To see your current Role Assignments (for a human user on a given project)

  • Go to the PROJECT LEVEL. Once a project is selected, type IAM and Admin in the search menu.
  • From the IAM and Admin menu, the first tab in the left menu (IAM) shows the members and ROLES that are currently in USE.
  • If you look further down on the left menu, there is a ROLES option - this shows ALL AVAILABLE roles that can be applied to the resources in this project.

Terraform and App default credentials

Normally, you would create a custom service account, download its JSON key and store it in a file (e.g. account.json) on your local workstation. This means you are telling Terraform to use the Service Account to log on to GCP and perform various actions. However, if you comment that line out, Terraform will try to authenticate using default credentials.

These so-called ADCs (App Default Credentials) were created when you first set up the gCloud SDK on your workstation.

Note that these are typically a 'human user' (added via gSuite or Cloud Identity). When we comment out the credentials line from our TF code, it will default to looking for the ADCs on your workstation.

provider "google" {
  //credentials = file("account.json")
  project     = "my-awesome-f5"
  region      = "us-central1"
  zone        = "us-central1-c"
}
  • If you comment out the credentials line (account.json contains the Service Account key), Terraform will use your application default credentials.
  • To make sure things work identically, you need to grant the same CUSTOM ROLE to the custom Service Account that you grant to the human user.
  • Create a Service Account --> Assign the Custom Role that you have created for your Terraform use.
  • Also, in the list of human users (users allowed to use this service account), pick your human users. Do the same for SA Admins (who can manage this custom SA).
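Because the fallback is silent, it is worth checking which identity Terraform will actually pick up before running a plan. The following resolver is an added example, not code from the post or from Terraform: it walks the lookup chain the hashicorp/google provider uses when `credentials` is commented out (its own GOOGLE_CREDENTIALS / GOOGLE_CLOUD_KEYFILE_JSON / GCLOUD_KEYFILE_JSON variables, then GOOGLE_APPLICATION_CREDENTIALS, then the gcloud well-known ADC file) and reports whether the winning credential is a service account key or a human user's ADC. The `read_file` hook is an assumption added for testing; the sample JSON in the usage is constructed.

```python
import json
import os
from pathlib import Path

# Order in which the hashicorp/google provider looks for credentials when the
# `credentials` argument is absent: provider env vars first, then ADC.
PROVIDER_ENV_VARS = ("GOOGLE_CREDENTIALS", "GOOGLE_CLOUD_KEYFILE_JSON", "GCLOUD_KEYFILE_JSON")
ADC_ENV_VAR = "GOOGLE_APPLICATION_CREDENTIALS"
# Linux/macOS location written by `gcloud auth application-default login`
# (Windows uses %APPDATA%\gcloud instead).
ADC_WELL_KNOWN = Path.home() / ".config" / "gcloud" / "application_default_credentials.json"


def classify_credential(raw: str) -> dict:
    """Parse a credential JSON blob and report who Terraform would act as.

    A downloaded service-account key has type "service_account" plus a
    client_email; ADC written by gcloud has type "authorized_user", i.e. the
    human user's refresh token, and carries no email at all.
    """
    data = json.loads(raw)
    kind = data.get("type")
    if kind == "service_account":
        return {"principal_type": "service_account",
                "principal": data.get("client_email"), "project_id": data.get("project_id")}
    if kind == "authorized_user":
        return {"principal_type": "human_user",
                "principal": None, "project_id": data.get("quota_project_id")}
    return {"principal_type": "unknown", "principal": None, "project_id": None}


def resolve_terraform_identity(env: dict, read_file=lambda p: Path(p).read_text()) -> dict:
    """Walk the lookup chain; `read_file` is injectable so this runs without touching disk."""
    for var in PROVIDER_ENV_VARS:
        if env.get(var):
            value = env[var]
            # These provider vars accept either a key-file path or the raw JSON contents.
            raw = value if value.lstrip().startswith("{") else read_file(value)
            return {"source": var, **classify_credential(raw)}
    if env.get(ADC_ENV_VAR):
        return {"source": ADC_ENV_VAR, **classify_credential(read_file(env[ADC_ENV_VAR]))}
    try:
        return {"source": str(ADC_WELL_KNOWN), **classify_credential(read_file(ADC_WELL_KNOWN))}
    except FileNotFoundError:
        # Nothing on the workstation: the provider would fall through to the
        # GCE metadata server or fail outright.
        return {"source": "none", "principal_type": "unknown", "principal": None, "project_id": None}


if __name__ == "__main__":
    print(resolve_terraform_identity(dict(os.environ)))
```

Run it from the shell you use for `terraform plan`; a result of `human_user` means the run will be attributed to you, not to the custom service account, and audit logs will show your account as the actor.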

How do you tell what was changed on your GCP resources (e.g. which users were granted access)?

Logs Viewer will filter based on RESOURCES.

  • These can be either NAMED resources (an existing resource, e.g. a role) OR categories of resources (e.g. VM).
  • A Role is a resource, as is a PROJECT. A VM is a category resource.
  • So, you can filter for all events on a project, or all Role assignments for a particular role or all VM specific events.

Summary

This post shows you how to differentiate between using ADCs for your Terraform development and using Service Accounts in GCP. Human users are managed outside of GCP (gsuite etc.); service accounts are part of IAM and are managed from GCP Console --> IAM and Admin.

This post also shows you how to quickly look for resource changes (Log Viewer --> Filter on resource)