Hi all,
I am trying to set up two Google gcloud providers within a single Terraform setup. Each provider needs to authenticate as a different Google account.
The only way I can see to specify specific accounts in the Google Terraform provider is through the credentials parameter. That only seems to accept a service account key JSON file. I am running Terraform from my local PC (with the state in a GCS bucket) and need others to be able to do the same.
I don’t want to have to either:
- Create a single static key file for a service account and distribute that to multiple people, since that is (1) unsafe, and (2) there is no way to revoke access to Google Cloud for a single user.
- Create a separate service account for each individual user. This just seems silly, since they already have Google accounts anyway.
I really think I am missing something here, because Google has a host of authentication patterns, but it looks like none of them are supported by the Terraform provider besides specifying static service account keys? That seems the worst security practice to me, and I can't imagine that being the default.
I tried the following options:
- Creating a service account, giving individual users permission to impersonate that service account, and using `gcloud auth application-default login --impersonate-service-account mysa@project.iam.gserviceaccount.com` to generate ADC credentials to specify in the credentials parameter.
- Directly using `gcloud auth application-default login` and specifying that file in the credentials parameter.
But all of them seem to result in `terraform validate` saying `Error: JSON credentials are not valid`.
Is there any other option I am missing to have a multi-user setup with Terraform without requiring sharing static keys for a service account?
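The pattern the post is looking for, as an added example that is not part of the original post: leave the `credentials` argument unset so the Google provider falls back to Application Default Credentials (each user's own `gcloud auth application-default login` identity), and let the provider itself mint short-lived tokens for a service account with its `impersonate_service_account` argument. The project IDs, bucket name, service account emails and user email below are placeholders.

```hcl
# Added example, not from the original post. Assumptions (all placeholders):
#   - every engineer has run: gcloud auth application-default login
#   - sa-a@project-a.iam.gserviceaccount.com and sa-b@project-b.iam.gserviceaccount.com exist
#   - each engineer holds roles/iam.serviceAccountTokenCreator on those two service accounts,
#     granted per user, e.g.:
#       gcloud iam service-accounts add-iam-policy-binding \
#         sa-a@project-a.iam.gserviceaccount.com \
#         --member=user:alice@example.com \
#         --role=roles/iam.serviceAccountTokenCreator
#     Revoking one person is removing that single binding; no key is ever created.

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 4.0"
    }
  }

  # The GCS backend authenticates through the same ADC chain as the provider.
  backend "gcs" {
    bucket = "my-tf-state-bucket" # placeholder
    prefix = "multi-account"
  }
}

# No "credentials" argument: the provider uses the caller's ADC (a user identity),
# then exchanges it for a short-lived access token for the named service account.
provider "google" {
  alias                       = "project_a"
  project                     = "project-a"
  region                      = "europe-west1"
  impersonate_service_account = "sa-a@project-a.iam.gserviceaccount.com"
}

# A second provider instance that authenticates as a different service account.
provider "google" {
  alias                       = "project_b"
  project                     = "project-b"
  region                      = "europe-west1"
  impersonate_service_account = "sa-b@project-b.iam.gserviceaccount.com"
}

# Each resource selects which identity to act as via the provider alias.
resource "google_storage_bucket" "in_a" {
  provider = google.project_a
  name     = "example-bucket-in-project-a" # placeholder, must be globally unique
  location = "EU"
}

resource "google_storage_bucket" "in_b" {
  provider = google.project_b
  name     = "example-bucket-in-project-b" # placeholder, must be globally unique
  location = "EU"
}
```

Two practical checks before relying on this: `gcloud auth application-default print-access-token` should succeed for the user running Terraform (proving ADC is in place without pointing `credentials` at the ADC file, which is where the "JSON credentials are not valid" error comes from when the file is not a service account key), and Cloud Audit Logs for the impersonated service account record the user principal that requested the token, so actions remain attributable to individuals even though the API calls are made as the service account.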