This article will cover how to create a terraform service-account in Google Cloud Platform, and how to generate and use its credentials locally.

We are going to need to authenticate to GCP to use terraform. The recommended way to do that according to the Google Cloud Platform Documentation, is to create a service account for terraform, and give it the necessary access for it to create infrastructure.

If you haven’t already, run the below command to initialize your GCP workspace and select a default GCP project. Grab your PROJECT_ID .

gcloud init

Now that you are logged in to GCP and have your PROJECT_ID saved, create a new service account to be used by terraform.

gcloud iam service-accounts create terraform  --display-name "Terraform account"

Now that your terraform service account is created, generate the config locally so we can use it to authenticate to GCP as the terraform service acct. Do not forget to substitute PROJECT_ID with your own value.

gcloud iam service-accounts keys create ~/.config/gcloud/PROJECT_ID.json --iam-account terraform@$PROJECT_ID.iam.gserviceaccount.com

Note: you will need to re-generate the credential file via this step every time you add new access permissions to the chosen service account.

We now have a terraform service account, and its corresponding credentials pulled locally. The next step is to configure your environment for the Google Cloud Terraform provider by substitution your PROJECT_ID value and running

export GOOGLE_APPLICATION_CREDENTIALS=~/.config/gcloud/PROJECT_ID.json

The terraform command is finally ready to be used. It is now able to correctly link to the terraform service account we created using the above exported credentials. However, the “fresh” service-account, does not have any permissions given to it. So terraform is not going to be authorized to create any infrastructure unless we give it permission to do so. You might need to find out which permission needed for your chosen infrastructure, but for a GCS bucket example, below is how we add the permissions needed to the terraform service account. Do not forget to change PROJECT_ID to your own value.

Grant the service account permission to view the GCP Project

gcloud projects add-iam-policy-binding PROJECT_ID --member serviceAccount:terraform@PROJECT_ID.iam.gserviceaccount.com --role roles/viewer

Grant the service account permission to manage Cloud Storage

gcloud projects add-iam-policy-binding PROJECT_ID --member serviceAccount:terraform@PROJECT_ID.iam.gserviceaccount.com --role roles/storage.admin

If you encounter any billing issues, it is probably because the corresponding service does not have billing enabled. You can fix that by enabling all the APIs required for terraform to perform needed actions.

gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable cloudbilling.googleapis.com
gcloud services enable iam.googleapis.com
gcloud services enable storage.googleapis.com
gcloud services enable serviceusage.googleapis.com

You can now run terraform init with an existing terraform config to test the connection to GCP and verify the permissions are set up correctly.

successful terraform init
Tada 🎉🎉🎉 You now meet all the necessary conditions to be able to run a terraform plan.