
I have downloaded the GCP service account key to my local system. In Terraform, I have set the GOOGLE_APPLICATION_CREDENTIALS as a path to this file in the startup-script part of my bastion instance. Below is a snippet:

    variable "credentials" {
      default = "C:/GCP/service-account-key.json"
    }

    . . . . . .

    metadata = {
      startup-script = <<SCRIPT
    export GOOGLE_APPLICATION_CREDENTIALS="${file("${var.credentials}")}"
    SCRIPT
    }

Later I wrote a #!/bin/bash script to store these credentials in another file, as below:

    #!/bin/bash

    # Pass the value as an argument, not as the format string, so a '%' or
    # backslash in the key cannot be interpreted by printf.
    printf '%s' "$GOOGLE_APPLICATION_CREDENTIALS" > /home/ubuntu/credentials

But when I open the above credentials file, the file is truncated as below and the entire key is missing:

    {
      type: service_account,
      project_id: acn-devopsgcp,
      private_key_id: xxxxx,
      private_key: -----BEGIN

Can someone please let me know why the service account key is not being exported properly to the file, or whether there is anything that needs to be corrected?

2 Answers

If this bastion instance is a Google Cloud Compute Engine (GCE) instance, you do not need to pass JSON keys to the VM.

You should use the service account which the GCE instance runs as - any tool which uses the GCP API/SDK (e.g. gsutil or gcloud) will use this service account by default if no credentials are provided using environment variables.

Each GCP project is provisioned with a "default compute" service account, or you can create one specifically for the instance in question with Terraform and grant permissions as necessary via IAM.


Specifically answering your question, however, your key is not being deployed due to nested double quotes. Your JSON key contains double quotes, which if not escaped will terminate the quote starting the string.

If you have to use the JSON key file, I would deploy it to the VM as a file, then read the file in the startup script:

    #!/bin/bash

    # Quoted delimiter: the shell expands nothing inside the key material.
    # Terraform has already substituted the file contents before the script
    # reaches the VM.
    cat <<'EOF' > /etc/gce_credentials.json
    ${file("${var.credentials}")}
    EOF
    # Key material should not be world-readable.
    chmod 600 /etc/gce_credentials.json

    export GOOGLE_APPLICATION_CREDENTIALS=$(cat /etc/gce_credentials.json)
Craig Watson
Yes, the bastion is a GCE instance and I have attached the service account to this instance already (I don't want to use the default account which GCP provides). So I agree that GCP will use this service account for validation. But, I basically want to create a secret file using these credentials for implementing velero for backup and recovery in my cluster (velero/heptio-ark requires the GCP service account key file to be provided). Hence I still need the credentials exported for my scenario, even though the bastion will work without passing the key file to it. Thanks – Meghana B Srinath Oct 03 '19 at 08:05
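The quoting failure from the question and the heredoc approach from the answer above, as an added example that is not code from the question, the answer or any project: `broken_export` reproduces what the shell does when a JSON key is spliced directly between double quotes, and `write_key_file` shows the heredoc written with a quoted delimiter, a 0600 file mode, and GOOGLE_APPLICATION_CREDENTIALS set to the file's path (which is what Google's client libraries expect, rather than the key contents). The JSON is a constructed dummy key with placeholder values, standing in for the text Terraform's file() interpolation would paste in; the function names, the temp-file path and the checks in `key_file_intact` are my own.

```shell
#!/bin/bash
# Added example, not from the question or the answer. The key written below is
# a constructed dummy with placeholder values; it stands in for the text that
# Terraform's file() interpolation pastes into the startup script.
set -eu

# The answer's heredoc approach, hardened: a quoted delimiter ('EOF') stops the
# shell from expanding anything inside the key, umask 077 in a subshell makes
# the file private from the moment it is created, and the variable is set to
# the path of the file, not to its contents.
write_key_file() {
  dest="$1"
  (
    umask 077
    cat <<'EOF' > "$dest"
{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "PLACEHOLDER_KEY_ID",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
  "client_email": "bastion@example-project.iam.gserviceaccount.com"
}
EOF
  )
  chmod 600 "$dest"   # in case the file already existed with a looser mode
  export GOOGLE_APPLICATION_CREDENTIALS="$dest"
}

# What the question's startup line becomes once Terraform has substituted the
# key: every double quote inside the JSON toggles shell quoting, so the value
# ends at the first unquoted space, the one in "BEGIN PRIVATE KEY". The later
# fragments reach export as extra (invalid) names; that stderr noise is dropped.
# Takes the path of a key file and prints the value the variable would receive.
broken_export() {
  local key
  key="$(cat "$1")"
  bash -c "export GOOGLE_APPLICATION_CREDENTIALS=\"${key}\"
printf '%s' \"\$GOOGLE_APPLICATION_CREDENTIALS\"" 2>/dev/null
}

# Checks a practitioner would run before handing the file to a tool: the path
# variable points at a private file whose JSON survived intact.
key_file_intact() {
  local f mode quotes
  f="$GOOGLE_APPLICATION_CREDENTIALS"
  [ -f "$f" ] || return 1
  mode="$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")"
  [ "$mode" = "600" ] || return 1
  # Quote removal never happened: an even number of double quotes remains.
  quotes="$(tr -cd '"' < "$f" | wc -c)"
  [ $((quotes % 2)) -eq 0 ] || return 1
  # Both PEM markers are present, so the private key was not cut off.
  grep -q -- '-----BEGIN PRIVATE KEY-----' "$f" || return 1
  grep -q -- '-----END PRIVATE KEY-----' "$f" || return 1
  # The JSON object is opened and closed.
  [ "$(head -n 1 "$f")" = "{" ] && [ "$(tail -n 1 "$f")" = "}" ]
}

# Stand-alone run: write the dummy key to a temp file, check it, and show the
# truncated value the nested-quote export would have produced.
tmp="$(mktemp)"
write_key_file "$tmp"
key_file_intact && echo "intact key file at $GOOGLE_APPLICATION_CREDENTIALS (mode $(stat -c '%a' "$tmp" 2>/dev/null || stat -f '%Lp' "$tmp"))"
echo "value the nested-quote export would have produced:"
broken_export "$tmp"
echo
rm -f "$tmp"
```

The truncated value printed by `broken_export` ends at `private_key: -----BEGIN`, the same place the question's file stops, which is why no amount of escaping inside the JSON is a good fix: writing the key as a file via a quoted heredoc and pointing the variable at that file avoids the problem entirely.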

You must configure the variable GOOGLE_APPLICATION_CREDENTIALS

https://cloud.google.com/docs/authentication/

You can download the JSON file from the Service Account.

In the IAM & admin > Service Accounts section, click on the 3 dots of the Service Account you want to use and select "Create key" > JSON > Create.

This will generate/download the JSON file.

Toni