GCP Authentication and Authorization
Terrateam needs permission to access resources in your GCP account.
Credentials are never stored on our servers.
A dedicated service account is used to access GCP resources.
- Get your Project ID:

```sh
gcloud projects list
```

- Export your Project ID as the `PROJECT_ID` environment variable; the commands below reference `$PROJECT_ID`.
- Create a service account:

```sh
gcloud iam service-accounts create terrateam \
  --description="Terrateam" \
  --display-name="Terrateam" \
  --project="$PROJECT_ID"
```
- Add the `roles/editor` IAM policy binding:

```sh
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member="serviceAccount:terrateam@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/editor"
```
`roles/editor` is a predefined GCP IAM role. Its permissions include view, create, update, and delete on most Google Cloud resources, so it is a broad grant.
This role is merely a suggestion; choose whichever role makes the most sense for your organization.
- Create and download the service account key:

```sh
gcloud iam service-accounts keys create terrateam-service-account-key.json \
  --iam-account="terrateam@$PROJECT_ID.iam.gserviceaccount.com"
```

The service account key is now downloaded to your machine as `terrateam-service-account-key.json`.
Credentials are securely stored in GitHub Secrets and exposed as obfuscated environment variables in the Terrateam GitHub Action runtime environment.
- Export your Terraform `organization/repo` combination as the `REPO` environment variable.
- Create the GCP Service Account Key GitHub Secret:

```sh
gh secret --repo "$REPO" set GOOGLE_CREDENTIALS < terrateam-service-account-key.json
```
The GCP Terraform provider will detect and use the `GOOGLE_CREDENTIALS` GitHub Secret, which is automatically set in the Terrateam GitHub Action runtime environment.
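The following script is an added example and is not part of Terrateam's documentation. It runs the steps above end to end and adds the two checks a practitioner would want before a long-lived key is pushed to GitHub Secrets: that the downloaded file really is a service account key for the expected account, and that the `roles/editor` binding exists. It assumes `gcloud`, `gh` and `python3` are installed, that `PROJECT_ID` and `REPO` are set by the caller, and uses the service account name and key file name from the page; the `TERRATEAM_SETUP_RUN` guard is a constructed convenience so the functions can be sourced without touching GCP.

```shell
#!/usr/bin/env sh
# Added example (not Terrateam's own code). Wires the documented gcloud/gh
# steps together and validates the key file and IAM binding before the key
# is stored in GitHub Secrets.
# Assumptions: gcloud, gh and python3 are installed; PROJECT_ID and REPO are
# exported by the caller; names below match the documentation.
SA_NAME="terrateam"
KEY_FILE="terrateam-service-account-key.json"

# check_sa_key FILE EXPECTED_EMAIL
# Returns 0 only if FILE is a JSON service account key whose client_email is
# EXPECTED_EMAIL and which carries a private_key. Empty, non-JSON, user
# credential or wrong-account files are rejected.
check_sa_key() {
  [ -s "$1" ] || return 1
  python3 - "$1" "$2" <<'PY'
import json, sys
path, expected = sys.argv[1], sys.argv[2]
try:
    with open(path) as fh:
        key = json.load(fh)
except (OSError, ValueError):
    sys.exit(1)
ok = (isinstance(key, dict)
      and key.get("type") == "service_account"
      and key.get("client_email") == expected
      and bool(key.get("private_key")))
sys.exit(0 if ok else 1)
PY
}

# editor_binding_present PROJECT_ID EMAIL
# Returns 0 if EMAIL is bound to roles/editor in the project's IAM policy.
editor_binding_present() {
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.role:roles/editor" \
    --format="value(bindings.members)" \
    | grep -qx "serviceAccount:$2"
}

# Full procedure from the documentation, with the checks inserted.
main() {
  : "${PROJECT_ID:?set PROJECT_ID to your GCP project ID}"
  : "${REPO:?set REPO to organization/repo}"
  sa_email="$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com"

  gcloud iam service-accounts create "$SA_NAME" --description="Terrateam" \
    --display-name="Terrateam" --project="$PROJECT_ID"
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$sa_email" --role="roles/editor"
  editor_binding_present "$PROJECT_ID" "$sa_email" \
    || { echo "roles/editor binding for $sa_email not found" >&2; exit 1; }

  gcloud iam service-accounts keys create "$KEY_FILE" --iam-account="$sa_email"
  check_sa_key "$KEY_FILE" "$sa_email" \
    || { echo "$KEY_FILE is not a key for $sa_email" >&2; exit 1; }

  gh secret --repo "$REPO" set GOOGLE_CREDENTIALS < "$KEY_FILE"
  # The secret now lives in GitHub; remove the local copy so the long-lived
  # key is not left lying on the workstation.
  rm -f "$KEY_FILE"
}

# Constructed guard: only run the procedure when explicitly requested, so the
# file can be sourced for its functions.
if [ -n "${TERRATEAM_SETUP_RUN:-}" ]; then main "$@"; fi
```

Run it with `PROJECT_ID=... REPO=org/repo TERRATEAM_SETUP_RUN=1 sh setup.sh`. The key check matters because `gh secret set` will happily store whatever bytes it is given; validating the `client_email` against the account you just created catches a stale or mis-named file before it becomes the credential Terraform runs with.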