
I have multiple GCP accounts for multiple clients and I handle their infrastructure using Terraform.

To change between different projects/GCP accounts, I use the gcloud config configurations activate <configuration name> command, which works great for using the CLI manually.

However, when using Terraform, you must use an application-default account, saved to ~/.config/gcloud/application_default_credentials.json and NOT attached to a configuration.

So when I switch configurations, I also have to log in to the associated application-default account manually, which is quite cumbersome.

My current solution is to log in first, then manually save the .json credentials to an explicit path ~/.config/gcloud/<configuration name>/application_default_credentials.json. I then have GOOGLE_APPLICATION_CREDENTIALS set to this path in my Terraform commands in a Makefile.

Not ideal, but it allows me to just switch configurations using the CLI and not have to use the web login flow again to set the ADC.

Is there a better way to do this? Can I attach the ADC creds to a configuration and have gcloud manage it for me?

  • It's incorrect to say that "when using Terraform, you must use application-default account, saved to ...". Although this statement is reflected in Terraform's documentation, the truth is that you can use ADC and one way to use ADC is to use ADC configured to use your user credentials using gcloud auth application-default login. See Application Default Credentials. Commented Aug 18, 2024 at 18:01
  • There are other ways to provide credentials to ADC including using attached Service Accounts when running on Google's compute services (e.g. Compute Engine) and using Workload Identity Federation which may be worth pursuing. Commented Aug 18, 2024 at 18:03
  • An alternative is to use suitably permitted Service Accounts for each of your tenants. Once you run gcloud auth activate-service-account (the key can then be deleted), the Service Account appears in gcloud auth list, will be the account reported by gcloud config get account and should be part of the gcloud configuration. I'm not going to recommend this solution though and provide it for completeness. You would need to determine whether a compromised Service Account is less|more powerful than a compromised user account (which is what happens if someone steals application-default-credentials.json). Commented Aug 18, 2024 at 18:07
  • Personally, I dislike gcloud configurations because they change your host's global gcloud state (you switch to an existing shell thinking you're using one set of credentials and realize you're not when you accidentally delete the world). Switching configurations and user account ADCs isn't onerous. You could consider extending gcloud (it's Python) to encompass both steps in one. I think you'd be better scripting a solution that is more explicit in its behavior, changes only the current (!) context and changes the terminal background to uniquely identify the tenant. Commented Aug 18, 2024 at 18:10
  • I have no solution except local and dirty hack. But I'm happy to see that others are annoyed with this f.... limitation! Commented Aug 19, 2024 at 7:49
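A scripted version of the workflow the question describes (one ADC file per gcloud configuration, with GOOGLE_APPLICATION_CREDENTIALS pinned to it) that also takes up the fourth comment's suggestion of an explicit switch that only touches the current shell and colours the terminal per tenant. This is an added example, not code from the question or from any commenter; the function names, the colour palette and the use of the xterm OSC 11 escape are my choices, and it assumes gcloud auth application-default login writes its file to the default path quoted in the question (or under CLOUDSDK_CONFIG when that is set).

```shell
#!/bin/sh
# gcloud-tenant.sh (hypothetical name): switch the active gcloud configuration AND
# pin GOOGLE_APPLICATION_CREDENTIALS to a per-configuration ADC file, so one command
# replaces "gcloud config configurations activate" plus the manual ADC login/move.
# Source it so the exports land in the current shell only:
#   . ./gcloud-tenant.sh && use_tenant client-a

# gcloud's config directory (honours CLOUDSDK_CONFIG, else the default from the question)
GCLOUD_CFG_DIR="${CLOUDSDK_CONFIG:-$HOME/.config/gcloud}"

# Where "gcloud auth application-default login" writes the ADC file by default
# (assumption: the path quoted in the question).
DEFAULT_ADC="$GCLOUD_CFG_DIR/application_default_credentials.json"

# Pure helper: the per-configuration ADC path used by the question's layout.
adc_path_for() {
    printf '%s/%s/application_default_credentials.json\n' "$GCLOUD_CFG_DIR" "$1"
}

# Pure helper: only accept names that are safe to embed in a path
# (letters, digits, '-' and '_' only; rejects '/', '..', spaces and the empty string).
valid_config_name() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Pure helper: a deterministic dark background colour per tenant (constructed palette).
tenant_color() {
    set -- $(printf '%s' "$1" | cksum)   # $1 becomes the POSIX CRC of the name
    case $(( $1 % 4 )) in
        0) printf '#1f2a44\n' ;;   # navy
        1) printf '#2e1f3d\n' ;;   # purple
        2) printf '#1f3d2e\n' ;;   # green
        *) printf '#3d2a1f\n' ;;   # brown
    esac
}

use_tenant() {
    cfg="$1"
    valid_config_name "$cfg" || { echo "use_tenant: bad configuration name '$cfg'" >&2; return 1; }
    adc="$(adc_path_for "$cfg")"

    # 1. Switch the CLI configuration. This is the host-global state the fourth
    #    comment warns about, so step 4 makes it visible in every shell that ran this.
    gcloud config configurations activate "$cfg" >/dev/null || return 1

    # 2. Create this tenant's ADC file only when it does not exist yet: the
    #    "log in first, then save the .json to an explicit path" step from the question.
    if [ ! -f "$adc" ]; then
        mkdir -p "$(dirname "$adc")"
        gcloud auth application-default login || return 1
        mv "$DEFAULT_ADC" "$adc" || return 1
    fi
    chmod 600 "$adc"   # the file is a bearer credential for your user account

    # 3. Pin ADC for Terraform / the Makefile in this shell only.
    GOOGLE_APPLICATION_CREDENTIALS="$adc"
    export GOOGLE_APPLICATION_CREDENTIALS

    # 4. Make the tenant unmistakable: prompt prefix plus OSC 11 background colour
    #    (xterm-compatible terminals; others ignore the escape).
    PS1="[gcp:$cfg] $PS1"
    printf '\033]11;%s\007' "$(tenant_color "$cfg")"
    echo "active configuration: $cfg; ADC: $adc"
}
```

Because the exports only exist in the shell that sourced the script, a second terminal that never ran use_tenant keeps whatever GOOGLE_APPLICATION_CREDENTIALS it had, and the prompt prefix tells you at a glance which tenant a given shell is pointed at. The one thing this cannot fix is that gcloud config configurations activate is still global, which is exactly the caveat the fourth comment raises.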
