hashicorp · tyrannosaurus-becks · May 21, 2020 · Apr 15, 2020 · Apr 15, 2020 · Apr 16, 2020
diff --git a/vault/provider.go b/vault/provider.go
@@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"log"
+	"net/http"
 	"os"
 	"strings"
 
@@ -157,6 +158,26 @@ func Provider() terraform.ResourceProvider {
 				DefaultFunc: schema.EnvDefaultFunc("VAULT_NAMESPACE", ""),
 				Description: "The namespace to use. Available only for Vault Enterprise",
 			},
+			"headers": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Sensitive:   true,
+				Description: "The headers to send with each Vault request.",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"name": {
+							Type:        schema.TypeString,
+							Required:    true,
+							Description: "The header name",
+						},
+						"value": {
+							Type:        schema.TypeString,
+							Required:    true,
+							Description: "The header value",
+						},
+					},
+				},
+			},
 		},
 		ConfigureFunc:  providerConfigure,
 		DataSourcesMap: dataSourcesMap,
@@ -637,6 +658,21 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 	if err != nil {
 		return nil, fmt.Errorf("failed to configure Vault API: %s", err)
 	}
+	// Set headers if provided
+	headers := d.Get("headers").([]interface{})
+	parsedHeaders := client.Headers().Clone()
+
+	if parsedHeaders == nil {
+		parsedHeaders = make(http.Header)
+	}
+
+	for _, h := range headers {
+		header := h.(map[string]interface{})
+		if name, ok := header["name"]; ok {
+			parsedHeaders.Add(name.(string), header["value"].(string))
+		}
+	}
+	client.SetHeaders(parsedHeaders)
 
 	client.SetMaxRetries(d.Get("max_retries").(int))
 

diff --git a/vault/provider_test.go b/vault/provider_test.go
@@ -174,6 +174,29 @@ func TestAccAuthLoginProviderConfigure(t *testing.T) {
 	}
 }
 
+func TestTokenReadProviderConfigureWithHeaders(t *testing.T) {
+	rootProvider := Provider().(*schema.Provider)
+
+	rootProviderResource := &schema.Resource{
+		Schema: rootProvider.Schema,
+	}
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testHeaderConfig("auth", "123"),
+				Check:  testTokenName_check("token-testtoken"),
+			},
+		},
+	})
+
+	rootProviderData := rootProviderResource.TestResourceData()
+	if _, err := providerConfigure(rootProviderData); err != nil {
+		t.Fatal(err)
+	}
+}
+
 func TestAccNamespaceProviderConfigure(t *testing.T) {
 	isEnterprise := os.Getenv("TF_ACC_ENTERPRISE")
 	if isEnterprise == "" {
@@ -584,6 +607,23 @@ func TestAccTokenName(t *testing.T) {
 	}
 }
 
+func testHeaderConfig(headerName, headerValue string) string {
+	providerConfig := fmt.Sprintf(`
+	provider "vault" {
+		headers {
+			name  = "%s" 
+			value = "%s"
+		}
+		token_name = "testtoken"
+	}
+
+	data "vault_generic_secret" "test" {
+		path = "/auth/token/lookup-self"
+	}
+	`, headerName, headerValue)
+	return providerConfig
+}
+
 // Using the data lookup generic_secret to inspect used token
 // by terraform (this enables check of token name)
 func testTokenNameConfig(tokenNameSchema bool, tokenName string) string {

diff --git a/website/docs/index.html.markdown b/website/docs/index.html.markdown
@@ -149,6 +149,10 @@ variables in order to keep credential information out of the configuration.
 * `namespace` - (Optional) Set the namespace to use. May be set via the
   `VAULT_NAMESPACE` environment variable. *Available only for Vault Enterprise*.
 
+* `headers` - (Optional) A configuration block, described below, that provides headers
+to be sent along with all requests to the Vault server.  This block can be specified 
+multiple times.
+
 The `auth_login` configuration block accepts the following arguments:
 
 * `path` - (Required) The login path of the auth backend. For example, login with
@@ -171,6 +175,12 @@ The `client_auth` configuration block accepts the following arguments:
 * `key_file` - (Required) Path to a file on local disk that contains the
   PEM-encoded private key for which the authentication certificate was issued.
 
+The `headers` configuration block accepts the following arguments:
+
+* `name` - (Required) The name of the header.
+
+* `value` - (Required) The value of the header.
+
 ## Example Usage
 
 ```hcl