šŸ¶
Terraform

Managing Google Cloud Credentials with Terraform

By Ondřej DolanskĆ½ on 01/07/2025

Learn how to securely manage and deploy Google Cloud credentials in your Terraform infrastructure for seamless automation and enhanced security.

Managing Google Cloud Credentials with Terraform

Table of Contents

Introduction

When using Terraform to manage your Google Cloud resources, secure authentication is crucial. This article outlines the recommended methods to authenticate Terraform to Google Cloud, enabling you to interact with your GCP resources seamlessly. We'll explore two primary approaches: using Application Default Credentials (ADC) for local development and leveraging Service Accounts for automated scenarios like CI/CD pipelines.

Step-by-Step Guide

The recommended way to authenticate Terraform to Google Cloud is using Application Default Credentials (ADC).

  1. Install Google Cloud SDK (gcloud).
  2. Authenticate using User Application Default Credentials: 
    gcloud auth application-default login
    This will allow Terraform to use your local credentials to authenticate with GCP.

Using Service Accounts (for automation and CI/CD):

  1. Create a Google Cloud Service Account and grant it necessary permissions.
  2. Download the Service Account Key file (JSON format).
  3. Set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of your Service Account Key file: 
    export GOOGLE_APPLICATION_CREDENTIALS="/path/to/your/keyfile.json"

Alternatively, you can provide the credentials directly in your Terraform code:

provider "google" {
  credentials = file("/path/to/your/keyfile.json")
  project     = "your-project-id"
  region      = "your-region"
  zone        = "your-zone"
}

Note: Storing credentials directly in code is generally discouraged for security reasons. It's best to use environment variables or secure secret management solutions.

Code Example

This code provides two examples of authenticating Terraform to Google Cloud. The first example uses Application Default Credentials (ADC) to deploy a Google Cloud Storage bucket. It guides you through installing Google Cloud SDK, authenticating using ADC, and creating a Terraform configuration file to deploy the bucket. The second example uses a Service Account Key file and an environment variable to deploy a Google Compute Engine instance. It explains how to create a Service Account, download its key file, set the GOOGLE_APPLICATION_CREDENTIALS environment variable, and create a Terraform configuration file to deploy the instance. Both examples include instructions on running Terraform to apply the configurations.

This example demonstrates how to use ADC to deploy a simple Google Cloud Storage bucket.

1. Install Google Cloud SDK and authenticate:

# Install Google Cloud SDK (if not already installed)
# https://cloud.google.com/sdk/docs/install

# Authenticate using User Application Default Credentials
gcloud auth application-default login

2. Create a Terraform configuration file (main.tf):

terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
      version = "~> 4.0"
    }
  }
}

resource "google_storage_bucket" "example" {
  name          = "my-tf-bucket-adc"
  location      = "US"
  force_destroy = false
}

3. Run Terraform:

terraform init
terraform apply

Example using Service Account Key file and environment variable

This example demonstrates how to use a Service Account Key file with an environment variable to deploy a Google Compute Engine instance.

1. Create a Service Account and download its key file:

  • Follow the instructions in the Google Cloud Console to create a Service Account.
  • Grant the Service Account necessary permissions (e.g., Compute Engine Admin).
  • Download the Service Account Key file in JSON format.

2. Set the GOOGLE_APPLICATION_CREDENTIALS environment variable:

export GOOGLE_APPLICATION_CREDENTIALS="/path/to/your/keyfile.json"

3. Create a Terraform configuration file (main.tf):

terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
      version = "~> 4.0"
    }
  }
}

resource "google_compute_instance" "default" {
  name         = "terraform-instance"
  machine_type = "n1-standard-1"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  network_interface {
    network = "default"
  }
}

4. Run Terraform:

terraform init
terraform apply

Note: Remember to replace placeholders like /path/to/your/keyfile.json, your-project-id, your-region, and your-zone with your actual values.

