
GCP Authentication and Authorization

Terrateam needs permission to access resources in your GCP account.

Credentials are never stored on our servers.


Create a Terrateam service account

A dedicated service account is used to access GCP resources.

  1. Get your Project ID
gcloud projects list
  2. Export your Project ID
export PROJECT_ID="<project-id>"
  3. Create a terrateam service account
gcloud iam service-accounts create terrateam \
--description="Terrateam" \
--display-name="Terrateam" \
--project="$PROJECT_ID"
  4. Add the roles/editor IAM policy binding
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
--member="serviceAccount:terrateam@$PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/editor"

roles/editor is a predefined GCP IAM role.

Permissions for this role include view, create, update, and delete for most Google Cloud resources.

This role is merely a suggestion. Choose whichever role makes the most sense for your organization.

  5. Create and download the service account key
gcloud iam service-accounts keys create terrateam-service-account-key.json \
--iam-account="terrateam@$PROJECT_ID.iam.gserviceaccount.com"

The service account key is now downloaded to your machine as terrateam-service-account-key.json.
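
The roles/editor binding from step 4 is a broad, project-wide grant, so it is worth checking which service accounts hold basic roles once setup is done. The following Python script is an added example, not part of Terrateam's documentation or tooling: it reads the JSON printed by gcloud projects get-iam-policy "$PROJECT_ID" --format=json and reports service accounts bound to a basic role, plus deleted service accounts that still have bindings. The project name example-project, the old-ci account and the embedded sample policy are constructed for illustration.

```python
import json
import sys

# Basic roles apply project-wide; roles/editor is the one bound in step 4.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:terrateam@example-project.iam.gserviceaccount.com",
                     "user:alice@example.com"]},
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:terrateam@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/owner",
         "members": ["deleted:serviceAccount:old-ci@example-project.iam.gserviceaccount.com?uid=123456789"]},
    ],
    "etag": "constructed",
    "version": 1,
}


def audit_policy(policy):
    """Return sorted (email, role, reason) findings for service accounts."""
    findings = set()
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            # IAM lists a deleted principal as "deleted:<type>:<id>?uid=<n>".
            deleted = member.startswith("deleted:")
            rest = member[len("deleted:"):] if deleted else member
            kind, _, ident = rest.partition(":")
            if kind != "serviceAccount":
                continue  # users and groups are out of scope for this check
            email = ident.split("?", 1)[0]
            if deleted:
                findings.add((email, role, "deleted account still bound"))
            elif role in BASIC_ROLES:
                findings.add((email, role, "basic role"))
    return sorted(findings)


if __name__ == "__main__":
    # Pass a saved policy file as the first argument, or none to use the sample.
    policy = SAMPLE_POLICY
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policy = json.load(fh)
    for email, role, reason in audit_policy(policy):
        print(f"{reason}: {email} has {role}")
```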

Add Credentials to GitHub Secrets

Credentials are securely stored in GitHub Secrets and exposed as obfuscated environment variables in the Terrateam GitHub Action runtime environment.

  1. Export your Terraform organization/repo combination as an environment variable.

For example:

export REPO="<OWNER/REPO>"
  2. Create the GCP Service Account Key GitHub Secret.
gh secret --repo "$REPO" set GOOGLE_CREDENTIALS < terrateam-service-account-key.json

GCP Terraform Provider

The GCP Terraform provider will detect and use the GOOGLE_CREDENTIALS GitHub Secret automatically set in the Terrateam GitHub Action runtime environment.