-
Notifications
You must be signed in to change notification settings - Fork 77
Interaction with google_service_account_access_token #70
Comments
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
I'm actually running into a very similar situation, and being able to use the access token would be a very nice addition! |
Took a shot at this with this branch, but unfortunately I got stuck with the second impersonate using only an access token: https://github.com/DeviaVir/terraform-provider-gsuite/pull/new/access_token |
Working on it. ;-) |
@DeviaVir you in the golang slack channel? if so can you dm me @bit_wrangler? Wanna chat this stuff up a little to better understand why we are impersonating user emails at all. |
Until I have everything automated through CI/CD, I am trying to get my Terraform scripts to run generally as myself for auditing purposes. The GSuite admin, though, doesn't want to give me personally the power to impersonate the admin account for the scopes that this provider needs. What they are willing to do is use a service account to delegate to the admin user.
That means I need to manage the credentials for this service account, encrypt them, ... which I do have all working. But this results in decrypted credentials being stored somewhere (e.g. terraform state files from a data resource decrypted by
google_kms_secret
, some environment variable managed by something not terraform, ...). I'm trying to avoid the decrypted credential residing anywhere.I stumbled upon
google_service_account_access_token
which seems to have very similar capabilities of impersonation. It only offers anaccess_token
to use, while the gsuite provider only takescredentials
. Would it be possible (with an enhancement), or even make sense, to give the gsuite provider thisaccess_token
instead ofcredentials
?I'm thinking of some config looking like this:
Basically, this is doing a double impersonation. First my personal account impersonates the service account, and then the gsuite provider impersonates the admin user account.
This way no service account credential is ever referenced in state. There is an
access_token
that might end up in state somewhere, but it is short lived, so it isn't as bad.Or am I just going about this all the wrong way and there is a far simpler approach?
The text was updated successfully, but these errors were encountered: