asset rather than a transient one. Teams should expect audit conversations to move in that direction.
Ephemeral credential handling is the concept worth naming and standardising. It describes a model where access exists only long enough for the infrastructure action to complete, then disappears before it can be reused or certified. That matters because identity reviews, rotation policies, and incident response are all weaker when the secret never had a stable lifecycle boundary. The programme implication is to align secret handling with lifecycle control, not with deployment convenience.
With 88% of security professionals already concerned about secrets sprawl, the governance pressure is no longer theoretical, and OpenTofu integrations will be judged on whether they remove secret persistence rather than merely hiding it in another layer. This is where machine identity, CI/CD design, and state management converge into one operating model.
For practitioners
- Replace static secret injection with runtime retrieval Move sensitive credentials out of .tfvars files, hardcoded values, and long-lived environment variables. Use runtime fetch patterns so secrets exist only during execution and are not copied into state or version history.
- Adopt ephemeral resources for sensitive values Use ephemeral secret resources for database passwords, API keys, and other high-value credentials so they never persist in the state file. Reserve ordinary data sources for low-risk configuration values that can safely survive the run.
- Prefer OIDC over stored pipeline credentials Configure CI/CD to exchange short-lived identity assertions instead of storing a reusable client secret. Keep Universal Auth only for environments that cannot support OIDC, and constrain it to the narrowest possible scope.
- Separate read and write identities Give deployment pipelines read-only access to the secrets they need and keep secret administration behind a separate identity. That limits what a compromised runner can retrieve or alter during an infrastructure change.
Key takeaways
- OpenTofu creates a secrets governance problem whenever credentials persist across plan, apply, or state workflows.
- Runtime retrieval and ephemeral resources materially reduce exposure because they remove durable secret copies from the execution path.
- Teams that still rely on static pipeline credentials should reframe the issue as machine identity governance, not as a tooling preference.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers secret handling and rotation risks exposed by OpenTofu workflows. |
| NIST CSF 2.0 | PR.AC-4 | Access management and least privilege apply to machine identities used in CI/CD. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | OIDC-based short-lived authentication aligns with zero-trust access to secrets systems. |
Map pipeline identities to least-privilege access and separate deploy from admin entitlements.
Key terms
- Ephemeral Secret: A secret fetched only for the duration of a single run and not written to persistent storage. In OpenTofu workflows, this reduces the chance that passwords, API keys, or tokens survive in state files, logs, or version control after execution completes.
- Machine Identity: The identity used by software, CI/CD runners, and other non-human actors to authenticate to systems and retrieve resources. In this context, it should be short-lived, narrowly scoped, and separable from human access so that deployment automation does not inherit standing privilege.
- Standing Secret Exposure: A condition where a credential persists long enough to be reused, copied, logged, or extracted from state, memory, or pipeline artefacts. This is the core governance problem in many IaC environments because the secret survives beyond the action that needed it.
- Runtime Secret Injection: The practice of retrieving sensitive values during execution instead of embedding them in code, variables, or state. It is a control pattern for machine identity and secrets governance that narrows exposure to the shortest possible lifecycle boundary.
What's in the full article
Infisical's full blog post covers the operational detail this post intentionally leaves for the source:
- The provider configuration examples for both Terraform-compatible and OpenTofu-specific execution flows.
- The GitHub Actions workflow details that show how OIDC is wired into CI/CD authentication.
- The full Vault comparison, including the operational overhead the integration guide contrasts against.
- The production deployment example with directory layout, backend settings, and resource definitions.
👉 The full Infisical guide covers provider configuration, CI/CD auth, and Vault migration details.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-03-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org