1
votes

What is the bare minimum set of permissions terraform needs to manage GCP project?

Some resources suggest simply assigning terraform's service account with "Compute Admin" role, but perhaps there is a more specific list of permissions that terraform really needs.

2
What do you mean by managing a GCP project? The necessary permissions depend on which GCP resources you aim to manage with GCP; Compute Admin suffices for setting up GCE instances but won't grant you access to GCS buckets, for example. - Aleksi
@Aleksi, sure, absolutely, the full set of permissions will depend on the types of resources. As a minimum, I would like to know what the basic set is that any use case would need. Ideally I would like to know which type of resource needs what set of permissions. So far I have had to establish this experimentally, and it takes too much time. - 0x416e746f6e

2 Answers

3
votes

Permission to view "Admin Project" and manage Cloud Storage. Any other actions that Terraform would perform will require that the API for the service(s) be enabled. The Terraform service account would also require organization and folder permissions. Please refer to the following tutorial for guidance:

[Managing GCP projects with Terraform](https://cloud.google.com/community/tutorials/managing-gcp-projects-with-terraform)

0
votes

Agree with @Aleksi: you need to be more specific about what you mean by "manage GCP project", because if that Terraform service account will only be interacting with the GCE and GKE APIs, then you will need to give it the "Compute Admin" and "Container Admin" roles.

Here take a look at the following link to learn more about primitive roles and predefined roles.
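The two answers together describe a layered approach: a small baseline the Terraform service account always needs (read the project, enable service APIs, read and write the Cloud Storage bucket holding state), plus predefined roles added per resource family actually managed. The Terraform configuration below is an added example, not code from either answer or from the linked tutorial. It expresses that layering in Terraform itself. The project id, account id and role id are placeholders; the permission strings and role names are real GCP IAM identifiers, but which resource-specific roles you add depends entirely on what your configuration manages.

```hcl
# Added example: least-privilege baseline for a Terraform service account.
# Placeholders: project id, account id, role id. The permission strings below
# are real GCP IAM permissions; treat the list as a starting point to audit,
# not as a complete answer for every use case.

variable "project_id" {
  default = "my-project-id" # placeholder
}

resource "google_service_account" "terraform" {
  project      = var.project_id
  account_id   = "terraform"
  display_name = "Terraform automation"
}

# Baseline from the first answer: view the project, enable APIs, and
# read/write objects in the Cloud Storage bucket that holds Terraform state.
# A custom role makes the exact permission set explicit and reviewable.
resource "google_project_iam_custom_role" "terraform_baseline" {
  project     = var.project_id
  role_id     = "terraformBaseline" # placeholder
  title       = "Terraform baseline"
  description = "Minimum a Terraform service account needs before any resource-specific roles"
  permissions = [
    "resourcemanager.projects.get",
    "serviceusage.services.get",
    "serviceusage.services.list",
    "serviceusage.services.enable",
    "storage.buckets.get",
    "storage.objects.create",
    "storage.objects.delete",
    "storage.objects.get",
    "storage.objects.list",
  ]
}

resource "google_project_iam_member" "terraform_baseline" {
  project = var.project_id
  role    = google_project_iam_custom_role.terraform_baseline.id
  member  = "serviceAccount:${google_service_account.terraform.email}"
}

# Resource-specific predefined roles from the second answer.
# Keep only the families this Terraform configuration actually manages.
locals {
  terraform_predefined_roles = toset([
    "roles/compute.admin",   # GCE instances, disks, networks
    "roles/container.admin", # GKE clusters and node pools
  ])
}

resource "google_project_iam_member" "terraform_predefined" {
  for_each = local.terraform_predefined_roles
  project  = var.project_id
  role     = each.value
  member   = "serviceAccount:${google_service_account.terraform.email}"
}
```

Two practical refinements: the `storage.objects.*` permissions are granted project-wide here for brevity, whereas a binding on the state bucket alone (`google_storage_bucket_iam_member`) would scope them to that single bucket; and if Terraform creates resources that run as another service account (for example GCE instances with an attached service account), it will additionally need `iam.serviceAccounts.actAs` on that account, which none of the roles above grant. Building the set up this way, and diffing the project's IAM policy after each apply, is faster than discovering missing permissions one failed apply at a time.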