Running Terraform against Google Cloud in GitLab - Stack Overflow
I am trying to run terraform from a Gitlab pipeline job against my Google Cloud instance. I have authenticated Gitlab to Google Cloud with Federated Id and can impersonate a service account connected to my authenticated workload identity pool. This allows me to run gcloud cli commands without an issue.

However, when running terraform, it expects to use the Application Default Credentials or Google Application Credentials. I am impersonating a service account in a way that does not load it into these stored system credentials.

Is there a way to set the GOOGLE_APPLICATION_CREDENTIALS as the impersonated credentials?

I have tried to download the credential configuration file and load that into the system credentials, but it gives me an error. I do not know the expected value of the OIDC ID token path. The error:

```
oauth2/google: unable to generate access token: Post "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[MASKED]:generateAccessToken": oauth2/google/externalaccount: failed to open credential file "/tmp/oidc-token.txt"
```

Here is my .gitlab-ci.yml:
```yaml
deploy:
  stage: deploy
  image: google/cloud-sdk:latest
  identity: google_cloud
  variables:
    # $GCLOUD_SERVICE_ACCOUNT defined in group
    # $GCLOUD_CREDENTIAL_CONFIGURATION defined in group
  script:
    # install terraform
    - apt update && apt install -y wget gpg lsb-base lsb-release
    - wget -O - https://apt.releases.hashicorp.com/gpg | gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
    - echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/hashicorp.list
    - apt update && apt install -y terraform
    # impersonate gcloud service account
    - gcloud config set auth/impersonate_service_account $GCLOUD_SERVICE_ACCOUNT
    - gcloud storage ls gs://my-bucket # works fine
    # try to run terraform against google cloud
    - export GOOGLE_APPLICATION_CREDENTIALS=$GCLOUD_CREDENTIAL_CONFIGURATION # gives error shown above
    - terraform -chdir=infra init -input=false
    - terraform -chdir=infra plan -out=tfplan -input=false # permission failure due to wrong account
```
It's unclear to me if giving the necessary permissions directly to my federated identity principal would provide them at the application default level and allow terraform to function, but I would really prefer permissions be granted at the service account level because I feel like that's easier to manage long term.
asked yesterday by Galen Howlett

1 Answer

It does indeed seem like adding the IAM roles directly to the federated id principalSet will give the permissions necessary to the application default credentials. This doesn't really answer the question and provide a way to use the service user account to run terraform but it works.
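The "failed to open credential file" error above comes from the credential configuration pointing at a token file that the job never wrote. The following is an added example, not code from the question or the answer: it writes the job's OIDC JWT to that path, generates an `external_account` configuration that also carries a `service_account_impersonation_url` (so ADC-based tools such as terraform act as the service account rather than the raw federated principal), and checks the referenced file before `GOOGLE_APPLICATION_CREDENTIALS` is exported. The variable name `GITLAB_OIDC_TOKEN`, the audience string and the service account e-mail are assumptions/placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the question or answer). Assumes the GitLab job exposes
# its OIDC JWT in an environment variable (hypothetically GITLAB_OIDC_TOKEN).
set -eu

# Persist the OIDC JWT at the path credential_source.file points to.
# Fails (returns 1) on an empty token so the job stops before terraform does.
write_oidc_token() {
  token="$1"; path="$2"
  [ -n "$token" ] || return 1
  # The JWT is a bearer credential: create the file 0600 (subshell keeps umask local).
  ( umask 077; printf '%s' "$token" > "$path" )
}

# Build an external_account credential configuration that reads the JWT from
# $token_path and impersonates $sa_email via the IAM Credentials API.
write_cred_config() {
  audience="$1"; sa_email="$2"; token_path="$3"; out="$4"
  cat > "$out" <<EOF
{
  "type": "external_account",
  "audience": "$audience",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${sa_email}:generateAccessToken",
  "credential_source": {
    "file": "$token_path",
    "format": { "type": "text" }
  }
}
EOF
}

# Pre-flight check: the file named in credential_source.file must exist and be
# non-empty, otherwise the Google client library reports "failed to open credential file".
check_cred_config() {
  cfg="$1"
  src=$(sed -n 's/.*"file": *"\([^"]*\)".*/\1/p' "$cfg")
  [ -n "$src" ] && [ -s "$src" ]
}

# In the deploy job this would be used as (placeholder values):
#   write_oidc_token "$GITLAB_OIDC_TOKEN" /tmp/oidc-token.txt
#   write_cred_config "$WIF_AUDIENCE" "$GCLOUD_SERVICE_ACCOUNT" /tmp/oidc-token.txt /tmp/gcp-creds.json
#   check_cred_config /tmp/gcp-creds.json
#   export GOOGLE_APPLICATION_CREDENTIALS=/tmp/gcp-creds.json
```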