
Asking the community if it's possible to do the following (had no luck in finding further information).

I created a CI/CD pipeline with GitHub/Cloud Build/Terraform. I have Cloud Build build the Terraform configuration upon a GitHub pull request and merge to a new branch. However, I have the Cloud Build service account (default) used with least privilege. My question is: I would like Terraform to pull permissions from an existing service account with least privilege to prevent any exploits, etc., once Cloud Build gets the build trigger to init the Terraform configuration. At this time, i.e. Terraform will use an existing external SA to obtain the permissions to build the TF. I tried to use a service account and bind roles to that service account, but an error happens that states the service account already exists. The next step is for me to use a module, but I think this is also going to create a new SA with replicated roles. If this is confusing I do apologize; I will help in refining the question to be more concise.

  • Not sure I clearly understand. Do you want to handle a service account not created by Terraform? Do you have an example to illustrate your case? Commented Feb 15, 2020 at 8:56
  • Yes, I do want to handle the authoritative service account for the Terraform build process, to be imported or exported from the GCP IAM project by which it is being provisioned. Commented Feb 18, 2020 at 19:06
  • Just for clarifying. 1) Where do you run your Terraform? On Cloud Build? On a VM? 2) I understood that you don't want to reuse the Cloud Build SA. Why? Do you prefer to use a temporary SA created only for Terraform? Commented Feb 18, 2020 at 19:51
  • Yes, I execute Terraform from Cloud Build. I am seeing if it's possible to use a less privileged service account as a substitute for the Cloud Build default service account. I think I could configure Cloud Build to use such an account, but I'm researching if it is possible at the Terraform level. @guillaume blaquiere Commented Feb 18, 2020 at 23:10

1 Answer


You have 2 solutions:

  1. Use the Cloud Build service account when you execute your Terraform. Your provider looks like this:

    provider "google" {
    //  Useless with Cloud Build
    //  credentials = file("${var.CREDENTIAL_FILE}")
      project = var.PROJECT_ID
      region = "europe-west1"
    }

But this solution implies granting several roles to Cloud Build only for the Terraform process. A custom role is a good choice for granting only what is required.

  2. The second solution is to use a service account key file. Here again, 2 solutions:

    • Cloud Build creates the service account, grants all the roles on it, generates a key and passes it to Terraform. After the Terraform execution, the service account is deleted by Cloud Build. Good solution, but you have to grant the Cloud Build service account the capability to grant itself any role and to generate a JSON key file. That's a lot of responsibility!
    • Use an existing service account and the key generated on it. But you have to secure the key and rotate it regularly. I recommend that you securely store it in Secret Manager, but for the rotation, you have to manage it yourself, today. With this process, Cloud Build downloads the key (from Secret Manager) and passes it to Terraform. Here again, the Cloud Build service account has the right to access secrets, which is a critical privilege. The step in Cloud Build is something like this:

    steps:
      - name: gcr.io/cloud-builders/gcloud:latest
        entrypoint: "bash"
        args:
          - "-c"
          - |
            gcloud beta secrets versions access --secret=test-secret latest > my-secret-file.txt

7 Comments

Tested, and it works the way I was seeking. Thank you.
Just food for thought: would it be possible to add a service account to be used instead of user credentials? Meaning, in Cloud Build, gcloud config set account {name of service account} for Cloud Build to pull the custom roles and permissions to be used?
Do you want to use a custom service account for Cloud Build instead of using the default one?
Yes, that is correct. I was looking at the gcloud --impersonate-service-account but I'll need to test more. I'm seeing if there's more than one way to do this.
Thank you for your rapid response over the week and your expertise. It was very much appreciated during this process.
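A third route, which is what the question and the last comments are circling around (run Terraform with the permissions of an existing, narrowly scoped service account without ever handling a key file), is service account impersonation. The Cloud Build service account keeps only one extra right, roles/iam.serviceAccountTokenCreator on the target account, and the Terraform google provider is pointed at that account through the GOOGLE_IMPERSONATE_SERVICE_ACCOUNT environment variable it reads natively; the provider then exchanges the build's own credentials for a short-lived token of the impersonated account, so no key is created, stored or rotated. This is an added example, not code from the question or the answer above; the service account name terraform-deployer, the project id my-project, the substitution _TF_SA and the Terraform image tag are assumptions, and the TF_VAR_PROJECT_ID variable is only there to feed the var.PROJECT_ID used by the answer's provider block.

```yaml
# cloudbuild.yaml (added example; the names below are assumptions)
#
# One-time prerequisites, done outside this build by a project admin:
#   - terraform-deployer@my-project.iam.gserviceaccount.com exists and holds
#     only the roles the Terraform configuration actually needs
#   - the Cloud Build service account holds roles/iam.serviceAccountTokenCreator
#     on terraform-deployer, and nothing broader: it can mint short-lived tokens
#     for that account but cannot create keys, read secrets or grant roles
#
# No step here downloads a key file. The provider obtains an access token for
# the impersonated account through the IAM Credentials API, and that token
# expires by itself, so there is nothing left in the workspace or in logs.
substitutions:
  _TF_SA: terraform-deployer@my-project.iam.gserviceaccount.com
  _TF_VERSION: "1.5.7"

steps:
  - id: terraform-init
    name: hashicorp/terraform:${_TF_VERSION}
    env:
      - TF_VAR_PROJECT_ID=$PROJECT_ID
      - GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=${_TF_SA}
    args: ["init", "-input=false"]

  - id: terraform-plan
    name: hashicorp/terraform:${_TF_VERSION}
    env:
      - TF_VAR_PROJECT_ID=$PROJECT_ID
      - GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=${_TF_SA}
    args: ["plan", "-input=false", "-out=tfplan"]

  # Splitting plan and apply keeps the reviewed plan file as the only thing
  # apply will act on, so a merge cannot apply more than what was planned.
  - id: terraform-apply
    name: hashicorp/terraform:${_TF_VERSION}
    env:
      - TF_VAR_PROJECT_ID=$PROJECT_ID
      - GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=${_TF_SA}
    args: ["apply", "-input=false", "tfplan"]
```

Two caveats worth checking before relying on this: the provider block from the answer above needs no credentials line at all for this to work, since the build's default credentials come from the metadata server and the impersonation is layered on top; and if the state lives in a GCS backend, the backend authenticates separately from the provider, so it needs its own impersonate_service_account setting (or the GOOGLE_BACKEND_IMPERSONATE_SERVICE_ACCOUNT variable) to use the same account. A gcloud step in the same build can be given the same scope with the --impersonate-service-account flag mentioned in the comments, and the token-creator grant is what every impersonation attempt shows up against in Cloud Audit Logs, which makes it a convenient thing to alert on if it is exercised outside a build.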
