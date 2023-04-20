



Terraform is an open source infrastructure as code tool and is widely used to manage Google cloud resources. Resources can be defined as human-readable configuration files that can be versioned, reused, and shared, making IAC flexible, portable, and easy to collaborate with. Developer. Once you start using terraform to manage resources with roles such as owners, developers assigned editors can focus more on maintaining the syntax and structure of Terraform configuration files. The higher the assigned permissions, the less likely you’ll run into IAM permissions issues.

This blog post outlines different ways to impersonate a Google cloud service account using terraform. With service account impersonation, the administrator does not need to generate service account keys, but permissions are maintained through her IAM with the Service Account Token Creator role. As such, administrators do not need to implement the service account key management process, key rotation, creation, and deletion. This improves resource security by allowing user accounts to be granted permissions to specific service accounts using the principle of least privilege. Improved access management and access security because user credentials are not used to grant Google Cloud Service Authorization.

Terraform code should run under the principle of least privilege to accommodate security best practices when using IAM. Instead of restricting user access privileges per Terraform code, he can use a service account to run his Terraform code. A service account is a special kind of Google account that various resources such as virtual machines use to access APIs and services. Applications can use non-human user service accounts to authenticate and authorize access to data in Google APIs.

Service account authentication can be done by generating service account keys, but this approach allows you to rotate and maintain keys regularly, add API key restrictions, and reduce the impact of compromised keys. should be avoided. This is a security drawback of this approach. A user with the key can authenticate with the service account.

Another way to achieve this is to use service account impersonation. This eliminates the need for the user to access the service account’s keys and requires her IAM permissions to authorize use of the service account. This reduces the permissions required for the user her account. When a user no longer needs access to a service account, simply remove her ID for that user from the service account he resource in Google Cloud IAM.

Permissions required to impersonate a service account

Below are the permissions required for a user account to impersonate a service account.

Service Account User (roles/iam.serviceAccountUser): This role allows the principal to access resources that the service account can access. However, this role denies principals from creating short-lived credentials for service accounts or from using the impersonate-service-account flag to the Google Cloud CLI.

Service Account Token Creator (roles/iam.serviceAccountTokenCreator): This role allows principals to create credentials (OAuth 2.0 access tokens, OpenID Connect (OIDC) ID tokens, signed JSON Web Tokens (JWT), and binary blobs) for services You can impersonate your account.

How to impersonate a service account to run Terraform code

The first way to impersonate a service account is to set the GOOGLE_IMPERSONATE_SERVICE_ACCOUNT environment variable to the service account’s email.

For example:

export [email protected]@iam.gserviceaccount.com This will impersonate the service account and use the service account credentials after running the Terraform code. Limitations of the approach of setting environment variables every time you restart the terminal and using a single account for complete Terraform code.

