diff --git a/README.md b/README.md index b01125e..43b0d68 100644 --- a/README.md +++ b/README.md @@ -101,7 +101,7 @@ The above custom role is similar to the "write" pre-existing role, but blocks ac | [agent\_role\_arns](#input\_agent\_role\_arns) | IAM role ARNs used by Terraform Cloud Agent to assume role in the created account | `list(string)` | `null` | no | | [allow\_destroy\_plan](#input\_allow\_destroy\_plan) | Whether destroy plans can be queued on the workspace | `bool` | `true` | no | | [assessments\_enabled](#input\_assessments\_enabled) | Whether to regularly run health assessments such as drift detection on the workspace | `bool` | `true` | no | -| [auth\_method](#input\_auth\_method) | Configures how the workspace authenticates with the AWS account (can be iam\_user, iam\_role, or iam\_role\_oidc) | `string` | `"iam_user"` | no | +| [auth\_method](#input\_auth\_method) | Configures how the workspace authenticates with the AWS account (can be iam\_user, iam\_role, or iam\_role\_oidc) | `string` | `"iam_role_oidc"` | no | | [auto\_apply](#input\_auto\_apply) | Whether to automatically apply changes when a Terraform plan is successful | `bool` | `false` | no | | [auto\_apply\_run\_trigger](#input\_auto\_apply\_run\_trigger) | Whether to automatically apply changes for runs that were created by run triggers from another workspace | `bool` | `false` | no | | [branch](#input\_branch) | The git branch to trigger the TFE workspace for | `string` | `"main"` | no | diff --git a/UPGRADING.md b/UPGRADING.md index a6cf3d1..22e47a3 100644 --- a/UPGRADING.md +++ b/UPGRADING.md @@ -5,6 +5,7 @@ This document captures breaking changes. ### Variables - `notification_configuration` has been modified from a `list(object)` to a `map(object)`. They key should be the name of the notification configuration as it will be displayed in Terraform Cloud. +- The default `auth_method` has been modified from `iam_user` to `iam_role_oidc`. ## Upgrading to v1.0.0 
diff --git a/variables.tf b/variables.tf index 454daa0..c0d5ba3 100644 --- a/variables.tf +++ b/variables.tf @@ -35,7 +35,7 @@ variable "assessments_enabled" { variable "auth_method" { type = string - default = "iam_user" + default = "iam_role_oidc" description = "Configures how the workspace authenticates with the AWS account (can be iam_user, iam_role, or iam_role_oidc)" validation {
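Review bot: in the UPGRADING.md hunk, the added bullet under "### Variables" states the new default but gives no migration step. Any caller that never set `auth_method` will move from `iam_user` to `iam_role_oidc` on upgrade, so the entry should say that setting `auth_method = "iam_user"` explicitly keeps the previous behaviour, and should name whatever the `iam_role_oidc` path requires of the caller, if anything.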
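Review bot: in the variables.tf hunk, the new `default = "iam_role_oidc"` line changes the authentication method for every module call that leaves `auth_method` unset, with no change to the caller's own code. Before merging, check that examples and tests which relied on the implicit `iam_user` default now either set it explicitly or are meant to run with `iam_role_oidc`. The `validation` block is cut off in this hunk, so it is also worth confirming it accepts all three values named in the `description`.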