Using service account impersonation for terraform invoking kubectl-wrapper module

Question

Using service account impersonation for terraform invoking kubectl-wrapper module

Closed this issue 4 years ago · 1 comments

Related to terraform-google-modules/terraform-google-kubernetes-engine#874

I have a use-case where I'm using shared Terraform Cloud Agents, and my TF Cloud workspace is isolated by using service account impersonation, i.e.: the GSA that terraform agent runs terraform by default does not have GKE Admin IAM. Problem is since this module uses the kubectl-wrapper module like this, which uses this gcloud command here, it uses the agent terraform IAM instead of the impersonating ones, hence not being able to create GKE. Is there any potential workarounds/idea for such setup?

Answer 1 · 2021-04-22T20:29:03.000Z

I think this would have worked fine with dd04160#diff-6e733b6090a409f0e5babd452a6936826fd8e75d5fefbea560f11c3a5c1718e2, but it broke with 6501fd8.

@bharathkkb any suggestions how to possibly still do this? 🙏