This post captures a couple of errors you might encounter getting started with Terraform and GCP. (Also read Protecting Service Account Keys in GCP and Sentinel tfplan policies in GCP.)
Typical Steps to getting started
   Are you going to be performing actions on GCP using a Service account or using your human user credentials?
Say you took the service account approach and created a custom service account for use with your project (granting the SA a Project Owner or Editor role), then downloaded the JSON key. You would think you are all set to execute Terraform against the project defined in the JSON key, since the service account is the ‘owner’ on the project.
You would be wrong.
You would encounter this error on your terraform init:
Error: google: could not find default credentials.
for more information.
  on  line 0:
  (source code not available)
The Quick Fix – Install Client Libraries for GCP APIs
  1. Client libraries are what the Terraform provider uses to call GCP APIs.
  2. All one needs is the Cloud SDK (see below), which installs the client libraries locally on your desktop.

Install Google Cloud SDK on your development desktop

  • On windows, just open up a powershell prompt and use this:
(New-Object Net.WebClient).DownloadFile("https://dl.google.com/dl/cloudsdk/channels/rapid/GoogleCloudSDKInstaller.exe", "$env:Temp\GoogleCloudSDKInstaller.exe")

& $env:Temp\GoogleCloudSDKInstaller.exe
  • Once installed, run the following gcloud commands:
gcloud init  --> This will prompt you to use an existing Gmail account or a different one

gcloud auth application-default login

This command will generate an ADC (Application Default Credentials) JSON file based on your user (IAM user) account and store it in a location where the SDK can find it automatically.

You should also receive a ‘security alert’ email from Google: Google Auth Library was granted access to your Google Account myuser@gmail.com

What if you need to switch your human (Gmail) or service account identity? Or to do this from another PC?

You need the command below to re-prompt a login (this will allow you to switch Gmail identities).

gcloud auth application-default login
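The reason the downloaded key alone was not enough is that the Terraform Google provider looks credentials up the Application Default Credentials way: first the GOOGLE_APPLICATION_CREDENTIALS environment variable, then the file that gcloud auth application-default login writes under the gcloud config directory. The script below is an added example (not code from the original post or from Google) that walks that same lookup order and reports which identity Terraform would actually pick up, so you can confirm you are about to run as the human user or the service account you intended. The two credential files it creates are constructed samples, and the my-awesome-project service account email is made up for the demo.

```python
"""Resolve Application Default Credentials (ADC) in the documented order and
report which identity would be used. Added example, not the post's code."""
import json
import os
import tempfile
from pathlib import Path


def adc_candidate_paths(env=None):
    """Return the files consulted for ADC, highest precedence first."""
    env = os.environ if env is None else env
    candidates = []
    explicit = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if explicit:
        candidates.append(Path(explicit))
    # gcloud config dir: CLOUDSDK_CONFIG overrides the per-platform default.
    config_dir = env.get("CLOUDSDK_CONFIG")
    if not config_dir:
        if env.get("APPDATA"):  # Windows
            config_dir = os.path.join(env["APPDATA"], "gcloud")
        else:  # Linux / macOS
            config_dir = os.path.join(env.get("HOME", ""), ".config", "gcloud")
    candidates.append(Path(config_dir) / "application_default_credentials.json")
    return candidates


def resolve_adc(env=None):
    """Return (path, kind, identity) for the first usable credential file, or
    None when nothing is found: the 'could not find default credentials' case."""
    for path in adc_candidate_paths(env):
        if not path.is_file():
            continue
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
        kind = data.get("type")
        if kind == "service_account":
            return str(path), kind, data.get("client_email")
        if kind == "authorized_user":
            # A human login: the file holds an OAuth client id and refresh
            # token, not the Gmail address, so the client id is reported.
            return str(path), kind, data.get("client_id")
        # Unknown credential format: treat as unusable and keep looking.
    return None


def demo():
    """Create constructed credential files and show the precedence rules."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "gcloud"
        cfg.mkdir()
        # Constructed: what `gcloud auth application-default login` leaves behind.
        (cfg / "application_default_credentials.json").write_text(json.dumps({
            "type": "authorized_user",
            "client_id": "CONSTRUCTED-client-id.apps.googleusercontent.com",
            "client_secret": "CONSTRUCTED",
            "refresh_token": "CONSTRUCTED",
        }))
        # Constructed: a downloaded service account key (email is made up).
        key = Path(tmp) / "sa-key.json"
        key.write_text(json.dumps({
            "type": "service_account",
            "project_id": "my-awesome-project",
            "client_email": "terraform@my-awesome-project.iam.gserviceaccount.com",
            "private_key": "CONSTRUCTED",
        }))
        only_gcloud = resolve_adc({"CLOUDSDK_CONFIG": str(cfg)})
        with_key = resolve_adc({"CLOUDSDK_CONFIG": str(cfg),
                                "GOOGLE_APPLICATION_CREDENTIALS": str(key)})
        nothing = resolve_adc({"CLOUDSDK_CONFIG": str(Path(tmp) / "empty")})
        return only_gcloud[1], with_key[1], nothing


if __name__ == "__main__":
    print("ADC lookup order:", [str(p) for p in adc_candidate_paths()])
    print("Resolved:", resolve_adc())
    print("Demo (gcloud login only, key exported, nothing):", demo())
```

Run it with no arguments on your own desktop to see which file, if any, Terraform will use; the exported key wins over the gcloud login whenever both exist, which is why switching identities sometimes means unsetting GOOGLE_APPLICATION_CREDENTIALS rather than re-running the login command.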

Another possible error – Callers must accept terms of service…

When you try to create a new project with

gcloud projects create myprojectname

you may encounter this error. This happens if the G Suite account is one which HASN’T created any projects in the past.

The Quick Fix for Callers must accept terms of service…

Log into the console with the same G Suite account and create a project by selecting ‘Select a project’ and then ‘Create a Project’.

This will prompt the terms of service agreement and you may carry on after agreeing to the terms of service.

That’s it. Those are two of the more common errors that GCP and Terraform users encounter when getting started.
Where does my human user (IAM user) enter into this picture?

If you are using Cloud Shell, you are logged in as your IAM (human) user: that is the identity that logs on to GCP via Cloud Shell.

Happy Terraforming!

Appendix A – Some Roles your Human or Service Account identity may need on GCP for successfully creating Terraform Resources

    1. iam.serviceAccounts.actAs permission on your project, e.g. ‘projects/my-awesome-project’
    2. If you plan to use the default Compute Engine SA, you need the Service Account User role (roles/iam.serviceAccountUser) on that SA. Ask a project owner to grant you that role on the service account.
    3. If you will be creating your own SAs and assigning roles to them:
      1. resourcemanager.projects.getIamPolicy on my-awesome-project
      2. resourcemanager.projects.setIamPolicy on the same project
      3. iam.roles.list on the same project
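Rather than discovering a missing grant halfway through a terraform apply, you can check the project policy up front. The script below is an added example (not code from the original post): it takes the JSON that gcloud projects get-iam-policy PROJECT --format=json returns and reports which of the predefined roles covering the appendix's permissions are not bound to a given identity. Two assumptions are baked in and labelled in the code: roles/iam.serviceAccountUser carries iam.serviceAccounts.actAs (as the appendix says) and roles/resourcemanager.projectIamAdmin carries resourcemanager.projects.getIamPolicy and setIamPolicy; roles/owner is treated as covering both. The check is on role bindings, not on the underlying permissions, so a role reported as missing may still be covered by a custom role or by a basic role such as Editor; treat the output as a conservative pre-flight, not a proof. The policy, the email addresses and the condition are constructed sample data.

```python
"""Pre-flight check of a GCP project IAM policy against the roles Terraform
needs. Added example, not the post's code; sample policy is constructed."""
import json
import sys

# Assumption (predefined-role contents): which appendix permission each
# checked role carries. roles/owner is treated as a superset of both.
REQUIRED_ROLES = {
    "roles/iam.serviceAccountUser": "iam.serviceAccounts.actAs",
    "roles/resourcemanager.projectIamAdmin":
        "resourcemanager.projects.getIamPolicy and setIamPolicy",
}
SUPERSET_ROLES = {"roles/owner"}

# Constructed sample in the shape `gcloud projects get-iam-policy --format=json`
# produces. The last binding is conditional on purpose: it only applies when
# the condition holds, so the check does not count it.
SAMPLE_POLICY = json.dumps({
    "version": 3,
    "bindings": [
        {"role": "roles/owner", "members": ["user:owner@example.com"]},
        {"role": "roles/viewer", "members": ["user:myuser@gmail.com"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["serviceAccount:terraform@my-awesome-project.iam.gserviceaccount.com"]},
        {"role": "roles/resourcemanager.projectIamAdmin",
         "members": ["serviceAccount:terraform@my-awesome-project.iam.gserviceaccount.com"],
         "condition": {"title": "constructed-condition",
                       "expression": "request.time < timestamp(\"2000-01-01T00:00:00Z\")"}},
    ],
})


def roles_for_member(policy, member):
    """Return the roles bound unconditionally to `member` (e.g. 'user:a@b.com')."""
    roles = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue  # conditional grant: do not assume it is in effect
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles


def missing_roles(policy_json, member):
    """Sorted list of required roles `member` does not hold; [] means clear."""
    held = roles_for_member(json.loads(policy_json), member)
    if held & SUPERSET_ROLES:
        return []
    return sorted(role for role in REQUIRED_ROLES if role not in held)


def report(policy_json, member):
    """Human-readable summary for one identity."""
    missing = missing_roles(policy_json, member)
    if not missing:
        return f"{member}: all required roles present"
    lines = [f"{member}: missing {len(missing)} role(s)"]
    for role in missing:
        lines.append(f"  {role}  (covers {REQUIRED_ROLES[role]})")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Usage: gcloud projects get-iam-policy PROJECT --format=json | python check.py user:me@example.com
        print(report(sys.stdin.read(), sys.argv[1]))
    else:
        for who in ("user:owner@example.com", "user:myuser@gmail.com",
                    "serviceAccount:terraform@my-awesome-project.iam.gserviceaccount.com"):
            print(report(SAMPLE_POLICY, who))
```

Run it without arguments to see the three sample outcomes: the owner passes, the viewer-only Gmail user is missing both roles, and the service account is missing projectIamAdmin because its only binding for that role is conditional. Piping real gcloud output in with the member string as the single argument gives the same report for your own project.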