Dev/Terraform

create config (only once) #show state before gcloud config configurations list gcloud config configurations create "MY_PROFILE" export CLOUDSDK_ACTIVE_CONFIG_NAME="MY_PROFILE" gcloud config set core/project "MY_GCP_PROJECT" gcloud config set core/account "MY_EMAIL" #show state after gcloud config configurations list use config (every terminal session) # choose project export CLOUDSDK_ACTIVE_CONFIG_NAME="MY_PROFILE" # login (valid for about an hour) export GOOGLE_OAUTH_ACCESS_TOKEN="$(gcloud auth print-access-token)"

grant permission to a group / user resource "google_service_account_iam_member" "allow_us_to_impersonate" { service_account_id = google_service_account.service_account.id role = "roles/iam.serviceAccountTokenCreator" member = "group:GOOGLE_GROUP_EMAIL" } run terraform as a service account # run as service account export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT="SERVICE_ACCOUNT_EMAIL" # stop running as service account export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=""

How to login: don’t use a downloaded credential file https://jryancanty.medium.com/stop-downloading-google-cloud-service-account-keys-1811d44a97d9 instead export GOOGLE_OAUTH_ACCESS_TOKEN="$(gcloud auth print-access-token)" or SERVICE_ACCOUNT="your-service-account-email" export GOOGLE_OAUTH_ACCESS_TOKEN="$(gcloud --impersonate-service-account="${SERVICE_ACCOUNT}" auth print-access-token)" followed by your terraform commands or have a look at my automated setup https://github.com/TjenWellens/docker-alias Also related to terraform: my terraform gcp setup template: https://github.com/TjenWellens/template-tf-gcp-init