This code demonstrates both recommended methods for authenticating Terraform to Google Cloud. Choose the method that best suits your needs and security requirements.

Additional Notes

Security Best Practices:

  • Principle of Least Privilege: Grant Service Accounts only the permissions they need for their specific tasks. Avoid using overly permissive roles.
  • Secret Management:
    • Never store Service Account Key files directly in your code repository.
    • Use secure secret management solutions like HashiCorp Vault, Google Cloud Secret Manager, or environment variables in CI/CD environments.
  • Key Rotation: Regularly rotate Service Account Keys to minimize the impact of compromised credentials.

Other Authentication Methods:

  • Workload Identity Federation: Suitable for authenticating from non-Google environments like AWS or on-premises, allowing you to use existing identity providers.
  • Google Cloud CLI (gcloud) in CI/CD: You can authenticate to gcloud within your CI/CD pipeline and then use gcloud commands to interact with GCP, indirectly authenticating Terraform.

Troubleshooting:

  • Permissions Errors: Double-check that your Service Account has the necessary permissions to perform the actions defined in your Terraform code.
  • Credential Parsing Issues: Ensure that your Service Account Key file is in valid JSON format and that the GOOGLE_APPLICATION_CREDENTIALS environment variable is set correctly.
  • ADC Issues: If using ADC, make sure you are logged in to the correct Google Cloud account using gcloud auth application-default login.

Additional Considerations:

  • Terraform Cloud/Enterprise: These platforms offer integrated workflows for managing Google Cloud credentials securely.
  • Terraform Google Provider Documentation: Always refer to the official Terraform Google Provider documentation for the most up-to-date information on authentication and best practices: https://registry.terraform.io/providers/hashicorp/google/latest/docs

Summary

Method Description Use Case Security Considerations
Application Default Credentials (ADC) Uses your local Google Cloud SDK credentials. Local development and testing. Convenient but less secure for automation.
Service Accounts Leverages a dedicated Google Cloud Service Account with specific permissions. Automation, CI/CD pipelines. More secure for automation, especially when combined with environment variables or secret management solutions.

Steps for ADC:

  1. Install Google Cloud SDK (gcloud).
  2. Run gcloud auth application-default login.

Steps for Service Accounts:

  1. Create a Service Account in Google Cloud Console.
  2. Grant necessary permissions to the Service Account.
  3. Download the Service Account Key file (JSON).
  4. Recommended: Set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the key file path.
  5. Alternative (less secure): Provide the key file path directly in the credentials argument of your Terraform Google provider configuration.

Important: Avoid storing credentials directly in code. Prioritize environment variables or dedicated secret management solutions for enhanced security.

Conclusion

In conclusion, authenticating Terraform to Google Cloud securely is paramount for managing your infrastructure effectively. Whether you choose Application Default Credentials for local development or leverage Service Accounts for automated workflows, understanding the nuances of each approach is essential. By adhering to security best practices such as the principle of least privilege, secret management, and key rotation, you can ensure the integrity and confidentiality of your Google Cloud resources. Remember to consult the official Terraform Google Provider documentation for the latest updates and best practices. By mastering these authentication methods, you can confidently harness the power of Terraform to streamline your Google Cloud infrastructure deployments and management.

References

Authenticate to GCP Set up Google Cloud Service Account D...

Were You Able to Follow the Instructions?

šŸ˜Love it!
šŸ˜ŠYes
šŸ˜Meh-gical
šŸ˜žNo
šŸ¤®Clickbait

Related posts

AccessDenied: Fix CopyObject Errors in [Platform]

Learn how to troubleshoot and resolve the frustrating "AccessDenied" error when using the CopyObject function in your cloud storage applications.

Terraform Provider Variables: A Complete Guide

Discover if using provider variables is possible in Terraform and explore alternative solutions for managing provider configurations effectively.

Create Azure AD App Registrations and Roles with Bicep

Learn how to automate Microsoft Entra app registration and role creation using Bicep or ARM templates for streamlined identity and access management in Azure.