Google Cloud Platform Authentication Methods with Terraform

Method 1 – User Application Default Credentials (“ADCs”)

Application Default Credentials (ADC) provide a method to get credentials used in calling Google APIs. The gcloud auth application-default command group allows you to manage active credentials on your machine that are used for local application development.
These credentials are only used by Google client libraries in your own application.

To use your own user credentials for your application to access an API, run the command below. It will take you through a web flow to acquire new user credentials.


$ gcloud auth application-default login

Method 2 – Running Terraform on Google Cloud

If you are running Terraform in a machine on Google Cloud, you can configure that instance or cluster to use a Google Service Account. This allows Terraform to authenticate to Google Cloud without a separate credential/authentication file. Ensure that the scope of the VM/Cluster is set to or includes https://www.googleapis.com/auth/cloud-platform.

Method 3 – Running Terraform Outside of Google Cloud – OIDC based federation

If you are running Terraform outside of Google Cloud, generate an external credential configuration file (example for OIDC based federation) or a service account key file and set the “GOOGLE_APPLICATION_CREDENTIALS” environment variable to the path of the JSON file. Terraform will use that file for authentication. Terraform supports the full range of authentication options documented for Google Cloud.

To create a service account and have your application use it for API access, run:


$ gcloud iam service-accounts create my-account
$ gcloud iam service-accounts keys create key.json --iam-account=my-account@my-project.iam.gserviceaccount.com
$ export GOOGLE_APPLICATION_CREDENTIALS=key.json
# Remove the newline characters from your JSON key file and then paste the credentials into the environment variable value field. You can use the tr command to strip newline characters. 
$ cat key.json | tr -s '\n' ' '
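
As an added example (not part of the original post and not Google's or HashiCorp's own tooling), this Python check inspects the file that GOOGLE_APPLICATION_CREDENTIALS points to, reports which kind of credential it holds, and flags permissions that are too open. The function names and the sample file contents are assumptions constructed for illustration.

```python
import json
import os
import stat

# JSON "type" values found in Google credential files.
KINDS = {
    "authorized_user": "user ADC from 'gcloud auth application-default login'",
    "service_account": "service account key file (long-lived private key)",
    "external_account": "external credential configuration (federation)",
}

def audit_credentials_file(path):
    """Return (kind, findings) for a GOOGLE_APPLICATION_CREDENTIALS file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {mode:04o} lets group/other access it; use 0600")
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    kind = data.get("type", "unknown")
    if kind == "service_account" and "private_key" in data:
        findings.append("contains a private key: keep it out of version control and rotate it")
    if kind == "authorized_user" and "refresh_token" in data:
        findings.append("contains a user refresh token: intended for local development only")
    if kind not in KINDS:
        findings.append(f"unrecognised credential type {kind!r}")
    return kind, findings

def write_sample(directory, name, payload, mode):
    """Hypothetical helper: write a constructed sample file with given permissions."""
    path = os.path.join(directory, name)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(payload, fh)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed samples: all values are placeholders, not real credentials.
        key = write_sample(tmp, "key.json",
            {"type": "service_account", "private_key": "PLACEHOLDER"}, 0o644)
        fed = write_sample(tmp, "federation.json",
            {"type": "external_account", "audience": "PLACEHOLDER"}, 0o600)
        for p in (key, fed):
            kind, findings = audit_credentials_file(p)
            print(os.path.basename(p), "->", KINDS.get(kind, kind))
            for finding in findings:
                print("   !", finding)
```

To check a real setup, call audit_credentials_file(os.environ["GOOGLE_APPLICATION_CREDENTIALS"]) before running Terraform.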

Useful Commands


# Acquire new user credentials to use for Application Default Credentials.
$ gcloud auth application-default login

# Print an access token for your current Application Default Credentials.
$ gcloud auth application-default print-access-token

# Revoke previously generated Application Default Credentials.
$ gcloud auth application-default revoke

# Update or add a quota project in application default credentials (ADC).
$ gcloud auth application-default set-quota-project my-project

Rajesh Kumar