I am having a problem with GCP and terraform.
The problem:
Through a terraform project I want to create a service account, create a key for it and share that key to someone that has to do something with it.
For example, the service account has the objectCreator role on a bucket and whoever has the service account key should be able to write on that bucket.
The problem is:
I can create the service account, the key, etc.. but I cannot find a way to write the keys in a JSON file as the well-known command does:
gcloud iam service-accounts keys create KEY_FILE \
--iam-account=SA_NAME#PROJECT_ID.iam.gserviceaccount.com
Can anyone help me with this problem?
thanks in advance.
I figured it out by printing it to a file as suggested.
resource "local_file" "myaccountjson" {
content = base64decode(google_service_account_key.sa-name.private_key)
filename = "${var.path}buckets-external-access-identity-sa.json"
}
Related
I have a impersonated a Service Account in gcloud through the command gcloud config set auth/impersonate_service_account [SA_FULL_EMAIL].
Now, all my API calls are impersonating the Service Account., is there a way to download the Service Account JSON at this point?
Because I do not have the original Service Account JSON that was created earlier and also as an User I do not have permissions to Manage Keys for this Service Account.
Please let me know, if I can download the Service Account JSON from gcloud by impersonating the Service Account.
Thanks in advance!
I do not have permissions to Manage Keys for this Service Account
Without those permissions, you cannot create or download service account JSON keys. If the service account has those permissions, which it should not for security reasons, then yes.
The following command will create a new JSON key and download it:
gcloud iam service-accounts keys create my-service-account.json --iam-account <EMAIL ADDRESS>
I'll like to import my existing IAM settings (Users, Groups, Policies, etc..) to a new AWS account, which I've created.
I've tried to use the GetAccountAuthorizationDetails API with aws iam get-account-authorization-details > export_IAM.json command.
Now, IDK how to export this .json file to my new account.
I'll appreciate it if someone could tell me what the best way to do that, please is.
Created a service user to manage terraform under the project and gave it roles/owner. Created the key for this terraform user.
Terraform code is simple:
resource "google_pubsub_topic" "my_topic" {
name = "my_topic"
project = "${var.project_id}"
}
just creating a pub-sub topic.
terraform plan works but terraform apply gives me:
google_pubsub_topic.my_topic: googleapi: Error 403: User not authorized to perform this action., forbidden
I have even tried giving the service account roles/pubsub.admin not sure I understand what's going on because my service account has the owner role associated with it yet it can't create a pubsub topic.
Can anybody help me figure this out please?
Thanks in advance.
Edit (to expand on my comment about what worked):
I had created the service account using gcloud.
gcloud iam service-accounts create terraform \
--display-name "Terraform admin account"
gcloud projects add-iam-policy-binding myproject-182220 \
--member serviceAccount:terraform#myproject-182220.iam.gserviceaccount.com \
--role roles/owner
gcloud iam service-accounts keys create terraform-admin.json \
--iam-account terraform#myproject-182220.iam.gserviceaccount.com
To continue my debugging, I created a new service account using the console / GUI --> API & Services --> Credentials --> Create Credentials --> Service Account Key --> New Service Account (With the owner role). With this new service key json file, I was able to run my terraform code without a problem.
Now my confusion is, why did this work but not when I used gcloud to create a service account and give it the same role?
You have to enable the pub/sub api via google cloud or it might be possible using terraform.
The sample usage configuration for the Google provider looks more like:
// Configure the Google Cloud provider
provider "google" {
credentials = "${file("account.json")}"
project = "my-gce-project"
region = "us-central1"
}
// Create a new instance
resource "google_compute_instance" "default" {
# ...
}
This can be read in more detail on the "Google Cloud Provider" documentation page from Terraform.
I'm new to programming. I need to figure out how I can create AWS users, roles and policies programmatically using code.
That task I'm after :
Create a User, Role and Policy
Assign Policy to the Role
Assign Role to the User
Set condition on the Role, that only Users with MFA can assume that Role
Config's should live in S3 bucket
configure a LAMBDA to check the user's role membership and output the result to S3 bucket.
Just trying to figure out where do I start from ? I have a very limited programming experience (can do a bit of PHP).
I have a AWS account, created a user and gave him 'AdministratorAccess' also have user keys for CLI access.
Should I be suing 1)AWS CLI 2) Powershell 3) AWS SDK's 4) AWS API?
Appreciate any help/direction to achieve the above.
Thanks
S
To programmatically create IAM Roles you can use AWS PHP SDK. Refer the IAM Create User section in SDK API reference for more details.
Aside from using specific language AWS SDKs such as suggested by #Ashan, you can do so by using AWS REST API with the following example request:
https://iam.amazonaws.com/?Action=CreateUser
&Path=/division_abc/subdivision_xyz/
&UserName=Bob
&Version=2010-05-08
&AUTHPARAMS
Source - CreateUser
I have an AWS Educate Account but I'm unable to get the Access Key ID and Secret Access Key for the account. It mentions that I do not have IAM access when I try to follow the AWS guide on getting these, does that mean that there's no way for me to get it using the educate account?
1) Go to Vocareum. This is kinda the main page of your student AWS account.
2) Find the blue button Account Details, click it - profit!
From vocareum main page > Account details > AWS CLI > Show
Copy and paste the CLI details into '~/.aws/credentials' for mac and 'C:/users/%UserProfile%/.aws/credentials' for windows.
[default]
region=us-east-1
aws_access_key_id=*****
aws_secret_access_key=*******
aws_session_token=***********************
'region' is not present in AWS CLI details from Vocareum. So please don't forget to add it. You can specify any region.
If you want to verify your details add 'output = json' along with the above details in your credentials file and run the command 'aws sts get-caller-identity'.
It will display your Account ID, User ID and ARN.
To check if your CLI is working, you can try to connect to S3 bucket using
aws s3 ls
I think it's better to create a personal account and use the free tier. This is a better way for education pupose.
AWS Educate account has limited access, you can't create users with keys, the root user can't create buckets from scripts, etc.
Go to https://labs.vocareum.com/ and there you will find Account details . just click on it .
there you will see AWS CLI . Here you will see your aws_access_key_id , aws_secret_access_key and aws_session_token . Go to C:/users/Dell/.aws/credentials then copy and paste the line of AWS CLI to the credentials file
All done !! you will now can be able to access your SQS , S3 Bucket without Create an user in IAM . in student account , it can't be accessed to create an IAM User.