diff --git a/docs/data-sources/external_auth.md b/docs/data-sources/external_auth.md
new file mode 100644
index 00000000..b875b874
--- /dev/null
+++ b/docs/data-sources/external_auth.md
@@ -0,0 +1,24 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "coder_external_auth Data Source - terraform-provider-coder"
+subcategory: ""
+description: |-
+  Use this data source to require users to authenticate with an external service prior to workspace creation. This can be used to pre-authenticate external services in a workspace. (e.g. gcloud, gh, docker, etc)
+---
+
+# coder_external_auth (Data Source)
+
+Use this data source to require users to authenticate with an external service prior to workspace creation. This can be used to pre-authenticate external services in a workspace. (e.g. gcloud, gh, docker, etc)
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `id` (String) The ID of a configured external auth provider set up in your Coder deployment.
+
+### Read-Only
+
+- `access_token` (String) The access token returned by the external auth provider. This can be used to pre-authenticate command-line tools.
diff --git a/provider/externalauth.go b/provider/externalauth.go
new file mode 100644
index 00000000..89ab5ecc
--- /dev/null
+++ b/provider/externalauth.go
@@ -0,0 +1,44 @@
+package provider
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+// externalAuthDataSource returns a schema for an external authentication data source.
+func externalAuthDataSource() *schema.Resource {
+	return &schema.Resource{
+		Description: "Use this data source to require users to authenticate with an external service prior to workspace creation. This can be used to pre-authenticate external services in a workspace. (e.g. gcloud, gh, docker, etc)",
+		ReadContext: func(ctx context.Context, rd *schema.ResourceData, i interface{}) diag.Diagnostics {
+			id, ok := rd.Get("id").(string)
+			if !ok || id == "" {
+				return diag.Errorf("id is required")
+			}
+			rd.SetId(id)
+
+			accessToken := os.Getenv(ExternalAuthAccessTokenEnvironmentVariable(id))
+			rd.Set("access_token", accessToken)
+			return nil
+		},
+		Schema: map[string]*schema.Schema{
+			"id": {
+				Type:        schema.TypeString,
+				Description: "The ID of a configured external auth provider set up in your Coder deployment.",
+				Required:    true,
+			},
+			"access_token": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "The access token returned by the external auth provider. This can be used to pre-authenticate command-line tools.",
+			},
+		},
+	}
+}
+
+func ExternalAuthAccessTokenEnvironmentVariable(id string) string {
+	return fmt.Sprintf("CODER_EXTERNAL_AUTH_ACCESS_TOKEN_%s", id)
+}
diff --git a/provider/externalauth_test.go b/provider/externalauth_test.go
new file mode 100644
index 00000000..a320684b
--- /dev/null
+++ b/provider/externalauth_test.go
@@ -0,0 +1,44 @@
+package provider_test
+
+import (
+	"testing"
+
+	"github.com/coder/terraform-provider-coder/provider"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestExternalAuth(t *testing.T) {
+	t.Parallel()
+
+	resource.Test(t, resource.TestCase{
+		Providers: map[string]*schema.Provider{
+			"coder": provider.New(),
+		},
+		IsUnitTest: true,
+		Steps: []resource.TestStep{{
+			Config: `
+			provider "coder" {
+			}
+			data "coder_external_auth" "github" {
+				id = "github"
+			}
+			`,
+			Check: func(state *terraform.State) error {
+				require.Len(t, state.Modules, 1)
+				require.Len(t, state.Modules[0].Resources, 1)
+				resource := state.Modules[0].Resources["data.coder_external_auth.github"]
+				require.NotNil(t, resource)
+
+				attribs := resource.Primary.Attributes
+				require.Equal(t, "github", attribs["id"])
+
+				return nil
+			},
+		}},
+	})
+}
diff --git a/provider/gitauth.go b/provider/gitauth.go
index d5cf9a85..aa36d493 100644
--- a/provider/gitauth.go
+++ b/provider/gitauth.go
@@ -12,7 +12,8 @@ import (
 // gitAuthDataSource returns a schema for a Git authentication data source.
 func gitAuthDataSource() *schema.Resource {
 	return &schema.Resource{
-		Description: "Use this data source to require users to authenticate with a Git provider prior to workspace creation. This can be used to perform an authenticated `git clone` in startup scripts.",
+		DeprecationMessage: "Use the `coder_external_auth` data source instead.",
+		Description:        "Use this data source to require users to authenticate with a Git provider prior to workspace creation. This can be used to perform an authenticated `git clone` in startup scripts.",
 		ReadContext: func(ctx context.Context, rd *schema.ResourceData, i interface{}) diag.Diagnostics {
 			rawID, ok := rd.GetOk("id")
 			if !ok {
diff --git a/provider/provider.go b/provider/provider.go
index 9ea6685b..6556146e 100644
--- a/provider/provider.go
+++ b/provider/provider.go
@@ -68,10 +68,11 @@ func New() *schema.Provider {
 			}, nil
 		},
 		DataSourcesMap: map[string]*schema.Resource{
-			"coder_workspace":   workspaceDataSource(),
-			"coder_provisioner": provisionerDataSource(),
-			"coder_parameter":   parameterDataSource(),
-			"coder_git_auth":    gitAuthDataSource(),
+			"coder_workspace":     workspaceDataSource(),
+			"coder_provisioner":   provisionerDataSource(),
+			"coder_parameter":     parameterDataSource(),
+			"coder_git_auth":      gitAuthDataSource(),
+			"coder_external_auth": externalAuthDataSource(),
 		},
 		ResourcesMap: map[string]*schema.Resource{
 			"coder_agent":          agentResource(),