February 25, 2026
Your Data Lives in America: Why Europe Needs a Sovereign Data Platform
Europe has no independent data platform. Why digital sovereignty matters now and how DataBaas is building a European data platform.
Recent trade tensions between the US and EU highlight why digital sovereignty matters. European cloud alternatives like OVHcloud are relevant not just for technical or cost reasons, but for control over where your data resides and which jurisdiction governs it.
If you’re using Infrastructure-as-Code with Terraform or OpenTofu on OVHcloud, setting up API credentials and getting started can be a bit tricky. This step-by-step guide shows you how to configure OVH API tokens and deploy your first Object Storage bucket on European infrastructure.
The Provider Situation (It’s a Bit of a Mess)
Before we start: OVHcloud doesn’t have a single, unified Terraform provider. Depending on which resources you need to manage, you’ll need multiple providers:
| Provider | What It Manages |
|---|---|
| ovh/ovh | OVH-specific: Kubernetes, private networks, vRack, DNS, Object Storage, databases |
| openstack | Compute instances, block storage, keypairs, security groups, floating IPs |
| hashicorp/aws | S3-compatible Object Storage operations (alternative to OVH provider) |
OVHcloud’s Public Cloud is built on OpenStack, but not all resources are exposed through the OpenStack API. This makes managing infrastructure-as-code a bit more complex. For this guide, we’ll use the native ovh/ovh provider. More details: OVH Terraform documentation.
What You’ll Need
The OVH Terraform provider requires four authentication parameters:
- OVH_ENDPOINT – Your OVH region (e.g.,
ovh-eufor Europe) - OVH_APPLICATION_KEY – API application identifier
- OVH_APPLICATION_SECRET – API application secret
- OVH_CONSUMER_KEY – API consumer token with delegated rights
You’ll also need your Public Cloud Project ID. Find this in the OVH Control Panel under Project Settings.
Creating OVH API Credentials: Step-by-Step
Step 1: Navigate to the Token Creation Page
Go to the OVH API token creation page for your region:
- Europe: https://eu.api.ovh.com/createToken/
- United States: https://api.us.ovhcloud.com/createToken/
- Canada: https://ca.api.ovh.com/createToken/
Log in with your OVHcloud account credentials.
Step 2: Configure Your Application
Fill in the form with these details:
- Script name:
terraform-infrastructure(or any recognizable identifier) - Script description: Optional description of what this API token is for
- Validity: Unlimited, or 30 days (recommended for infrastructure automation)
Step 3: Grant API Rights (The Critical Step)
This is where it gets interesting. For full Terraform functionality, you need four HTTP methods. Add each by clicking the + button. Use /* as the path for all methods:
| Method | Path | Why It’s Needed |
|---|---|---|
| GET | /* | Read resources and refresh Terraform state |
| POST | /* | Create new resources |
| PUT | /* | Update existing resources |
| DELETE | /* | Remove resources during cleanup |
Important warnings:
- Do NOT add PATCH — this causes an Internal Server Error in the OVH form.
- Use
/*as the path — this grants access to all API endpoints. Empty paths or specific paths like/cloud/*can cause validation errors or unexpected access issues.
Step 4: Generate and Save Credentials
Click “Create keys”. You’ll receive three values: Application Key (AK), Application Secret (AS), Consumer Key (CK). Save these credentials immediately — the Application Secret is only shown once!
Setting Up Your Terraform Project for OVH Cloud
Want to skip right to the code? Check out the repo: github.com/wolkwork/ovh-tofu-example. Otherwise, keep reading.
Create a new directory:
mkdir ovh-terraform && cd ovh-terraformConfigure Environment Variables
Create a .env file with your OVH API credentials. Important: use export for each variable:
# .env
export OVH_ENDPOINT="ovh-eu"
export OVH_APPLICATION_KEY="your_application_key"
export OVH_APPLICATION_SECRET="your_application_secret"
export OVH_CONSUMER_KEY="your_consumer_key"
export TF_VAR_service_name="your_project_id"Add .env to your .gitignore for security:
echo ".env" >> .gitignoreCreate Terraform Configuration Files
provider.tf:
terraform {
required_version = ">= 1.0"
required_providers {
ovh = {
source = "ovh/ovh"
version = "~> 2.1"
}
}
}
provider "ovh" {
# Credentials are automatically loaded from OVH_* environment variables
}variables.tf:
variable "service_name" {
description = "Your OVH Public Cloud project ID"
type = string
}storage.tf:
resource "ovh_cloud_project_storage" "bucket" {
service_name = var.service_name
region_name = "GRA" # Gravelines, France
name = "my-test-bucket"
}Deploying Object Storage with OpenTofu/Terraform
-
Load your .env:
source .env
Verify:echo $OVH_ENDPOINTandecho $TF_VAR_service_name. -
Init:
tofu initorterraform init -
Plan:
tofu planorterraform plan
You should see something like:Plan: 1 to add, 0 to change, 0 to destroy. -
Apply:
tofu applyorterraform apply
Typeyeswhen prompted for confirmation. -
Verify: Go to Public Cloud → Object Storage in the OVH Control Panel to see your new bucket.
Cleaning Up
tofu destroy
# or
terraform destroyType yes to confirm deletion.
Available OVH Cloud Regions for Object Storage
| Region Code | Datacenter Location | Country |
|---|---|---|
| GRA | Gravelines | France |
| SBG | Strasbourg | France |
| BHS | Beauharnois | Canada |
| DE | Frankfurt | Germany |
| UK | London | United Kingdom |
| WAW | Warsaw | Poland |
Common Problems and Solutions
“unknown endpoint ”” – Your environment variables aren’t being exported correctly. Make sure your .env file uses export for each variable and run source .env.
Internal Server Error during token creation – Remove PATCH from the methods list and use /* as the path for all methods.
“This call has not been granted” – Your API token is missing required permissions. Create a new token with GET, POST, PUT, and DELETE methods, all with /* as the path.
“Invalid signature” – Your Application Secret is incorrect or corrupted. Verify that OVH_APPLICATION_SECRET is copied completely without extra spaces or line breaks.
Terraform prompts for service_name – TF_VAR_service_name isn’t set. Verify with echo $TF_VAR_service_name and run source .env again if it’s empty.
Security Best Practices
- Never commit credentials — always add
.envto your.gitignore. - Use environment variables — keep secrets out of your Terraform code.
- Rotate credentials regularly.
- Use separate tokens per environment (dev/staging/prod).
- For production: consider a secret manager (e.g., HashiCorp Vault).
- Limit token validity where possible.
Useful Resources
Configuring OVH API credentials for Terraform doesn’t need to be complex: four HTTP methods (GET, POST, PUT, DELETE) with /*, credentials stored securely in environment variables, and test your setup with a simple Object Storage deployment. Using Infrastructure-as-Code with OVHcloud makes your cloud infrastructure reproducible, version-controlled, and manageable. Whether you use OpenTofu or Terraform, the workflow remains the same. With OVH as a European cloud provider, you maintain control over where your data resides.
Originally by Stijn Meijers on the Wolk Blog.
This article was written by Stijn Meijers Founder & Data Architect at Wolk