meshCLI: Login with your personal meshStack identity for use in the Terraform provider
Jelle den Burger
Problem / Use Case
When using the meshStack Terraform provider, authentication currently requires a long-lived API key (client ID + secret). This means every developer or platform engineer who wants to run `terraform plan` or `terraform apply` locally must either:
- Create and manage a personal API key, or
- Share a team/service-account API key — reducing auditability and violating least-privilege principles.
There is no way to authenticate as your personal meshStack user (e.g. via SSO / Entra ID) when using the Terraform provider. This is a gap compared to other cloud provider CLI experiences, such as `az login` (Azure), `gcloud auth login` (GCP), or `aws sso login` (AWS), where a one-time interactive browser login gives the CLI and Terraform provider access to your personal identity.
Value / Impact
A meshCLI with a `meshcli login` command (or equivalent) would allow platform engineers and application team members to:
- Authenticate once using their corporate SSO identity (Entra ID, Okta, etc.) via a browser popup.
- Have the meshStack Terraform provider automatically pick up the resulting short-lived token — no long-lived secrets required.
- Improve auditability: all API calls and Terraform operations are attributed to the real user, not a shared service account.
- Reduce the operational burden of managing, rotating, and distributing API keys for local development workflows.
This would bring meshStack's developer experience in line with modern cloud CLI tooling and support zero-standing-privileges / short-lived credential patterns.
Andreas Grub
Manuel Müller Well, kind of yes, the CLI can be a good tool to be used by Copilot, but impersonating a user from an agent session (running with the Microsoft (or GitHub?) identity of a user, I don't know MS Copilot Studio at all to be honest) would require some more work concerning the trust relationship against the meshStack identity provider so you can log in there with your Microsoft/GitHub identity. The feature request here is much simpler in this regard as it intends to re-use the login used to access the meshStack Panel UI (using an internal UI API) also against meshStack's Public API in a convenient manner, which eventually makes usage of our Terraform provider more convenient (no need to manually create/manage/store API keys anymore). Feel free to raise another Feature Request here, in particular explaining what your use case would be.
Manuel Müller
Would this enable us to use on-behalf-of (OBO) flow with Microsoft Copilot Studio?