Reputation: 1371
I have a Google Cloud/Terraform project wherein I'm using Terraform to send files to a Google Cloud Storage bucket. I have a JSON file of the service account credentials, which I've encrypted using Cloud KMS, e.g.
# Encrypt the service account key with Cloud KMS; the ciphertext is written to
# stdout (--ciphertext-file -) so that base64 actually has data to encode.
gcloud kms encrypt \
  --key key \
  --keyring key-ring \
  --location location \
  --plaintext-file file-with-data-to-encrypt \
  --ciphertext-file - \
  | base64
However, I want to use these encrypted credentials in a Terraform project, e.g.
provider "google" {
  credentials = file("ENCRYPTED-CREDS")
  project     = var.project
  region      = "europe-west2"
}
My question is: how do I decrypt these credentials in Terraform and/or use the encrypted credentials?
Upvotes: 0
Views: 1188
Reputation: 75970
Your question is a dead loop!
So, at some moment, you need to have your credential in plain text. Typically, when you run Terraform, the credential needs to be decrypted. So, the credential needs to be decrypted outside of GCP.
Now, I don't know your runtime environment. Is it on GCP? Elsewhere? Previously I used GitLab CI and I put the secret in GitLab secret variables.
Upvotes: 0
Reputation: 3794
Terraform includes a google_kms_secret data source to use the encrypted data with Cloud KMS within your resource definitions.
There is an example usage within the docs that you can use as a basis for the steps to follow.
Basically you need to create a keyRing and a cryptoKey resource.
Encrypt the JSON file using the gcloud command you mention and finally reference the encrypted ciphertext in your resource definitions.
The following section of the docs can also prove useful.
Upvotes: 0
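The steps in the answer above, written out as an added example (not code from any of the posters or from the Terraform provider docs): a key ring, a crypto key, a google_kms_secret data source that decrypts a ciphertext produced by the gcloud command from the question, and a resource that consumes the plaintext. The ciphertext value, the project, the key names and the google_sql_user consumer are constructed placeholders. One caveat follows from the first answer: the data source runs through the already-authenticated google provider, so it cannot decrypt the provider's own credentials; those must come from the runner's environment (for example Application Default Credentials or a CI secret variable), and KMS-encrypted ciphertext is then used for the other secrets in the configuration.

```hcl
# Constructed example: decrypt a Cloud KMS ciphertext inside Terraform.
# The provider itself must already be authenticated (ADC, GOOGLE_APPLICATION_CREDENTIALS,
# or a CI secret); it cannot bootstrap its own credentials from google_kms_secret.
provider "google" {
  project = "my-project"      # placeholder
  region  = "europe-west2"
}

# Key ring and crypto key that the gcloud command from the question encrypts with.
resource "google_kms_key_ring" "secrets" {
  name     = "key-ring"       # matches --keyring in the gcloud command
  location = "europe-west2"   # matches --location
}

resource "google_kms_crypto_key" "secrets" {
  name            = "key"     # matches --key
  key_ring        = google_kms_key_ring.secrets.id
  rotation_period = "7776000s" # 90 days; rotation keeps old versions usable for decrypt
}

# Output of: gcloud kms encrypt ... --ciphertext-file - | base64
# The value below is a constructed placeholder, not real ciphertext.
variable "db_password_ciphertext" {
  type      = string
  sensitive = true
  default   = "CiQAREPLACE_WITH_BASE64_CIPHERTEXT_FROM_GCLOUD=="
}

# Terraform calls the KMS decrypt API at plan time using the provider's identity;
# the identity needs roles/cloudkms.cryptoKeyDecrypter on the crypto key.
data "google_kms_secret" "db_password" {
  crypto_key = google_kms_crypto_key.secrets.id
  ciphertext = var.db_password_ciphertext
}

# Constructed consumer of the decrypted secret. The plaintext is marked sensitive
# by the data source, so Terraform redacts it in plan output, but it is still
# written to the state file: protect the state backend accordingly.
resource "google_sql_user" "app" {
  name     = "app"
  instance = "my-sql-instance" # placeholder
  password = data.google_kms_secret.db_password.plaintext
}
```

Because the decrypted plaintext ends up in Terraform state, the state bucket should be access-controlled and encrypted just as the original credential file would be; the KMS ciphertext in version control is safe to commit only as long as the crypto key's IAM policy is kept tight.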