



Storing long-lived service account keys in HCP Terraform poses a significant security risk. If these account keys were compromised, an attacker could gain access to her Google Cloud environment. Not only is key compromise a risk, but many organizations have policies that block the creation of such keys. Fortunately, you can often authenticate using a more secure alternative to service account keys. One such alternative is Workload Identity Federation. It uses identity and access management (IAM) to give external identities (such as HCP Terraform) the ability to impersonate service accounts.

HCP Terraforms' dynamic provider credentials allow Terraform executions to impersonate service accounts through native OpenID Connect (OIDC) integration and obtain short-lived OAuth 2.0 access tokens for each execution. This short-lived access token allows you to call Google Cloud APIs that your service account can access at runtime, making HCP Terraform more secure to run.

HashiCorp Terraform allows you to create a Google Cloud Workload Identity pool and provider that HCP Terraform uses to request federation tokens. This token is passed to the Google Terraform provider to impersonate the service account and obtain temporary credentials to plan or apply Terraform.

The diagram above shows the authentication sequence for accessing Google Cloud using dynamic provider credentials and Workload Identity federation.

The following is an example of configuring Workload Identity federation in Google Cloud. This approach assumes that you have an existing method for authenticating with your Google Cloud project. If not, you can create a temporary service account as described below.

Set up a Workload Identity pool and provider

First, create a temporary service account with a JSON key. Securely store this key within an HCP Terraform workspace variable to allow temporary access to your Google Cloud project. This less secure access method is used only for initial setup. After migrating to Workload Identity federation, remember to remove the temporary service account key using the steps below.

To configure the HCP Terraform pool and provider for Workload Identity federation, update the local google_project_id and organization_name values ​​in the locals{} block.

locals { google_project_id = “example-project” Organization_name = “example-org”} # Create a Workload Identity pool for HCP Terraformresource “google_iam_workload_identity_pool” “hcp_tf” { project = local.google_project_id workload_identity_pool_id = “hcp-tf-pool” display_name = ” HCP Terraform pool” description = “Used to authenticate to Google Cloud”} # Create a Workload Identity pool provider for HCP Terraform resource “google_iam_workload_identity_pool_provider” “hcp_tf” { project = local.google_project_id workload_identity_pool_id = google_iam_workload_identity_pool.hcp_tf. workload_identity_pool_id er_id = “hcp-tf -provider” display_name = “HCP Terraform Provider” description = “Used to authenticate to Google Cloud”attribute_condition = “assertion.terraform_organization_name==\”${local.organization_name}\””attribute_mapping = { “google.subject” = “assertion .sub” “attribute.terraform_workspace_id” = “assertion.terraform_workspace_id” “attribute.terraform_full_workspace” = “assertion.terraform_full_workspace” } oidc { issuer_uri = “https://app.terraform.io ” }}

Once the HCP Terraform pool and provider are created, create a service account for HCP Terraform to impersonate at runtime.

# Example of a service account that HCP Terraform impersonates resource “google_service_account” “example” { account_id = “example” display_name = “Service Account for HCP Terraform” project = local.google_project_id} # IAM validates the HCP Terraform workspace ID. and then allow impersonation access. “example” Service Account Resource “google_service_account_iam_member” “example_workload_identity_user” { service_account_id = google_service_account.example.name role = “roles/iam.workloadIdentityUser” member = “principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.hcp_tf.name} / attribute.terraform_workspace_id/ws-ZZZZZZZZZZZZZZZ”} # Grant “example” service account permission to create bucket resource “google_project_iam_member” “example_storage_admin” { member = “serviceAccount:${google_service_account.example.email}” role = ” roles/storage.admin ” project = local.google_project_id} Delegating access to another workspace

For improved security and scalability, consider using a separate HCP Terraform workspace to set up and configure Workload Identity federation. From this workspace, you can use HCP Terraform variable sets to share service accounts and identity federation configurations to securely delegate access to Google Cloud from one workspace to another.

Below is an example configuration to create a variable set and share it with another HCP Terraform workspace.

# Create a variable set to store the Workload Identity federation configuration for the “example” service account resource “tfe_variable_set” “example” { name = google_service_account.example.account_id description = “Workload Identity federation for ${google_service_account.example.name} Configuration” Organization = local.organization_name} # Share a variable set with another HCP Terraform Workspaceresource “tfe_workspace_variable_set” “example” { variable_set_id = tfe_variable_set.example.id workspace_id = “ws-XXXXXXXXXXXXXX”}

Create the following required environment variables and associate them with the variable set. HCP Terraform uses these to obtain short-lived OAuth 2.0 access tokens. You can use it to impersonate a service account at runtime and call Google Cloud APIs that the service account has access to.

resource “tfe_variable” “example_provider_auth” { key = “TFC_GCP_PROVIDER_AUTH” value = “true” category = “env” variable_set_id = tfe_variable_set.example.id} resource “tfe_variable” “example_service_account_email” {sensitive = true key = “TFC_GCP_RUN_SERVICE_ACCOUNT_EMAIL” value = Account .example.email category = “env” variable_set_id = tfe_variable_set.example.id} resource “tfe_variable” “example_provider_name” {sensitive = true key = “TFC_GCP_WORKLOAD_PROVIDER_NAME” value = google_iam_workload_identity_pool_provider.hcp_tf.name category = “env” variable_set_id = tfe_variable_ set. example .id}Using Workload Identity Federation

When using Workload Identity federation, you don't need to define anything within the provider itself. Sharing a set of variables, including your service account and identity federation configuration, with another HCP Terraform workspace allows you to automatically access Google Cloud within the shared workspace.

HCP Terraform accomplishes this by impersonating the service account at runtime using environment variables from the shared variable set. This approach allows you to safely extend access management within HCP Terraform by delegating access from one workspace to another while limiting Google Cloud access to exactly what the service account needs. Masu.

Using the service account you created earlier (assigned only to the Cloud Storage Administrator role), you can immediately create buckets in your shared workspace without configuring anything else.

resource “google_storage_bucket” “example” { name = “example” location = “EU” project = example-project}Workload Identity federation details

If you want to learn more about keyless Google Cloud access from HCP Terraform, check out the Dynamic Provider Credentials and Workload Identity Federation documentation. All code used in this post can be found in the keyless-auth-gcp-hcp-terraform repository on GitHub.

