Static Credentials

Quick Start

Static credentials are the fastest way to get Terrateam working with GCP. You’ll create a GCP service account with programmatic access and store the credentials as GitHub secrets.

Setup Steps

1. Create a Service Account

   Create a dedicated service account for Terrateam in your GCP project:

   gcloud iam service-accounts create terrateam \
   --description="Terrateam service account" \
   --display-name="Terrateam" \
   --project="$PROJECT_ID"

   Set PROJECT_ID

   Make sure to set your PROJECT_ID environment variable:

   export PROJECT_ID="your-gcp-project-id"

2. Attach IAM Role

   Attach an IAM role to give Terrateam the necessary permissions. We suggest roles/editor as a starting point:

   gcloud projects add-iam-policy-binding "$PROJECT_ID" \
   --member="serviceAccount:terrateam@$PROJECT_ID.iam.gserviceaccount.com" \
   --role="roles/editor"

   Choose Your Role

   roles/editor is just a suggestion for getting started quickly. You should choose the role that best fits your security requirements:

   • roles/editor - Broad permissions, good for testing and development
   • Custom roles - More restrictive, recommended for production environments
   • Other predefined roles - Choose based on your specific needs

3. Create Service Account Key

   Generate a service account key file:

   gcloud iam service-accounts keys create terrateam-service-account-key.json \
   --iam-account="terrateam@$PROJECT_ID.iam.gserviceaccount.com"

   Save Your Key File

   The terrateam-service-account-key.json file contains sensitive credentials. Keep it secure and don’t commit it to version control.

4. Set GitHub Secret

   Add the GCP service account key as a secret to your GitHub repository:

   # Set your repository (replace with your actual org/repo)
   export REPO="your-org/your-repo"
   
   # Create the Google Credentials secret from the key file
   gh secret --repo "$REPO" set GOOGLE_CREDENTIALS < terrateam-service-account-key.json

   Clean Up

   After setting the GitHub secret, you can safely delete the local key file:

   rm terrateam-service-account-key.json

Security Considerations

Security Best Practices

While static credentials are the easiest way to get started, consider these security practices:

• Use least privilege: Only grant the minimum roles Terrateam needs
• Rotate keys regularly: Create new service account keys periodically and delete old ones
• Monitor usage: Use GCP’s Cloud Audit Logs to monitor Terrateam’s activities
• Consider OIDC for production: For production environments, OIDC setup provides better security

Next Steps

Now that you have GCP authentication configured, you are now able to use Terrateam for plan and apply operations against GCP resources.

• Read about Terrateam configuration to customize your workflows
• Learn about advanced workflows for more complex setups
• Consider migrating to OIDC authentication for enhanced security