Reputation: 189
I am using Terraform v0.13.5.1 and want to manage core infrastructure like creating Folder, IAM roles on Folder, Organization Policies, creating Projects, creating Service Accounts etc.
Question: We cannot create Service accounts at organization level or at folder level, so how do we manage this infra with a Service Account?
Thanks
Upvotes: 1
Views: 933
Reputation: 81454
Service Accounts are created for and owned by a Project. You can create a service account in any project and then use that service account in any project/folder/organization including ones that you do not own or manage. For example, I can add your service account to my project if I know the email address.
Once you have created a service account, you can add that service account to IAM at the Organization and Folder level assigning the appropriate roles such as Folder Admin, Organization Admin, Project Creator, etc. Try to use least privilege as these permissions are inherited at child levels: (Org->Folder(s)->Project(s)) or (Folder->Project(s)).
Once you have created the service account and assigned the correct roles, you can configure Terraform to use that service account either by setting the environment variable GOOGLE_APPLICATION_CREDENTIALS to point to the service account JSON file or by specifying google provider credentials in your *.tf file.
Upvotes: 1
Reputation: 361
As you said, creating a service account at organisation level is not possible. So the solution is, for the first time, to create a project and create a service account under that project which can be used by Terraform from then on.
You can do the above operations through the GCP console or the gcloud command line. Or you can even do this initial run with Terraform, authenticating as a normal user instead of a service account (i.e. run Terraform with your user, provided you have privileges to create the project, the service account and set org/folder level policies etc.).
It's possible to give organisation- or folder-level roles to a service account even if it's just part of a project. In order to have privileges to create Folders, Organisation policies, create service accounts etc., you can grant the required privileges to that service account by referring to https://cloud.google.com/iam/docs/understanding-roles
For example
roles/resourcemanager.folderAdmin
roles/orgpolicy.policyAdmin
roles/resourcemanager.projectCreator
etc.
Upvotes: 0
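The procedure both answers describe (bootstrap a seed project as a human, create the service account there, bind it at org/folder level, then point Terraform at it) written out as Terraform configuration. This is an added example, not code from either answer or from any Google project. The variables org_id and billing_account, the project id tf-seed-1234, the folder name platform and the operator admin@example.com are all hypothetical placeholders; stage 2 is shown in the same block for readability but belongs in a separate root module that is applied after stage 1 has succeeded.

```hcl
# Added illustration (not from the original answers). Placeholders:
# var.org_id, var.billing_account, "tf-seed-1234", "admin@example.com".

terraform {
  required_version = ">= 0.13"
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 3.40" # impersonate_service_account needs 3.40+
    }
  }
}

variable "org_id"          { type = string } # numeric organization id
variable "billing_account" { type = string } # billing account id

# --- Stage 1: bootstrap, applied once by a human who already holds
#     Project Creator + Organization Administrator on the org. -----------
# No credentials block on purpose: the aliased provider picks up the
# operator's own ADC from `gcloud auth application-default login`.
provider "google" {
  alias = "bootstrap"
}

# Seed project whose only job is to own the Terraform service account.
resource "google_project" "seed" {
  provider        = google.bootstrap
  name            = "tf-seed"
  project_id      = "tf-seed-1234" # hypothetical; must be globally unique
  org_id          = var.org_id
  billing_account = var.billing_account
}

resource "google_project_service" "seed" {
  provider = google.bootstrap
  for_each = toset(["cloudresourcemanager.googleapis.com", "iam.googleapis.com"])
  project  = google_project.seed.project_id
  service  = each.key
}

resource "google_service_account" "terraform" {
  provider     = google.bootstrap
  project      = google_project.seed.project_id
  account_id   = "terraform"
  display_name = "Terraform folder/project/org-policy automation"
  depends_on   = [google_project_service.seed]
}

# Org-level bindings for a project-owned service account. These are
# inherited by every folder and project beneath the org, so keep the
# list to what the pipeline really needs (no roles/owner, and no
# roles/resourcemanager.organizationAdmin unless it must edit org IAM).
resource "google_organization_iam_member" "terraform" {
  provider = google.bootstrap
  for_each = toset([
    "roles/resourcemanager.folderAdmin",
    "roles/resourcemanager.projectCreator",
    "roles/orgpolicy.policyAdmin",
  ])
  org_id = var.org_id
  role   = each.key
  member = "serviceAccount:${google_service_account.terraform.email}"
}

# Let the operator mint short-lived tokens for the SA instead of
# downloading a long-lived JSON key.
resource "google_service_account_iam_member" "operator_impersonates" {
  provider           = google.bootstrap
  service_account_id = google_service_account.terraform.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "user:admin@example.com" # hypothetical operator
}

# --- Stage 2: provider for the real infrastructure root module. ---------
# The SA email is written out rather than referenced so the provider
# configuration never depends on a resource created in the same run.
provider "google" {
  impersonate_service_account = "terraform@tf-seed-1234.iam.gserviceaccount.com"
  # Alternative from the answers above: export GOOGLE_APPLICATION_CREDENTIALS
  # to a key file for this SA, or set `credentials = file("sa.json")` here.
}

resource "google_folder" "platform" {
  display_name = "platform"
  parent       = "organizations/${var.org_id}"
}

# Folder-scoped grant: narrower than the org-level binding above, and the
# pattern to prefer when an SA only needs to manage one subtree.
resource "google_folder_iam_member" "platform_project_creator" {
  folder = google_folder.platform.name # "folders/<id>"
  role   = "roles/resourcemanager.projectCreator"
  member = "serviceAccount:terraform@tf-seed-1234.iam.gserviceaccount.com"
}
```

Stage 1 is run once with the operator's user credentials; every later `terraform apply` from the infrastructure module then acts as the service account via impersonation, which avoids keeping a service account key file on disk or in CI and keeps the human principal visible in Cloud Audit Logs alongside the impersonated account. If you do use GOOGLE_APPLICATION_CREDENTIALS with a downloaded key instead, treat that file as a long-lived organization-wide credential and rotate it accordingly.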