d.s

Reputation: 189

Managing core infrastructure with terraform using service account in Google Cloud

I am using Terraform v0.13.5.1 and want to manage core infrastructure like creating Folder, IAM roles on Folder, Organization Policies, creating Projects, creating Service Accounts etc.

Question: We cannot create Service Accounts at the organization level or at the folder level, so how do we manage this infra with a Service Account?

Thanks

Upvotes: 1

Views: 933

Answers (2)

John Hanley

Reputation: 81454

Service Accounts are created for and owned by a Project. You can create a service account in any project and then use that service account in any project/folder/organization including ones that you do not own or manage. For example, I can add your service account to my project if I know the email address.

Once you have created a service account, you can add that service account to IAM at the Organization and Folder level assigning the appropriate roles such as Folder Admin, Organization Admin, Project Creator, etc. Try to use least privilege as these permissions are inherited at child levels: (Org->Folder(s)->Project(s)) or (Folder->Project(s)).

Once you have created the service account and assigned the correct roles, you can configure Terraform to use that service account either by setting the environment variable GOOGLE_APPLICATION_CREDENTIALS to point to the service account JSON file or by specifying google provider credentials in your *.tf file.

Upvotes: 1

Syam Sankar

Reputation: 361

As you said, creating a service account at the organisation level is not possible. So the solution is, for the first time, to create a project and create a service account under that project, which can be used by Terraform from then on.

You can do the above operations through the GCP console or the gcloud command line. Or you can even do this initial run with Terraform, authenticating as a normal user instead of a service account (i.e. run Terraform as your user, provided you have privileges to create projects and service accounts and to set org/folder level policies etc.).

It's possible to grant organisation or folder level roles to a service account even if it's just part of a project. In order to have privileges to create Folders, Organisation policies, service accounts etc., you can grant the required privileges to that service account by referring to https://cloud.google.com/iam/docs/understanding-roles

For example

  • For creating Folder and managing IAM policies - roles/resourcemanager.folderAdmin
  • For Organisation policies - roles/orgpolicy.policyAdmin
  • For creating projects - roles/resourcemanager.projectCreator etc.

Upvotes: 0
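The bootstrap that both answers describe, written out as an added example (this is not code from either answer or from the original question): a seed project owned by the organization, a service account created inside it, organization-level IAM bindings for the three roles listed in the second answer, and a provider block that runs Terraform as that account. The organization id, billing account, project id `org-seed-tf`, account id `terraform-org` and the operator `alice@example.com` are all assumed placeholders.

```hcl
# bootstrap/main.tf
# Run once as a human user who already holds Organization Admin and
# Project Creator on the org (e.g. after `gcloud auth application-default login`).

variable "org_id"          { type = string } # assumed, e.g. "123456789012"
variable "billing_account" { type = string } # assumed, e.g. "AAAAAA-BBBBBB-CCCCCC"
variable "seed_project_id" { type = string } # assumed, e.g. "org-seed-tf"

provider "google" {}

# 1. A dedicated seed project whose only job is to own the Terraform identity.
resource "google_project" "seed" {
  name            = var.seed_project_id
  project_id      = var.seed_project_id
  org_id          = var.org_id
  billing_account = var.billing_account
}

# APIs the service account will call from this project.
resource "google_project_service" "seed_apis" {
  for_each = toset([
    "cloudresourcemanager.googleapis.com",
    "iam.googleapis.com",
    "orgpolicy.googleapis.com",
  ])
  project = google_project.seed.project_id
  service = each.key
}

# 2. The service account is created in (and owned by) the seed project ...
resource "google_service_account" "terraform" {
  project      = google_project.seed.project_id
  account_id   = "terraform-org" # assumed name
  display_name = "Terraform organization automation"
}

# 3. ... but its roles are bound at the organization level, so they are
#    inherited by every folder and project underneath (keep this list minimal).
locals {
  org_roles = [
    "roles/resourcemanager.folderAdmin",    # create folders, manage folder IAM
    "roles/resourcemanager.projectCreator", # create projects
    "roles/orgpolicy.policyAdmin",          # manage organization policies
  ]
}

resource "google_organization_iam_member" "terraform" {
  for_each = toset(local.org_roles)
  org_id   = var.org_id
  role     = each.key
  member   = "serviceAccount:${google_service_account.terraform.email}"
}

# 4. Allow a named operator to impersonate the account instead of downloading
#    a long-lived JSON key.
resource "google_service_account_iam_member" "token_creator" {
  service_account_id = google_service_account.terraform.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "user:alice@example.com" # assumed operator identity
}

output "terraform_sa_email" {
  value = google_service_account.terraform.email
}

# org/providers.tf
# Day-two configuration, run as the service account. Either export
# GOOGLE_APPLICATION_CREDENTIALS pointing at a key file, as the first answer
# describes, or (preferably) impersonate the account from a human login.
provider "google" {
  impersonate_service_account = "terraform-org@org-seed-tf.iam.gserviceaccount.com" # assumed
}

# First managed resource: a folder directly under the organization
# (var.org_id declared as in the bootstrap module).
resource "google_folder" "platform" {
  display_name = "platform"
  parent       = "organizations/${var.org_id}"
}
```

Two practical caveats. If the day-two configuration creates projects with a `billing_account`, the service account also needs `roles/billing.user` on that billing account; none of the three organization roles above grants it. And because these bindings sit at the organization node, the service account effectively controls every folder and project in the hierarchy, so the seed project, the account's key material (if you do create keys) and the Terraform state should be protected at least as carefully as an Organization Admin's own credentials.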
