docs/src/data/changelog/v1.1.0/opt-out-auth-enabled-by-default.mdx
import { Aside } from '@astrojs/starlight/components'
--no-discovery-auth-provider-cmdBy default, Terragrunt runs your --auth-provider-cmd once for every unit it discovers, so HCL functions that need credentials resolve correctly during parsing. In a large repository, that can mean hundreds of invocations before any unit runs, which can dominate wall-clock time on change-based runs.
The --no-discovery-auth-provider-cmd flag (env: TG_NO_DISCOVERY_AUTH_PROVIDER_CMD) skips those invocations during the discovery phase, leaving auth to run only for the units that actually execute:
terragrunt run --all \
--no-discovery-auth-provider-cmd \
--queue-include-units-reading=./changed-file.txt \
-- plan
Previously gated behind the opt-out-auth experiment, the flag now works without --experiment opt-out-auth.