How to Create a Service Account for Terraform in GCP (Google Cloud Platform)
Before we start deploying our Terraform code for GCP (Google Cloud Platform), we will need to create and configure a Service Account in the Google Console.
In this example, we will create a master Service Account with permissions at Organization-level and Project-level.
- Organization-level permissions are required to create resources at the Organization level, for example, Folders and Projects.
- Project-level permissions are required to create resources at the project level, for example, Google Storage Accounts or VM instances.
Note: for demo purposes, we will create a Service Account with many permissions; feel free to add or remove permissions to adapt it to your environment.
1. So, What is a Service Account?
A Service Account is a special kind of account used by an application (Terraform in this case) to make authorized API calls.
A Service Account is identified by its email address, which is unique to the account.
Two important differences between Service Accounts and User Accounts:
- Service Accounts don’t have passwords, and cannot log in via browsers.
- Service Accounts are associated with private/public RSA key-pairs that are used for authentication to Google.
We will need a Project to create our Service Account; if we already have a Project, jump to point 5.
Also, an Organization resource is a prerequisite for using Folders or other resources at the Organization level. If we don’t need resources at the Organization level, we can skip point 3.
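The same bootstrap done from the command line with gcloud, as an added example (not the article's console steps); the project id, organization id, service account name and the roles bound are placeholder assumptions to adapt to your environment:

```shell
#!/usr/bin/env bash
# Added example: bootstrap a Terraform service account with gcloud.
# PROJECT_ID, ORG_ID, SA_NAME and the roles below are placeholders (assumptions),
# not values from the article; narrow the roles to what your Terraform code needs.
set -euo pipefail

PROJECT_ID="${PROJECT_ID:-my-terraform-project}"   # placeholder
ORG_ID="${ORG_ID:-123456789012}"                   # placeholder
SA_NAME="${SA_NAME:-terraform}"
KEY_FILE="${KEY_FILE:-terraform-sa-key.json}"

# Service account ids must be 6-30 characters: lowercase letters, digits and
# hyphens, starting with a letter.
validate_sa_id() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{5,29}$'
}

# A service account is identified by its email: <id>@<project>.iam.gserviceaccount.com
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"
}

create_terraform_sa() {
  local email
  validate_sa_id "$SA_NAME" || { echo "invalid service account id: $SA_NAME" >&2; return 1; }
  email="$(sa_email "$SA_NAME" "$PROJECT_ID")"

  gcloud iam service-accounts create "$SA_NAME" \
    --project="$PROJECT_ID" --display-name="Terraform"

  # Project-level permissions (example role; scope it down for your environment)
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:${email}" --role="roles/editor"

  # Organization-level permissions, needed to create Folders and Projects
  for role in roles/resourcemanager.folderCreator roles/resourcemanager.projectCreator; do
    gcloud organizations add-iam-policy-binding "$ORG_ID" \
      --member="serviceAccount:${email}" --role="$role"
  done

  # Download the private key Terraform authenticates with; keep it out of version control
  gcloud iam service-accounts keys create "$KEY_FILE" \
    --iam-account="$email" --project="$PROJECT_ID"
  chmod 600 "$KEY_FILE"
  echo "export GOOGLE_APPLICATION_CREDENTIALS=$PWD/$KEY_FILE"
}

# Only call gcloud when explicitly asked, so the helpers can be sourced on their own.
if [ "${1:-}" = "--apply" ]; then create_terraform_sa; fi
```

Run it as `./bootstrap-sa.sh --apply` after `gcloud auth login` with an account that can grant roles on both the project and the organization.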
3. Creating an Organization (optional)
We open our console; just below the hamburger icon on the top left, we will see our organization name. If we have an organization, jump to the next step.
If we don’t have an organization, the console will show "No organization" instead, and we will need to create one.