diff --git a/docs/data-sources/git_auth.md b/docs/data-sources/git_auth.md
new file mode 100644
index 00000000..5573993d
--- /dev/null
+++ b/docs/data-sources/git_auth.md
@@ -0,0 +1,50 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "coder_git_auth Data Source - terraform-provider-coder"
+subcategory: ""
+description: |-
+  Use this data source to require users to authenticate with a Git provider prior to workspace creation. This can be used to perform an authenticated git clone in startup scripts.
+---
+
+# coder_git_auth (Data Source)
+
+Use this data source to require users to authenticate with a Git provider prior to workspace creation. This can be used to perform an authenticated `git clone` in startup scripts.
+
+## Example Usage
+
+```terraform
+provider "coder" {
+}
+
+data "coder_git_auth" "github" {
+  # Matches the ID of the git auth provider in Coder.
+  id = "github"
+}
+
+resource "coder_agent" "dev" {
+  os   = "linux"
+  arch = "amd64"
+  dir  = "~/coder"
+  env = {
+    GITHUB_TOKEN : data.coder_git_auth.github.access_token
+  }
+  startup_script = <<EOF
+if [ ! -d ~/coder ]; then
+    git clone https://github.com/coder/coder
+fi
+EOF
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `id` (String) The identifier of a configured git auth provider set up in your Coder deployment.
+
+### Read-Only
+
+- `access_token` (String) The access token returned by the git authentication provider. This can be used to pre-authenticate command-line tools.
+
+
diff --git a/examples/data-sources/coder_git_auth/data-source.tf b/examples/data-sources/coder_git_auth/data-source.tf
new file mode 100644
index 00000000..eeed89aa
--- /dev/null
+++ b/examples/data-sources/coder_git_auth/data-source.tf
@@ -0,0 +1,21 @@
+provider "coder" {
+}
+
+data "coder_git_auth" "github" {
+  # Matches the ID of the git auth provider in Coder.
+  id = "github"
+}
+
+resource "coder_agent" "dev" {
+  os   = "linux"
+  arch = "amd64"
+  dir  = "~/coder"
+  env = {
+    GITHUB_TOKEN : data.coder_git_auth.github.access_token
+  }
+  startup_script = <<EOF
+if [ ! -d ~/coder ]; then
+    git clone https://github.com/coder/coder
+fi
+EOF
+}
\ No newline at end of file
diff --git a/provider/gitauth.go b/provider/gitauth.go
new file mode 100644
index 00000000..d5cf9a85
--- /dev/null
+++ b/provider/gitauth.go
@@ -0,0 +1,49 @@
+package provider
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+// gitAuthDataSource returns a schema for a Git authentication data source.
+func gitAuthDataSource() *schema.Resource {
+	return &schema.Resource{
+		Description: "Use this data source to require users to authenticate with a Git provider prior to workspace creation. This can be used to perform an authenticated `git clone` in startup scripts.",
+		ReadContext: func(ctx context.Context, rd *schema.ResourceData, i interface{}) diag.Diagnostics {
+			rawID, ok := rd.GetOk("id")
+			if !ok {
+				return diag.Errorf("id is required")
+			}
+			id, ok := rawID.(string)
+			if !ok {
+				return diag.Errorf("unexpected type %q for id", rawID)
+			}
+			rd.SetId(id)
+
+			accessToken := os.Getenv(GitAuthAccessTokenEnvironmentVariable(id))
+			rd.Set("access_token", accessToken)
+
+			return nil
+		},
+		Schema: map[string]*schema.Schema{
+			"id": {
+				Type:        schema.TypeString,
+				Required:    true,
+				Description: "The identifier of a configured git auth provider set up in your Coder deployment.",
+			},
+			"access_token": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "The access token returned by the git authentication provider. This can be used to pre-authenticate command-line tools.",
+			},
+		},
+	}
+}
+
+func GitAuthAccessTokenEnvironmentVariable(id string) string {
+	return fmt.Sprintf("CODER_GIT_AUTH_ACCESS_TOKEN_%s", id)
+}
diff --git a/provider/gitauth_test.go b/provider/gitauth_test.go
new file mode 100644
index 00000000..481d79f5
--- /dev/null
+++ b/provider/gitauth_test.go
@@ -0,0 +1,44 @@
+package provider_test
+
+import (
+	"testing"
+
+	"github.com/coder/terraform-provider-coder/provider"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestGitAuth(t *testing.T) {
+	t.Parallel()
+
+	resource.Test(t, resource.TestCase{
+		Providers: map[string]*schema.Provider{
+			"coder": provider.New(),
+		},
+		IsUnitTest: true,
+		Steps: []resource.TestStep{{
+			Config: `
+			provider "coder" {
+			}
+			data "coder_git_auth" "github" {
+				id = "github"
+			}
+			`,
+			Check: func(state *terraform.State) error {
+				require.Len(t, state.Modules, 1)
+				require.Len(t, state.Modules[0].Resources, 1)
+				resource := state.Modules[0].Resources["data.coder_git_auth.github"]
+				require.NotNil(t, resource)
+
+				attribs := resource.Primary.Attributes
+				require.Equal(t, "github", attribs["id"])
+
+				return nil
+			},
+		}},
+	})
+}
diff --git a/provider/provider.go b/provider/provider.go
index 147b0187..a77774cd 100644
--- a/provider/provider.go
+++ b/provider/provider.go
@@ -69,6 +69,7 @@ func New() *schema.Provider {
 			"coder_workspace":   workspaceDataSource(),
 			"coder_provisioner": provisionerDataSource(),
 			"coder_parameter":   parameterDataSource(),
+			"coder_git_auth":    gitAuthDataSource(),
 		},
 		ResourcesMap: map[string]*schema.Resource{
 			"coder_agent":          agentResource(),