Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to store GCP Service Account JSON in a terrafrom variable?

Tags:

terraform

terraform-provider-gcp

terraform-cloud

My terraform gcp provider config looks like

provider "google" {
  project     = var.project
  region      = var.region
  credentials = file("account.json")
}

I want to run my terraform file on terraform cloud and I don't want want to put the account.json file in source control. How can I store the json GCP service account file in terraform cloud and then access it from the terraform script?

like image 772
ams Avatar asked Mar 02 '23 08:03

ams

2 Answers

You can supply the credentials as an Multi-Line value called google_credentials in the Terraform Cloud UI and mark it as a Sensitive Value and enter something like this with the correct values for your account (likely just a copy paste of your account.json file you have already):

{
  "type": "service_account",
  "project_id": "project-id",
  "private_key_id": "key-id",
  "private_key": "-----BEGIN PRIVATE KEY-----\nprivate-key\n-----END PRIVATE KEY-----\n",
  "client_email": "service-account-email",
  "client_id": "client-id",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
}

You can then provide the credentials from the workspace variable to your google provider in your Terraform module as follows as a single variable which will be interpreted as JSON:

provider "google" {
  project     = var.project
  region      = var.region
  credentials = var.google_credentials
}

variable "google_credentials" {
  description = "the contents of a service account key file in JSON format."
  type = string
}

credentials - (Optional) Either the path to or the contents of a service account key file in JSON format. You can manage key files using the Cloud Console.

From Google Provider Configuration Reference.

like image 107
Alain O'Dea Avatar answered Mar 31 '23 22:03

Alain O'Dea

A better answer would be to remove the newline in the service account key file by running

tr -d '\n' < current_service_key.json > no_new_line_key.json

Paste the content of "no_new_line_key.json" to the variable section of Terraform Cloud and use any of the variable names such as GOOGLE_CREDENTIALS or GOOGLE_CLOUD_KEYFILE_JSON documented here:(https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference). I used GOOGLE_CREDENTIALS

Screenshot of the configuration

like image 32
Thien Phan Avatar answered Mar 31 '23 21:03

Thien Phan
Sign in to Comment

Related questions

AWS: Using a KMS-encrypted master password to create a RDS instance
Terraform - resource repeated multiple times
Terraform aws_lb_ssl_negotiation_policy using AWS Predefined SSL Security Policies
How to get an instance id / arn of an existing ec2 instance via terraform?
How to fetch the Public IP of the newly launched machine using Terraform
Create custom domain for app services via terraform
Terraform: What is the uri-parameter for an aws_api_gateway_integration if target is an aws_sfn_state_machine
Terraform Cognito User Pool gets recreated on every apply
Getting unsupported attribute error in terraform when using for_each expression
How to fetch a value from list of maps in terraform 0.12 based on condition
Mixing Terraform and Serverless Framework
Want to assign multiple Google cloud IAM roles against a service account via terraform
How to attach existing EC2 instances to auto scaling group in terraform?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!