My terraform gcp provider config looks like
```hcl
provider "google" {
  project     = var.project
  region      = var.region
  credentials = file("account.json")
}
```
I want to run my terraform file on terraform cloud and I don't want to put the account.json file in source control. How can I store the json GCP service account file in terraform cloud and then access it from the terraform script?
You can supply the credentials as a Multi-Line value called google_credentials in the Terraform Cloud UI and mark it as a Sensitive Value and enter something like this with the correct values for your account (likely just a copy paste of your account.json file you have already):
```json
{
  "type": "service_account",
  "project_id": "project-id",
  "private_key_id": "key-id",
  "private_key": "-----BEGIN PRIVATE KEY-----\nprivate-key\n-----END PRIVATE KEY-----\n",
  "client_email": "service-account-email",
  "client_id": "client-id",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
}
```
You can then provide the credentials from the workspace variable to your google provider in your Terraform module as follows as a single variable which will be interpreted as JSON:
```hcl
provider "google" {
  project     = var.project
  region      = var.region
  credentials = var.google_credentials
}

variable "google_credentials" {
  description = "the contents of a service account key file in JSON format."
  type        = string
}
```
credentials - (Optional) Either the path to or the contents of a service account key file in JSON format. You can manage key files using the Cloud Console.
From Google Provider Configuration Reference.
A better answer would be to remove the newline in the service account key file by running
```sh
tr -d '\n' < current_service_key.json > no_new_line_key.json
```
Paste the content of "no_new_line_key.json" to the variable section of Terraform Cloud and use any of the variable names such as GOOGLE_CREDENTIALS or GOOGLE_CLOUD_KEYFILE_JSON documented here: https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference. I used GOOGLE_CREDENTIALS.
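A pre-paste check for the single-line step described above, as an added example that is not part of either answer: it validates the key file's contents and emits compact JSON, failing loudly on a truncated or malformed paste instead of leaving the error to the provider at plan time. The function name `compact_service_account_key`, the constant names and the sample key are constructed for illustration.

```python
import json
import sys

# Fields the provider needs from the key file (names as in the answer's sample).
REQUIRED = ("type", "project_id", "private_key_id", "private_key",
            "client_email", "token_uri")

# Constructed sample, not a real key. Raw string keeps the JSON "\n" escapes.
SAMPLE_KEY = r"""{
  "type": "service_account",
  "project_id": "project-id",
  "private_key_id": "key-id",
  "private_key": "-----BEGIN PRIVATE KEY-----\nprivate-key\n-----END PRIVATE KEY-----\n",
  "client_email": "service-account-email",
  "token_uri": "https://accounts.google.com/o/oauth2/token"
}"""


def compact_service_account_key(raw: str) -> str:
    """Validate a key file's contents and return them as single-line JSON."""
    try:
        key = json.loads(raw)
    except json.JSONDecodeError as exc:
        # Report position only; never echo the secret material itself.
        raise ValueError(f"not valid JSON ({exc.msg}, line {exc.lineno})") from None
    if not isinstance(key, dict):
        raise ValueError("key file must be a JSON object")
    bad = [n for n in REQUIRED if not isinstance(key.get(n), str) or not key[n]]
    if bad:
        raise ValueError("missing or non-string fields: " + ", ".join(bad))
    if key["type"] != "service_account":
        raise ValueError("type must be 'service_account'")
    pem = key["private_key"].strip()
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and pem.endswith("-----END PRIVATE KEY-----")):
        raise ValueError("private_key is not a PEM block")
    one_line = json.dumps(key, separators=(",", ":"))
    # Compaction must not change any value, including the key's "\n" escapes.
    if "\n" in one_line or json.loads(one_line) != key:
        raise ValueError("compaction altered the key")
    return one_line


if __name__ == "__main__":
    # Usage: python compact_key.py account.json  (script name is an assumption)
    with open(sys.argv[1], encoding="utf-8") as handle:
        print(compact_service_account_key(handle.read()))
```

The output goes to stdout, so paste it straight into the sensitive workspace variable rather than redirecting it to a file inside the repository.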