
GCP Static Credentials

Follow these steps to authenticate against GCP

1. Create a new GCP Service Account Key

A service account is used to create your cloud resources.

Create Service Account

1. Navigate to Service Accounts in the GCP console

2. Select an existing project or the one you created in the previous step

3. Click CREATE SERVICE ACCOUNT

4. Service account name: terrateam

5. Click CREATE AND CONTINUE

6. Grant this service account access to project → Select a role

Choose Project Editor

Project Editor is a predefined GCP IAM role.

Permissions for this role include view, create, update, and delete for most Google Cloud resources.

This role is merely a suggestion. Choose whichever role makes the most sense for your organization.

7. Click DONE

Download Service Account Key

1. Navigate to Service Accounts in the GCP console

2. Select your newly created service account

3. Click KEYS

4. Click ADD KEY → Create new key

Key type: JSON

5. Click CREATE and save the key to your computer

2. Configure GCP credential environment variables

Credentials are securely stored in GitHub Secrets and exposed as obfuscated environment variables in the Terrateam GitHub Action.

The GCP credential environment variable is typically named:

  • GOOGLE_CREDENTIALS

  1. Navigate to the main page of your Terraform repository on GitHub
  2. Click ⚙️ Settings
  3. In the left sidebar, click Secrets → Actions
  4. Click New repository secret
     • Name: GOOGLE_CREDENTIALS
     • Value: <File content from your downloaded service account key>
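
Before pasting the file content into the secret, a pre-flight check can confirm that it really is a service account key for the intended account and project. The script below is an added example, not part of the Terrateam documentation; the function name, the project ID `example-project` and the sample key are constructed, and it assumes the standard `<name>@<project>.iam.gserviceaccount.com` address form for the `terrateam` account created above.

```python
import json

# Fields a GCP service account key file (key type: JSON) must carry.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")

# Constructed sample for illustration only; the private key is a placeholder.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "terrateam@example-project.iam.gserviceaccount.com",
})


def check_service_account_key(raw, expected_project, expected_name="terrateam"):
    """Return a list of problems in the key file content; an empty list means OK.

    The private key is never included in a message, so the output can be shared.
    """
    try:
        key = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return ["top-level JSON value is not an object"]

    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    if key.get("project_id") and key["project_id"] != expected_project:
        problems.append(f"key belongs to project {key['project_id']!r}")
    # Assumed address form for a user-created service account.
    expected_email = f"{expected_name}@{expected_project}.iam.gserviceaccount.com"
    if key.get("client_email") and key["client_email"] != expected_email:
        problems.append(f"client_email is {key['client_email']!r}")
    pem = key.get("private_key") or ""
    if pem and not pem.startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key block")
    return problems


if __name__ == "__main__":
    for line in check_service_account_key(SAMPLE_KEY, "example-project") or ["key file looks OK"]:
        print(line)
```

To check a real download, pass the file's text as `raw` and your own project ID as `expected_project`.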

3. GCP Provider Configuration

The google provider automatically detects and uses the GOOGLE_CREDENTIALS environment variable defined in the Terrateam GitHub Action runtime environment.

Example

The following is an example configuration that can be used with your newly created GOOGLE_CREDENTIALS GitHub secret.

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "3.5.0"
    }
  }
}

provider "google" {
  project = "<PROJECT_ID>"
  region  = "us-central1"
  zone    = "us-central1-c"
}