GCP Authentication and Authorization
Terrateam needs permission to access resources in your GCP project.
Credentials are never stored on our servers.
These instructions require you to run commands from a terminal.
Create a Terrateam service account
A dedicated service account is used to access GCP resources.
- Get your Project ID
gcloud projects list
- Export your Project ID as an environment variable (used by the commands below)
export PROJECT_ID="<your-project-id>"
- Create the service account
gcloud iam service-accounts create terrateam \
  --description="Terrateam" \
  --display-name="Terrateam" \
  --project="$PROJECT_ID"
- Add the roles/editor IAM policy binding
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member="serviceAccount:terrateam@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/editor"
roles/editor is a predefined GCP IAM role that grants view, create, update, and delete on most Google Cloud resources.
It is a suggestion, not a requirement: it is far broader than most Terraform configurations need, so prefer the narrowest predefined or custom role that covers the resources your Terraform code actually manages, and revisit the binding as that set grows.
- Create and download the service account key
gcloud iam service-accounts keys create terrateam-service-account-key.json \
  --iam-account="terrateam@$PROJECT_ID.iam.gserviceaccount.com"
The service account key is now on your machine as terrateam-service-account-key.json.
It is a long-lived credential: anyone holding the file can act as the service account, so keep it out of version control, delete the local copy once it has been added to GitHub Secrets, and rotate it if it is ever exposed.
Add Credentials to GitHub Secrets
Credentials are stored encrypted in GitHub Secrets and exposed as environment variables in the Terrateam GitHub Action runtime environment; GitHub redacts their values from workflow logs.
- Export your GitHub organization/repo combination as an environment variable.
export REPO="<org>/<repo>"
- Create the GCP Service Account Key GitHub Secret from the downloaded key file.
gh secret set GOOGLE_CREDENTIALS --repo "$REPO" < terrateam-service-account-key.json
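The two procedures above, carried out end to end as an added example that is not Terrateam's own tooling: it assumes gcloud and gh are installed and already authenticated, the project ID and org/repo are placeholders supplied by the caller, and the sample key written by write_sample_key_file is constructed with dummy key material so the validation and cleanup steps can be exercised offline. Before the key is uploaded it is checked to be a service-account key issued to the expected account, and the local copy is destroyed once the secret is in GitHub.

```shell
#!/bin/sh
# Added example (not Terrateam's own code): creates the service account, binds a
# role, mints a key, validates it, uploads it to GitHub Secrets and deletes the
# local copy. Assumes gcloud and gh are installed and authenticated; project ID,
# org/repo and the optional role are caller-supplied placeholders.
set -eu

# E-mail address GCP assigns to the "terrateam" service account in a project.
sa_email() {
  printf 'terrateam@%s.iam.gserviceaccount.com' "$1"
}

# Sanity-check a downloaded key before it goes anywhere: it must be a
# service-account key, issued to the account we expect, with key material present.
validate_key_file() {
  file="$1"; expected="$2"
  [ -s "$file" ] || { echo "missing or empty key file: $file" >&2; return 1; }
  grep -qF '"type": "service_account"' "$file" \
    || { echo "not a service account key: $file" >&2; return 1; }
  grep -qF "\"client_email\": \"$expected\"" "$file" \
    || { echo "key was issued to a different account" >&2; return 1; }
  grep -qF '"private_key": "-----BEGIN PRIVATE KEY-----' "$file" \
    || { echo "no private key material in $file" >&2; return 1; }
}

# Remove the local copy once the secret is in GitHub: the key is long-lived and
# anyone holding the file can act as the service account.
shred_key_file() {
  if command -v shred >/dev/null 2>&1; then shred -u "$1"; else rm -f "$1"; fi
  [ ! -e "$1" ]
}

# Constructed stand-in for gcloud's key output, with a dummy private key.
# Used only to exercise validate_key_file without touching GCP.
write_sample_key_file() {
  cat > "$1" <<EOF
{
  "type": "service_account",
  "project_id": "$2",
  "private_key_id": "0000000000000000000000000000000000000000",
  "private_key": "-----BEGIN PRIVATE KEY-----\nDUMMY-KEY-MATERIAL-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
  "client_email": "$(sa_email "$2")",
  "token_uri": "https://oauth2.googleapis.com/token"
}
EOF
}

# The full procedure. roles/editor is the page's suggestion; pass a narrower
# role as the third argument to follow least privilege.
bootstrap() {
  project_id="$1"; repo="$2"; role="${3:-roles/editor}"
  key_file="terrateam-service-account-key.json"
  email="$(sa_email "$project_id")"

  gcloud iam service-accounts create terrateam \
    --description="Terrateam" --display-name="Terrateam" --project="$project_id"
  gcloud projects add-iam-policy-binding "$project_id" \
    --member="serviceAccount:$email" --role="$role"
  gcloud iam service-accounts keys create "$key_file" --iam-account="$email"

  validate_key_file "$key_file" "$email"
  gh secret set GOOGLE_CREDENTIALS --repo "$repo" < "$key_file"
  shred_key_file "$key_file"
}

# Usage: sh bootstrap.sh <project-id> <org/repo> [role]
if [ "$#" -ge 2 ]; then
  bootstrap "$@"
fi
```

The validation step is cheap insurance against uploading the wrong file (an old key, a user credential, or a key for another project's account) into a secret that every Terrateam run will trust; the shred step enforces the rule that the only surviving copy of the key is the one in GitHub Secrets.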
GCP Terraform Provider
The Google Cloud Terraform provider reads the GOOGLE_CREDENTIALS environment variable, which Terrateam sets from the GitHub Secret of the same name in its GitHub Action runtime environment, so no credentials argument is needed in your provider configuration.