GCP Authentication

To deploy infrastructure on Google Cloud Platform (GCP) using Terraform, you must authenticate Terraform to your GCP project. This guide covers real-life scenarios for local development, CI/CD pipelines, and multi-project setups, with best practices for security and automation.

1. Local Development: gcloud CLI & Application Default Credentials

The recommended way to authenticate locally is to use the Google Cloud SDK (gcloud).

gcloud auth application-default login

This command creates an Application Default Credentials (ADC) file at ~/.config/gcloud/application_default_credentials.json.

Provider block example:

provider "google" {
  project = var.gcp_project
  region  = var.gcp_region
}

Terraform will automatically use ADC if no credentials are specified.

Best Practice: Use named configurations for multiple projects:

gcloud config configurations create dev
# Set project, region, etc.
gcloud config set project my-dev-project
gcloud config set compute/region us-central1
gcloud config configurations activate dev

2. Service Account Key File (for CI/CD and Automation)

For automation (GitHub Actions, GitLab CI, Azure Pipelines), use a GCP Service Account with the required IAM roles. Download its JSON key and store it securely (never commit to code).

Set the environment variable:

export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account.json"

Provider block example:

provider "google" {
  credentials = file(var.gcp_credentials_file)
  project     = var.gcp_project
  region      = var.gcp_region
}

GitHub Actions Example:

jobs:
  terraform:
    runs-on: ubuntu-latest
    env:
      GOOGLE_APPLICATION_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS }}
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - name: Write GCP credentials
        run: echo "$GOOGLE_APPLICATION_CREDENTIALS" > /tmp/account.json
      - run: export GOOGLE_APPLICATION_CREDENTIALS=/tmp/account.json && terraform init
      - run: export GOOGLE_APPLICATION_CREDENTIALS=/tmp/account.json && terraform apply -auto-approve

GitLab CI Example:

variables:
  GOOGLE_APPLICATION_CREDENTIALS: /tmp/account.json

before_script:
  - echo "$GCP_CREDENTIALS" > /tmp/account.json

stages:
  - apply

apply:
  stage: apply
  image: hashicorp/terraform:1.7.5
  script:
    - terraform init
    - terraform apply -auto-approve

3. Workload Identity Federation (OIDC for CI/CD)

Configure a Workload Identity Pool and Provider in GCP.
Grant the pool access to the required GCP resources.
Use OIDC tokens from GitHub Actions, GitLab, or Azure DevOps to authenticate.

GitHub Actions Example:

jobs:
  terraform:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
          service_account: 'terraform-ci@my-project.iam.gserviceaccount.com'
      - uses: hashicorp/setup-terraform@v3
      - run: terraform init
      - run: terraform apply -auto-approve

4. NixOS: Declarative GCP Credentials

Add credentials as environment variables in your NixOS configuration:

# configuration.nix
{
  environment.variables = {
    GOOGLE_APPLICATION_CREDENTIALS = "/etc/nixos/gcp-service-account.json";
  };
}

Best Practices

Use Workload Identity Federation (OIDC) for CI/CD pipelines (no static keys)
Store service account keys in secret managers (never in code)
Grant least privilege IAM roles to service accounts
Rotate and audit service account keys regularly
Use named gcloud configurations for multi-project workflows
Never use user credentials in automation

References

Tip: For secure, auditable, and cloud-native deployments, prefer OIDC-based authentication for CI/CD and never commit service account keys to your repository.

- [Authenticating Terraform with GCP](pages/terraform/gcp/gpc_auth_terraform.md)

PreviousGCP Scenarios NextTesting and Validation

Last updated 19 days ago

GCP Authentication

1. Local Development: gcloud CLI & Application Default Credentials

The recommended way to authenticate locally is to use the Google Cloud SDK (gcloud).

gcloud auth application-default login

This command creates an Application Default Credentials (ADC) file at ~/.config/gcloud/application_default_credentials.json.

Provider block example:

provider "google" {
  project = var.gcp_project
  region  = var.gcp_region
}

Terraform will automatically use ADC if no credentials are specified.

Best Practice: Use named configurations for multiple projects:

gcloud config configurations create dev
# Set project, region, etc.
gcloud config set project my-dev-project
gcloud config set compute/region us-central1
gcloud config configurations activate dev

2. Service Account Key File (for CI/CD and Automation)

For automation (GitHub Actions, GitLab CI, Azure Pipelines), use a GCP Service Account with the required IAM roles. Download its JSON key and store it securely (never commit to code).

Set the environment variable:

export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account.json"

Provider block example:

provider "google" {
  credentials = file(var.gcp_credentials_file)
  project     = var.gcp_project
  region      = var.gcp_region
}

GitHub Actions Example:

jobs:
  terraform:
    runs-on: ubuntu-latest
    env:
      GOOGLE_APPLICATION_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS }}
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - name: Write GCP credentials
        run: echo "$GOOGLE_APPLICATION_CREDENTIALS" > /tmp/account.json
      - run: export GOOGLE_APPLICATION_CREDENTIALS=/tmp/account.json && terraform init
      - run: export GOOGLE_APPLICATION_CREDENTIALS=/tmp/account.json && terraform apply -auto-approve

GitLab CI Example:

variables:
  GOOGLE_APPLICATION_CREDENTIALS: /tmp/account.json

before_script:
  - echo "$GCP_CREDENTIALS" > /tmp/account.json

stages:
  - apply

apply:
  stage: apply
  image: hashicorp/terraform:1.7.5
  script:
    - terraform init
    - terraform apply -auto-approve

3. Workload Identity Federation (OIDC for CI/CD)

For passwordless, keyless authentication in CI/CD, use . This is the most secure and recommended approach for production pipelines.

Configure a Workload Identity Pool and Provider in GCP.
Grant the pool access to the required GCP resources.
Use OIDC tokens from GitHub Actions, GitLab, or Azure DevOps to authenticate.

GitHub Actions Example:

jobs:
  terraform:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
          service_account: 'terraform-ci@my-project.iam.gserviceaccount.com'
      - uses: hashicorp/setup-terraform@v3
      - run: terraform init
      - run: terraform apply -auto-approve

4. NixOS: Declarative GCP Credentials

Add credentials as environment variables in your NixOS configuration:

# configuration.nix
{
  environment.variables = {
    GOOGLE_APPLICATION_CREDENTIALS = "/etc/nixos/gcp-service-account.json";
  };
}

Or use for encrypted secrets.

Best Practices

Use Workload Identity Federation (OIDC) for CI/CD pipelines (no static keys)
Store service account keys in secret managers (never in code)
Grant least privilege IAM roles to service accounts
Rotate and audit service account keys regularly
Use named gcloud configurations for multi-project workflows
Never use user credentials in automation

References

Tip: For secure, auditable, and cloud-native deployments, prefer OIDC-based authentication for CI/CD and never commit service account keys to your repository.

- [Authenticating Terraform with GCP](pages/terraform/gcp/gpc_auth_terraform.md)

PreviousGCP Scenarios NextTesting and Validation

Last updated 19 days ago