How do I pass GCP Service Account key.json contents into Terraform Cloud without committing it in VCS?

Question

According to the Google Provider documentation, the service account key should be supplied to Terraform using the environment variable GOOGLE_CLOUD_KEYFILE_JSON. When using Terraform Cloud, this is an issue for me as it means storing the service account key in the repository and using the environment variable to set the path to the key file.

I would like to pass the service account key contents to the provider using either a Terraform variable or an environment variable but I haven't been able to locate the documentation for this. How do I go about this?

Where are you running Terraform? If on a GCP GCE VM, you can use ADC (Application Default Credentials) that are loading the GCP VM Default Service Account. https://www.terraform.io/docs/providers/google/guides/provider_reference.html Look for `If you're running Terraform from a GCE instance, default credentials are automatically available. ` in the link. If you are not running on a GCE VM, then you will need to manually specify the JSON file or JSON contents. Same link applies. — John Hanley, Dec 21 '19 at 23:35
@JohnHanley Running in terraform cloud. The options mentioned imply I have to commit Service Account key or ADC into VCS and I don't want to do that. — Shawlz, Dec 22 '19 at 03:43

James Woolfenden · Accepted Answer · 2019-12-22T10:51:22.230

11

It's been a while since it set it up, but you can set the whole content of the file to be an environment variable GOOGLE_CLOUD_KEYFILE_JSON and it works. Make sure you set it as sensitive. You have to take all the new lines out of the file to make it work.

edited Dec 22 '19 at 10:51

answered Dec 22 '19 at 10:44

James Woolfenden

6,498
33
53

Oleg Butuzov · Answer 2 · 2019-12-22T10:02:52.433

1

var.ACCOUNT_JSON is path to account json file, which you can leave outside git repository.

variable "ACCOUNT_JSON" {}
variable "PROJECT_ID" {}


provider "google" {
  credentials = file(var.ACCOUNT_JSON)
  project     = var.PROJECT_ID
}

You can perform export TF_VAR_ACCOUNT_JSON=../accoutn.json, in this case this command wouldn't be stored in history, and ACCOUTN_JSON will be available for you to be used in terraform.

edited Dec 22 '19 at 10:02

answered Dec 22 '19 at 09:57

Oleg Butuzov

4,795
2
24
33

3

Terraform Cloud doesn’t support this except account.json is in VCS which is what I want to avoid. – Shawlz Dec 22 '19 at 10:38
thanks, i haven't worked with terraform cloud before, and thought it's a same thing! – Oleg Butuzov Dec 22 '19 at 12:26

How do I pass GCP Service Account key.json contents into Terraform Cloud without committing it in VCS?

2 Answers2

Linked