History

averbukh 52878c1564 Reorder variables		2021-12-15 11:13:18 +01:00
..
public-keys	SA key uploading and credentials json generation with terraform.	2021-12-06 17:02:56 +01:00
README.md	Refactoring	2021-12-15 11:07:22 +01:00
backend.tf.sample	SA key uploading and credentials json generation with terraform.	2021-12-06 17:02:56 +01:00
cloud-shell-readme.txt	Refactoring	2021-12-15 11:07:22 +01:00
main.tf	Refactoring	2021-12-15 11:07:22 +01:00
outputs.tf	Refactoring	2021-12-15 11:07:22 +01:00
variables.tf	Reorder variables	2021-12-15 11:13:18 +01:00
versions.tf	SA key uploading and credentials json generation with terraform.	2021-12-06 17:02:56 +01:00

README.md

Managing on-prem service account keys by uploading public keys

When managing GCP Service Accounts with terraform, it's often a question on how to avoid Service Account Key in the terraform state?

This example shows how to manage IAM Service Account Keys by generating a key pair and uploading the public part of the key to GCP, it has the following benefits:

no passing keys between users or systems
no SA key stored in the terraform state (only public part of the key in the state)
let keys expire automatically

Running the example

Clone this repository or open it in cloud shell, then go through the following steps to create resources:

Cleaning up example keys

rm -f /public-keys/data-uploader/
rm -f /public-keys/prisma-security/

Generate keys for service accounts

mkdir keys && cd keys
openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
    -keyout data_uploader_private_key.pem \
    -out ../public-keys/data-uploader/public_key.pem \
    -subj "/CN=unused"
openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
    -keyout prisma_security_private_key.pem \
    -out ../public-keys/prisma-security/public_key.pem \
    -subj "/CN=unused"

Deploy service accounts and keys

cd ..
terraform init
terraform apply -var project_id=$GOOGLE_CLOUD_PROJECT

Extract JSON credentials templates from terraform output and put the private part of the keys into templates

terraform show -json | jq '.values.outputs."sa-credentials".value."data-uploader"."public_key.pem" | fromjson' > data-uploader.json
terraform show -json | jq '.values.outputs."sa-credentials".value."prisma-security"."public_key.pem" | fromjson' > prisma-security.json

contents=$(jq --arg key "$(cat keys/data_uploader_private_key.pem)" '.private_key=$key' data-uploader.json) && echo "$contents" > data-uploader.json
contents=$(jq --arg key "$(cat keys/prisma_security_private_key.pem)" '.private_key=$key' prisma-security.json) && echo "$contents" > prisma-security.json

Testing the example

Validate that service accounts json credentials are valid

gcloud auth activate-service-account --key-file prisma-security.json
gcloud auth activate-service-account --key-file data-uploader.json

Cleaning up

terraform destroy -var project_id=$GOOGLE_CLOUD_PROJECT

Variables

name	description	type	required	default
project_id	Project id.	`string`	✓
project_create	Create project instead of using an existing one.	`bool`		`false`
service_accounts	List of service accounts.	`list(object({...}))`		`...`
services	Service APIs to enable.	`list(string)`		`[]`

Outputs

name	description	sensitive
sa-credentials	SA json key templates.