Closed: atos-ghassen-bchir closed this issue 3 years ago
@terradict the service account you were talking about is for Terraform runner. If you intend to use Terraform to manage GCP resources, you must give this account certain roles, at least to cover these resources.
You can create as many Terraform runners as you want, and give each one limited roles. But you might want to consider setting up roles (user groups) for users and deciding who can access the runner accounts. Below is an example you might reference.
@terradict Is this still a question?
Thanks for the answer @edwardmedia !
Indeed, I am realizing that in our case, there is no point in splitting the roles between several SAs, given that all the steps are executed at the same step. So I am closing this issue.
Thanks again!
I'm going to lock this issue because it has been closed for 30 days. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error, please reach out to my human friends at hashibot-feedback@hashicorp.com. Thanks!
Hi everyone!
In my team, we have been using Terraform with the Google provider for a while now.
As of today, we have one service account that has several (often admin) roles on our GCP project (to be able to do the tasks we ask it to do). As we are trying to improve our security best practices compliance, we are splitting that service account into several smaller ones (as recommended here https://cloud.google.com/iam/docs/using-iam-securely: least privilege principle).
However, we are facing a limitation on the Terraform Google provider side: it seems that, when using the "google" provider, we can only provide one service account (json key) in the [provider "google" / "credentials"] field. This service account seems to be used for all subsequent requests made to the Google API.
Is there a way to provide separate service accounts to manage separate resources? If not, does anyone know a workaround to do this (in a clean-ish way)?
Thanks for your help!
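One in-configuration way to run a single Terraform apply under several narrowly scoped identities, as an added example that is not part of this thread or of the provider's own documentation: each `google` provider block gets an `alias` and its own `credentials` key file, and every resource names the alias it should be created with. Project id, key paths, resource names and the role assignments in the comments are placeholders chosen for the example.

```hcl
# Added example (not from the thread). Two provider aliases, two service
# accounts, one Terraform run. Each SA is granted only the roles the resources
# that reference its alias need, e.g. (placeholders, assigned out of band):
#   tf-storage-sa  -> roles/storage.admin
#   tf-compute-sa  -> roles/compute.networkAdmin
terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
    }
  }
}

# Identity A: may only manage Cloud Storage.
provider "google" {
  alias       = "storage"
  project     = "my-gcp-project"                 # placeholder
  credentials = file("keys/tf-storage-sa.json")  # placeholder path
}

# Identity B: may only manage Compute Engine networking.
# Assumption: the provider's impersonate_service_account argument could be
# used here instead of a key file to avoid storing a long-lived JSON key.
provider "google" {
  alias       = "compute"
  project     = "my-gcp-project"                 # placeholder
  credentials = file("keys/tf-compute-sa.json")  # placeholder path
}

# Each resource selects its identity explicitly; a resource that references
# an alias its SA cannot act on fails at apply time with a 403 from the API,
# which is exactly the blast-radius limit the split is meant to give you.
resource "google_storage_bucket" "artifacts" {
  provider = google.storage
  name     = "my-gcp-project-artifacts"  # placeholder, must be globally unique
  location = "EU"
}

resource "google_compute_network" "vpc" {
  provider                = google.compute
  name                    = "tf-split-demo"      # placeholder
  auto_create_subnetworks = false
}
```

Because the credentials are bound per alias rather than per run, this keeps the "one runner, one pipeline" setup while still giving each resource family its own least-privilege account.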