This article will cover how to create a terraform service-account in Google Cloud Platform, and how to generate and use its credentials locally.
We are going to need to authenticate to GCP to use terraform. The recommended way to do that, according to the Google Cloud Platform documentation, is to create a service account for terraform and give it the access it needs to create infrastructure.
If you haven’t already, run the command below to initialize your GCP workspace and select a default GCP project. Grab your PROJECT_ID.
gcloud init
Now that you are logged in to GCP and have your PROJECT_ID saved, create a new service account to be used by terraform.
gcloud iam service-accounts create terraform --display-name "Terraform account"
Now that your terraform service account is created, generate the credential file locally so we can use it to authenticate to GCP as the terraform service account. Do not forget to substitute PROJECT_ID with your own value.
gcloud iam service-accounts keys create ~/.config/gcloud/PROJECT_ID.json --iam-account terraform@PROJECT_ID.iam.gserviceaccount.com
Note: you will need to re-generate the credential file via this step every time you add new access permissions to the chosen service account.
We now have a terraform service account, and its corresponding credentials pulled locally. The next step is to configure your environment for the Google Cloud Terraform provider by substituting your PROJECT_ID value and running
export GOOGLE_APPLICATION_CREDENTIALS=~/.config/gcloud/PROJECT_ID.json
The terraform command is finally ready to be used: it can now authenticate as the terraform service account through the credentials exported above. However, the “fresh” service account does not have any permissions yet, so terraform will not be authorized to create any infrastructure until we grant it some. You may need to look up which permissions your chosen infrastructure requires; for a GCS bucket example, below is how we add the required permissions to the terraform service account. Do not forget to change PROJECT_ID to your own value.
Grant the service account permission to view the GCP Project
gcloud projects add-iam-policy-binding PROJECT_ID --member serviceAccount:terraform@PROJECT_ID.iam.gserviceaccount.com --role roles/viewer
Grant the service account permission to manage Cloud Storage
gcloud projects add-iam-policy-binding PROJECT_ID --member serviceAccount:terraform@PROJECT_ID.iam.gserviceaccount.com --role roles/storage.admin
If you encounter any billing issues, it is probably because the corresponding service API is not enabled on the project. You can fix that by enabling all the APIs required for terraform to perform the needed actions.
gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable cloudbilling.googleapis.com
gcloud services enable iam.googleapis.com
gcloud services enable storage.googleapis.com
gcloud services enable serviceusage.googleapis.com
You can now run terraform init with an existing terraform config to test the connection to GCP and verify the permissions are set up correctly.
[Screenshot: successful terraform init]
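The steps above, collected into one re-runnable script, as an added example (not code from the original article). It keeps the article's service-account name, key path, roles and API list, and only adds the checks a practitioner would want: the project ID is validated before anything is created, the service account is created only if it does not already exist, and the key file is written with a 0600 mode so the long-lived credential is never world-readable. The caller is assumed to have run gcloud init and exported PROJECT_ID.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article. Assumes gcloud is installed,
# gcloud init has been run, and PROJECT_ID is exported by the caller.
set -eu

SA_NAME="terraform"
KEY_DIR="${HOME}/.config/gcloud"
# Roles and APIs are exactly the ones granted/enabled in the article.
ROLES="roles/viewer roles/storage.admin"
APIS="cloudresourcemanager.googleapis.com cloudbilling.googleapis.com iam.googleapis.com storage.googleapis.com serviceusage.googleapis.com"

# GCP project IDs: 6-30 chars, lowercase letters, digits and hyphens,
# must start with a letter and must not end with a hyphen.
validate_project_id() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'
}

# Service-account e-mail for a given project ID.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com' "$SA_NAME" "$1"
}

# Path where the key JSON file is written (same location as in the article).
key_path() {
  printf '%s/%s.json' "$KEY_DIR" "$1"
}

# Returns 0 only if the file is readable by its owner alone (mode 0600).
key_mode_ok() {
  [ -n "$(find "$1" -prune -perm 600 2>/dev/null)" ]
}

bootstrap() {
  project="$1"
  validate_project_id "$project" || { echo "invalid PROJECT_ID: $project" >&2; return 1; }
  email=$(sa_email "$project")
  key=$(key_path "$project")

  # Enable the APIs first so the later IAM/storage calls cannot fail on them.
  # $APIS is deliberately unquoted so it expands to several arguments.
  gcloud services enable $APIS --project "$project"

  # Create the service account only if it does not exist yet (idempotent).
  if ! gcloud iam service-accounts describe "$email" --project "$project" >/dev/null 2>&1; then
    gcloud iam service-accounts create "$SA_NAME" --display-name "Terraform account" --project "$project"
  fi

  for role in $ROLES; do
    gcloud projects add-iam-policy-binding "$project" \
      --member "serviceAccount:$email" --role "$role" >/dev/null
  done

  # Write the key under a restrictive umask; it is a long-lived credential.
  mkdir -p "$KEY_DIR"
  ( umask 077; gcloud iam service-accounts keys create "$key" --iam-account "$email" )
  key_mode_ok "$key" || chmod 600 "$key"

  # Print the export line the article asks you to run next.
  echo "export GOOGLE_APPLICATION_CREDENTIALS=$key"
}

# Only touch GCP when invoked explicitly, e.g.:  PROJECT_ID=my-proj ./bootstrap.sh run
if [ "${1:-}" = "run" ]; then
  bootstrap "${PROJECT_ID:?set PROJECT_ID first}"
fi
```

After the script prints the export line, evaluate it in your shell and run terraform init against your config, as in the article. Every gcloud call here is idempotent, so re-running the script after adding a role to ROLES is safe; note that it will generate a fresh key each time, so delete keys you no longer use.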
Tada 🎉🎉🎉 You now meet all the necessary conditions to be able to run a terraform plan.