Using GCloud service accounts in Terraform

If you are already using service accounts to interact securely with GCP from the gcloud CLI (if not, see the TeraTip Secure your access to GCloud cli with Service Accounts and start there), you will want to use the same identity from Terraform too.

Terraform's Google provider can authenticate with an OAuth access token, which lets it call the GCP API as a different identity (the service account) instead of your own user credentials. You obtain that token with the gcloud CLI by impersonating the service account and hand it to Terraform through the GOOGLE_OAUTH_ACCESS_TOKEN environment variable. Once it is set, Terraform picks it up automatically and uses it for every operation, including reading and writing remote state in a GCS backend. Impersonation only works if your own identity holds the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) on that service account. The tokens are short-lived, one hour by default, which reduces the attack surface: a leaked token stops working on its own, and nothing long-lived such as a service account key has to be stored on disk.

In short, you can prefix every Terraform invocation with the token so that a fresh one is minted each time:

GOOGLE_OAUTH_ACCESS_TOKEN=$(gcloud --impersonate-service-account="${SERVICE_ACCOUNT}" auth print-access-token) terraform <commands>

Alternatively, export the variable once and then run the normal terraform commands for up to one hour. After that the token expires and you need to request a new one and export it again. Note that a plan or apply still running when the token expires fails part way through, so do not start a long apply near the end of the hour:

export GOOGLE_OAUTH_ACCESS_TOKEN=$(gcloud --impersonate-service-account="${SERVICE_ACCOUNT}" auth print-access-token)
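The procedure above (mint a token by impersonating the service account, hand it to Terraform, mint a new one once it is stale), written as a small POSIX sh wrapper. This is an added example and not part of the original post or of Teracloud's tooling. It assumes your identity already holds roles/iam.serviceAccountTokenCreator on the service account and that gcloud and terraform are on PATH; the variables GCLOUD_BIN, TERRAFORM_BIN and TOKEN_MAX_AGE and the function names are this example's own. Unlike the export variant, the token is kept in a shell variable and passed only into terraform's environment, and it is refreshed automatically before it gets close to the one-hour expiry, so a long working session does not have to be restarted by hand.

```shell
#!/bin/sh
# tf-sa.sh: run Terraform with a short-lived access token minted by
# impersonating a GCP service account.
#
# Assumptions (this example's own, not from the post): the caller holds
# roles/iam.serviceAccountTokenCreator on the service account, gcloud and
# terraform are on PATH, and date(1) supports +%s.

# Command names are indirected so they can be replaced by test doubles.
: "${GCLOUD_BIN:=gcloud}"
: "${TERRAFORM_BIN:=terraform}"
# Re-mint the token once it is older than this many seconds. Tokens from
# print-access-token live 3600 s by default; the headroom keeps a plan or
# apply that starts late in the window from dying with a 401 half way.
: "${TOKEN_MAX_AGE:=2700}"

TF_SA_TOKEN=""
TF_SA_TOKEN_ISSUED=0

# fetch_token SA: print an access token for SA obtained by impersonation.
fetch_token() {
    sa="$1"
    [ -n "$sa" ] || { echo "fetch_token: service account required" >&2; return 2; }
    "$GCLOUD_BIN" --impersonate-service-account="$sa" auth print-access-token
}

# token_is_stale ISSUED NOW MAX_AGE: succeed (0) when the token issued at
# epoch second ISSUED should be replaced at time NOW. ISSUED=0 means "never".
token_is_stale() {
    issued="$1"; now="$2"; max_age="$3"
    [ "$issued" -eq 0 ] && return 0
    [ $(( now - issued )) -ge "$max_age" ]
}

# ensure_token SA: mint a token if none is cached or the cached one is stale.
# The token lives in a shell variable, not in the exported environment, so
# other child processes started from this shell never see it.
ensure_token() {
    now=$(date +%s)
    if [ -z "$TF_SA_TOKEN" ] || token_is_stale "$TF_SA_TOKEN_ISSUED" "$now" "$TOKEN_MAX_AGE"; then
        TF_SA_TOKEN=$(fetch_token "$1") || return 1
        [ -n "$TF_SA_TOKEN" ] || { echo "ensure_token: empty token from gcloud" >&2; return 1; }
        TF_SA_TOKEN_ISSUED=$now
    fi
}

# tf_sa SA ARGS...: run "terraform ARGS..." as SA. The token is placed only
# in terraform's environment for the duration of that single command.
tf_sa() {
    sa="$1"; shift
    ensure_token "$sa" || return 1
    GOOGLE_OAUTH_ACCESS_TOKEN="$TF_SA_TOKEN" "$TERRAFORM_BIN" "$@"
}

# Example session (uncomment and set SERVICE_ACCOUNT to use against a project):
# tf_sa "$SERVICE_ACCOUNT" init
# tf_sa "$SERVICE_ACCOUNT" plan -out=tfplan
# tf_sa "$SERVICE_ACCOUNT" apply tfplan
```

Source the file (`. ./tf-sa.sh`) and call tf_sa instead of terraform. With a real terraform binary the GOOGLE_OAUTH_ACCESS_TOKEN prefix is scoped to that one child process, which is the reason for preferring it over a shell-wide export: nothing else you run from that shell, and no shell history or crash dump of another process, picks the token up.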

If you are interested in learning more about our TeraTips or our blog's content, we invite you to see all the content entries that we have created for you and your needs.

Carlos Barroso

Senior MLOps Engineer

#Teracloud #TeraTips #Teracloud #Gcloud #security #Terraform

