GCP Authentication and Authorization

Terrateam needs permission to access resources in your GCP account.

Credentials are never stored on our servers.

Prerequisites

These instructions require you to run commands from a terminal.

Create a Terrateam service account

A dedicated service account is used to access GCP resources.

  1. Get your Project ID:
     gcloud projects list
  2. Export your Project ID:
     export PROJECT_ID="<project-id>"
  3. Create a terrateam service account:
     gcloud iam service-accounts create terrateam \
       --description="Terrateam" \
       --display-name="Terrateam" \
       --project="$PROJECT_ID"
  4. Add the roles/editor IAM policy binding:
     gcloud projects add-iam-policy-binding "$PROJECT_ID" \
       --member="serviceAccount:terrateam@$PROJECT_ID.iam.gserviceaccount.com" \
       --role="roles/editor"

roles/editor is a predefined GCP IAM role.

Permissions for this role include view, create, update, and delete for most Google Cloud resources.

This role is merely a suggestion. Choose whichever role makes the most sense for your organization.

  5. Create and download the service account key:
     gcloud iam service-accounts keys create terrateam-service-account-key.json \
       --iam-account="terrateam@$PROJECT_ID.iam.gserviceaccount.com"

The service account key is now downloaded to your machine as terrateam-service-account-key.json.

Add Credentials to GitHub Secrets

Credentials are securely stored in GitHub Secrets and exposed as obfuscated environment variables in the Terrateam GitHub Action runtime environment.

  1. Export your Terraform organization/repo combination as an environment variable. For example:
     export REPO="<OWNER/REPO>"
  2. Create the GCP Service Account Key GitHub Secret:
     gh secret --repo "$REPO" set GOOGLE_CREDENTIALS < terrateam-service-account-key.json
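The service-account and GitHub Secret steps above as one script, added here as an example and not Terrateam's own tooling. It assumes gcloud and gh are installed and already authenticated, keeps the page's roles/editor suggestion as an overridable default, checks the downloaded key file before uploading it, and removes the local copy once it is in GitHub Secrets.

```shell
#!/bin/sh
# Added example (not Terrateam's own tooling): the service-account and
# GitHub Secret steps above as one script with two guardrails.
# Assumes gcloud and gh are installed and already authenticated.
set -eu

SA_NAME="terrateam"
KEY_FILE="terrateam-service-account-key.json"
# roles/editor is the page's suggestion; override with a narrower role.
ROLE="${TERRATEAM_ROLE:-roles/editor}"

# E-mail of the Terrateam service account in a given project.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$SA_NAME" "$1"
}

# Guardrail 1: before the key leaves this machine, confirm it is a
# service_account key for exactly the account and project we expect.
validate_key_file() {
  file="$1"; expected_email="$2"; project="$3"
  [ -s "$file" ] || return 1
  grep -q '"type": *"service_account"' "$file" || return 1
  grep -q "\"project_id\": *\"$project\"" "$file" || return 1
  grep -q "\"client_email\": *\"$expected_email\"" "$file" || return 1
}

bootstrap() {
  project="$1"; repo="$2"
  email=$(sa_email "$project")
  umask 077   # key file readable by the current user only
  gcloud iam service-accounts create "$SA_NAME" \
    --description="Terrateam" --display-name="Terrateam" --project="$project"
  gcloud projects add-iam-policy-binding "$project" \
    --member="serviceAccount:$email" --role="$ROLE"
  gcloud iam service-accounts keys create "$KEY_FILE" --iam-account="$email"
  validate_key_file "$KEY_FILE" "$email" "$project" || {
    echo "refusing to upload: $KEY_FILE is not the expected key" >&2
    return 1
  }
  gh secret --repo "$repo" set GOOGLE_CREDENTIALS < "$KEY_FILE"
  # Guardrail 2: the key now lives only in GitHub Secrets.
  rm -f "$KEY_FILE"
}

# Run only when invoked deliberately, e.g.
#   PROJECT_ID=my-project REPO=owner/repo TERRATEAM_BOOTSTRAP=1 sh setup.sh
if [ "${TERRATEAM_BOOTSTRAP:-}" = "1" ]; then
  bootstrap "$PROJECT_ID" "$REPO"
fi
```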

GCP Terraform Provider

The GCP Terraform provider automatically detects and uses the GOOGLE_CREDENTIALS environment variable, which is populated from the GitHub Secret of the same name in the Terrateam GitHub Action runtime environment.