What is OIDC
OpenID Connect (OIDC) allows your GitHub Actions workflows to access resources in GCP, without having to store any credentials as long-lived GitHub secrets.
GCP
To use Terrateam with GCP, authentication and authorization need to be configured for your GCP account. Setup only takes a few minutes.
OpenID Connect (OIDC)
A Terraform module is available to easily create all of the GCP resources that Terrateam requires.
-
main.tfmodule "terraform_gcp_terrateam_setup" {source = "github.com/terrateamio/terraform-gcp-terrateam-setup"github_org = "GITHUB_ORG"project_id = "PROJECT_ID"service_account_description = "Terrateam service account"workload_identity_pool_id = "terrateam-pool"workload_identity_provider = "terrateam-provider"service_account_name = "terrateam"service_account_role = "roles/editor"}output "google_iam_workload_identity_pool_provider_github_provider_name" {value = module.terraform_gcp_terrateam_setup} -
Apply Changes
terraform apply
Configure Terrateam for OIDC
Create the .terrateam/config.yml configuration file at the root of your Terraform repository.
hooks: all: pre: - type: oidc provider: gcp service_account: "terrateam@PROJECT_ID.iam.gserviceaccount.com" workload_identity_provider: "WORKLOAD_IDENTITY_PROVIDER"Manual Instructions
Follow the instructions below to manually configure GCP for Terrateam authentication and authorization.
Expand for step-by-step OIDC and static credentials instructions
- Create a Terrateam service account
Terminal window gcloud iam service-accounts create terrateam \--description="Terrateam" \--display-name="Terrateam" \--project="$PROJECT_ID" - Create the workload identity pool
Terminal window gcloud iam workload-identity-pools create "terrateam-pool" \--project="${PROJECT_ID}" \--location="global" \--display-name="Terrateam pool" - Create the OIDC provider
Terminal window gcloud iam workload-identity-pools providers create-oidc "terrateam-provider" \--project="${PROJECT_ID}" \--location="global" \--workload-identity-pool="terrateam-pool" \--display-name="Terrateam provider" \--attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner" \--issuer-uri="https://token.actions.githubusercontent.com" - Create IAM policy bindings
Terminal window gcloud iam service-accounts add-iam-policy-binding "terrateam@${PROJECT_ID}.iam.gserviceaccount.com" \--project="${PROJECT_ID}" \--role="roles/iam.workloadIdentityUser" \--member="principalSet://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/terrateam-pool/attribute.repository_owner/${GITHUB_ORG}"Terminal window gcloud projects add-iam-policy-binding ${PROJECT_ID} \--member="serviceAccount:terrateam@${PROJECT_ID}.iam.gserviceaccount.com" \--role='roles/editor' - Configure Terrateam for OIDC
- Create a
terrateamservice accountTerminal window gcloud iam service-accounts create terrateam \--description="Terrateam" \--display-name="Terrateam" \--project="$PROJECT_ID" - Add the
roles/editorIAM policy bindingTerminal window gcloud projects add-iam-policy-binding "$PROJECT_ID" \--member="serviceAccount:terrateam@$PROJECT_ID.iam.gserviceaccount.com" \--role="roles/editor" - Create and download the service account key
Terminal window gcloud iam service-accounts keys create terrateam-service-account-key.json \--iam-account="terrateam@$PROJECT_ID.iam.gserviceaccount.com" - Export your Terraform
organization/repocombination as an environment variable.Terminal window export REPO="<OWNER/REPO>" - Create the GCP Service Account Key GitHub Secret
Terminal window gh secret --repo "$REPO" set GOOGLE_CREDENTIALS < terrateam-service-account-key.json
You are now able to use Terrateam for plan and apply operations against GCP resources.