Terraform is one of the most popular open source infrastructure-as-code tools available, and it works well for managing resources on Google Cloud. If you're just kicking the tires and learning how to use Terraform with Google Cloud, having the Owner role on the project and running Terraform yourself makes things very easy. That's because with unlimited permissions, you can concentrate on understanding the syntax and functionality without getting distracted by issues caused by missing IAM permissions.
However, once you're past that stage, or if it's simply not possible in the project you're working in, it's a good idea to limit your own permissions and get into the habit of running your Terraform code as one or more service accounts with just the right set of IAM roles. A service account is a special type of account that's typically used by applications and virtual machines in your Google Cloud project to access APIs and services. Applications and users can authenticate as a service account using generated service account keys.
The downside to this approach is that it creates a security risk as soon as the key is generated and distributed. Anyone with access to a service account key, whether authorized or not, will be able to authenticate as the service account and access all the resources for which the service account has permissions. Fortunately, there's another way to run Terraform code as a service account that's generally safer: service account impersonation.
Creating resources as a service account
To begin creating resources as a service account you'll need two things. First, you'll need a service account in your project that you'll use to run the Terraform code. This service account will need to have the permissions to create the resources referenced in your code. Second, you'll need to have the Service Account Token Creator IAM role granted to your own user account. This role allows you to impersonate service accounts to access APIs and resources. The IAM role can be granted on the project's IAM policy, thereby giving you impersonation permissions on all service accounts in the project. However, if you're adhering to the principle of least privilege, the role should be granted to you on the service account's IAM policy instead.
Once you have a service account and the Service Account Token Creator role, you can impersonate service accounts in Terraform in two ways: set an environment variable to the service account's email, or add an additional provider block in your Terraform code.
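The least-privilege grant described above together with the provider-block method, as an added example that is not from the original article: it assumes the placeholder project ID, user and service account name given in the comments, and uses the Google provider's impersonate_service_account argument.

```hcl
# Added example, not from the original article. Placeholders to replace:
# project "my-project-id", user "alice@example.com", service account
# "terraform-runner". The unaliased (default) provider runs as your own
# user and is used only to bootstrap the service account and its bindings.

# 1. The service account Terraform will run as. Grant it only the roles
#    its code needs (Compute Admin here, purely as an illustration).
resource "google_service_account" "terraform_runner" {
  account_id   = "terraform-runner"
  display_name = "Terraform runner"
}

resource "google_project_iam_member" "runner_compute_admin" {
  project = "my-project-id"
  role    = "roles/compute.admin"
  member  = "serviceAccount:${google_service_account.terraform_runner.email}"
}

# 2. Least privilege: grant Service Account Token Creator on the service
#    account's own IAM policy rather than on the project, so the user can
#    impersonate this one account and no other.
resource "google_service_account_iam_member" "alice_can_impersonate" {
  service_account_id = google_service_account.terraform_runner.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "user:alice@example.com"
}

# 3. An aliased provider that impersonates the service account. Terraform
#    authenticates with your user credentials, exchanges them for a
#    short-lived token for the service account, and never touches a
#    downloaded key. Resources that set `provider = google.impersonated`
#    are created as the service account, not as you.
provider "google" {
  alias                       = "impersonated"
  project                     = "my-project-id"
  impersonate_service_account = "terraform-runner@my-project-id.iam.gserviceaccount.com"
}

resource "google_compute_network" "example" {
  provider = google.impersonated
  name     = "example-network"
}
```

If the impersonating user lacks the Token Creator binding on that specific service account, the token exchange fails with a permission error before any resource is touched, which is the behaviour you want from a least-privilege setup.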
For the first method, set the GOOGLE_IMPERSONATE_SERVICE_ACCOUNT environment variable to that service account's email. For example: