Reputation: 189
Managing core infrastructure with terraform using service account in Google Cloud
I am using Terraform v0.13.5.1 and want to manage core infrastructure like creating Folder, IAM roles on Folder, Organization Policies, creating Projects, creating Service Accounts etc.
Question: We cannot create Service accounts at organization level or at folder level, so how to manage this infra with Service Account?
Thanks
Upvotes: 1
Views: 934
Answers (2)
Reputation: 81454
Service Accounts are created for and owned by a Project. You can create a service account in any project and then use that service account in any project/folder/organization including ones that you do not own or manage. For example, I can add your service account to my project if I know the email address.
Once you have created a service account, you can add that service account to IAM at the Organization and Folder level assigning the appropriate roles such as Folder Admin, Organization Admin, Project Creator, etc. Try to use least privilege as these permissions are inherited at child levels: (Org->Folder(s)->Project(s)) or (Folder->Project(s)).
Once you have created the service account and assigned the correct roles, you can configure Terraform to use that service account either setting the environment variable GOOGLE_APPLICATION_CREDENTIALS to point to the service account JSON file or by specifying google provider credentials in your *.tf file.
Upvotes: 1
Reputation: 361
As you said, creating a service account at organisation level is not possible. So solution is, for the first time, create a project and create a service account under that project which can be used by Terraform from then.
You can do above operations through GCP console or gcloud command line. Or even you can do this initial run with Terraform with authenticating as a normal user instead of service account (ie run Terraform with your user, provided you have privileges to create project, service account and set org/folder level policies etc).
Its possible to give and organisation or folder level roles for a service account even if it's just part of a project. In order to have privileges to create Folder, Organisation policies, create service account etc, you can grant reqiured privileges to that service account by referring https://cloud.google.com/iam/docs/understanding-roles
For example
- For creating Folder and managing IAM policies -
roles/resourcemanager.folderAdmin - For Organisation policies -
roles/orgpolicy.policyAdmin - For creating projects -
roles/resourcemanager.projectCreatoretc..
Upvotes: 0
Related Questions
- Google Cloud credentials with Terraform
- Create GCP service account and store service account key in secret manager in terraform
- GCP "omnipotent" Service Account to create multiple services through Terraform
- Add existing Service account to terraform Google compute instance
- Using Terraform to create a service account with IAM roles
- How To Grant GCP Organization Level Permissions to Service Account via Command Line
- How to use Terraform `google_app_engine_domain_mapping` with service account?
- How to properly create gcp service-account with roles in terraform
- adding existing GCP service account to Terraform root module for cloudbuild to build Terraform configuration
- terraform GCE service account stanza