# Managing on-prem service account keys by uploading public keys

When managing GCP Service Accounts with Terraform, a common question is how to avoid having a Service Account Key end up in the Terraform state.

This example shows how to manage IAM Service Account Keys by generating a key pair locally and uploading only the public part of the key to GCP. This approach has the following benefits:
- no passing keys between users or systems
- no SA key stored in the terraform state (only public part of the key in the state)
- let keys expire automatically
## Running the example

Clone this repository or open it in Cloud Shell, then go through the following steps to create resources:
Cleaning up example keys

```bash
# remove the sample public keys shipped with the example so they are regenerated below
rm -f public-keys/data-uploader/public_key.pem
rm -f public-keys/prisma-security/public_key.pem
```
Generate keys for service accounts

```bash
mkdir keys && cd keys
# self-signed certificate (public part) valid for 30 days; the private key never leaves this directory
openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
  -keyout data_uploader_private_key.pem \
  -out ../public-keys/data-uploader/public_key.pem \
  -subj "/CN=unused"
openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
  -keyout prisma_security_private_key.pem \
  -out ../public-keys/prisma-security/public_key.pem \
  -subj "/CN=unused"
```
Deploy service accounts and keys

```bash
cd ..
terraform init
terraform apply -var project_id=$GOOGLE_CLOUD_PROJECT
```
Extract the JSON credentials templates from the Terraform output and put the private part of each key into its template

```bash
terraform show -json | jq '.values.outputs."data-uploader-credentials".value."public_key.pem" | fromjson' > data-uploader.json
terraform show -json | jq '.values.outputs."prisma-security-credentials".value."public_key.pem" | fromjson' > prisma-security.json
# jq cannot edit in place, so capture the result before overwriting the template
contents=$(jq --arg key "$(cat keys/data_uploader_private_key.pem)" '.private_key=$key' data-uploader.json) && echo "$contents" > data-uploader.json
contents=$(jq --arg key "$(cat keys/prisma_security_private_key.pem)" '.private_key=$key' prisma-security.json) && echo "$contents" > prisma-security.json
```
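As an added local check (not part of this example's own files), the script below verifies before the merge step that a private key really belongs to the certificate uploaded as `public_key.pem` and that the certificate is not about to expire, then performs the same `jq` merge as above. It assumes `openssl` and `jq` are on the path and builds a throwaway key pair and template for demonstration.

```bash
#!/usr/bin/env bash
# Added example: sanity-check a generated key pair before merging the private key
# into the credentials template. Not part of the original example's code.
set -u

# Return 0 if the RSA private key and the self-signed certificate (the file
# uploaded to GCP as public_key.pem) share the same modulus, i.e. belong together.
key_matches_cert() {
  local key="$1" cert="$2" kmod cmod
  kmod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null) || return 2
  cmod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null) || return 2
  [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# Return 0 if the certificate is still valid for at least $2 more seconds
# (default one day); GCP stops accepting the key once the certificate expires.
cert_valid_for() {
  local cert="$1" seconds="${2:-86400}"
  openssl x509 -in "$cert" -noout -checkend "$seconds" >/dev/null 2>&1
}

# Merge the private key into a credentials template the same way the README does,
# but only after both checks pass. Prints the merged JSON on stdout.
merge_private_key() {
  local key="$1" cert="$2" template="$3"
  key_matches_cert "$key" "$cert" || { echo "private key does not match $cert" >&2; return 1; }
  cert_valid_for "$cert" 86400 || { echo "$cert expires within a day" >&2; return 1; }
  jq --arg key "$(cat "$key")" '.private_key=$key' "$template"
}

# Constructed fixture (hypothetical values): a throwaway key pair generated with the
# same openssl command as the README, plus a minimal credentials template.
make_fixture() {
  local dir
  dir=$(mktemp -d)
  openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" -subj "/CN=unused" 2>/dev/null
  printf '{"type":"service_account","private_key":"","client_email":"sa@example-project.iam.gserviceaccount.com"}\n' \
    > "$dir/template.json"
  echo "$dir"
}
```

A key pair from a different `openssl req` run is rejected by `key_matches_cert`, which catches the common mistake of merging a regenerated private key into a template built from an older certificate.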
## Testing the example

Validate that the service account JSON credentials are valid

```bash
gcloud auth activate-service-account --key-file prisma-security.json
gcloud auth activate-service-account --key-file data-uploader.json
```
## Cleaning up

```bash
terraform destroy -var project_id=$GOOGLE_CLOUD_PROJECT
```
## Variables

| name | description | type | required | default |
|---|---|---|---|---|
| project_id | Project id. | string | ✓ | |
| project_create | Create project instead of using an existing one. | bool | | false |
## Outputs

| name | description | sensitive |
|---|---|---|
| data-uploader-credentials | Data Uploader SA json key templates. | |
| prisma-security-credentials | Prisma Security SA json key templates. | |