GCP Authentication and Authorization
Terrateam needs permission to access resources in your GCP account.
Credentials are never stored on our servers.
Prerequisites
These instructions require you to run commands from a terminal.
Create a Terrateam service account
A dedicated service account is used to access GCP resources.
- Get your Project ID
  gcloud projects list
- Export your Project ID
  export PROJECT_ID="<project-id>"
- Create a terrateam service account
  gcloud iam service-accounts create terrateam \
    --description="Terrateam" \
    --display-name="Terrateam" \
    --project="$PROJECT_ID"
- Add the roles/editor IAM policy binding
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:terrateam@$PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/editor"
  roles/editor is a predefined GCP IAM role. Permissions for this role include view, create, update, and delete for most Google Cloud resources. This role is merely a suggestion. Choose whichever role makes the most sense for your organization.
- Create and download the service account key
  gcloud iam service-accounts keys create terrateam-service-account-key.json \
    --iam-account="terrateam@$PROJECT_ID.iam.gserviceaccount.com"
  The service account key is now downloaded to your machine as terrateam-service-account-key.json.
Add Credentials to GitHub Secrets
Credentials are securely stored in GitHub Secrets and exposed as obfuscated environment variables in the Terrateam GitHub Action runtime environment.
- Export your Terraform repository's organization/repo combination as an environment variable. For example:
  export REPO="<OWNER/REPO>"
- Create the GCP Service Account Key GitHub Secret.
  gh secret --repo "$REPO" set GOOGLE_CREDENTIALS < terrateam-service-account-key.json
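Before the key file is uploaded as a secret, it is worth confirming that it really is a service account key for the account you just created and that it is not world-readable. The following shell function is an added example, not part of the Terrateam docs; it assumes the JSON layout that `gcloud iam service-accounts keys create` produces and uses a constructed placeholder key for the dry run.

```shell
#!/bin/sh
# Added example (not Terrateam's own code): sanity-check a downloaded
# service account key before running `gh secret set`.

# check_sa_key KEYFILE EXPECTED_EMAIL
# Returns 0 when KEYFILE is a service account key whose client_email is
# EXPECTED_EMAIL and the file has been restricted to owner-only access.
check_sa_key() {
  keyfile="$1"
  expected_email="$2"
  [ -f "$keyfile" ] || { echo "missing key file: $keyfile" >&2; return 1; }
  # Only service account keys carry "type": "service_account"; a user
  # credential or an unrelated JSON file must not end up in the secret.
  grep -q '"type": *"service_account"' "$keyfile" \
    || { echo "not a service account key" >&2; return 2; }
  # Make sure the key belongs to the intended account and project.
  grep -q "\"client_email\": *\"$expected_email\"" "$keyfile" \
    || { echo "client_email mismatch" >&2; return 3; }
  # The key is a long-lived credential: readable by the owner only.
  chmod 600 "$keyfile" || return 4
  return 0
}

# make_sample_key KEYFILE
# Writes a constructed placeholder key (not a real credential) so the
# check can be exercised offline.
make_sample_key() {
  cat > "$1" <<'EOF'
{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "PLACEHOLDER",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
  "client_email": "terrateam@example-project.iam.gserviceaccount.com"
}
EOF
}
```

For the real file, call it as `check_sa_key terrateam-service-account-key.json "terrateam@$PROJECT_ID.iam.gserviceaccount.com"` and only run `gh secret set` when it returns 0.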
GCP Terraform Provider
The GCP Terraform provider will detect and use the GOOGLE_CREDENTIALS GitHub Secret automatically set in the Terrateam GitHub Action runtime environment.