GCP Authentication and Authorization

Terrateam needs permission to access resources in your GCP account.

Credentials are never stored on our servers.

Prerequisites

These instructions require you to run commands from a terminal.

Create a Terrateam service account

A dedicated service account is used to access GCP resources.

Get your Project ID

gcloud projects list

Export your Project ID

export PROJECT_ID="<project-id>"

Create a terrateam service account

gcloud iam service-accounts create terrateam \
--description="Terrateam" \
--display-name="Terrateam" \
--project="$PROJECT_ID"

Add the roles/editor IAM policy binding

gcloud projects add-iam-policy-binding "$PROJECT_ID" \
--member="serviceAccount:terrateam@$PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/editor"

roles/editor is a predefined GCP IAM role.

Permissions for this role include view, create, update, and delete for most Google Cloud resources.

This role is merely a suggestion. Choose whichever role makes the most sense for your organization.

Create and download the service account key

gcloud iam service-accounts keys create terrateam-service-account-key.json \
--iam-account="terrateam@$PROJECT_ID.iam.gserviceaccount.com"

The service account key is now downloaded to your machine as terrateam-service-account-key.json.

Add Credentials to GitHub Secrets

Credentials are securely stored in GitHub Secrets and exposed as obfuscated environment variables in the Terrateam GitHub Action runtime environment.

Export your Terraform organization/repo combination as an environment variable.

For example:

export REPO="<OWNER/REPO>"

Create the GCP Service Account Key GitHub Secret.

gh secret --repo "$REPO" set GOOGLE_CREDENTIALS < terrateam-service-account-key.json

GCP Terraform Provider

The GCP Terraform provider (opens in a new tab) will detect and use the GOOGLE_CREDENTIALS GitHub Secret automatically set in the Terrateam GitHub Action runtime environment.

Azure Other