Terraform · Cloud · ~10 mins

Least privilege for Terraform service accounts - Step-by-Step Execution

Process Flow - Least privilege for Terraform service accounts
Create Service Account
Assign Minimal Roles
Use Service Account in Terraform
Terraform Executes with Limited Permissions
Verify No Excess Permissions
Adjust Roles if Needed
End
This flow shows creating a service account, giving it only the permissions it needs, using it in Terraform, and verifying it cannot do more than necessary.
Execution Sample
Terraform
resource "google_service_account" "tf_sa" {
  account_id   = "terraform-sa"
  display_name = "Terraform Service Account"
}

resource "google_project_iam_member" "tf_sa_storage" {
  project = var.project_id
  role    = "roles/storage.objectViewer"
  member  = "serviceAccount:${google_service_account.tf_sa.email}"
}
This Terraform code creates a service account and assigns it the minimal role to view storage objects.
Process Table
| Step | Action | Resource Affected | Permissions Assigned | Result |
|---|---|---|---|---|
| 1 | Create service account | google_service_account.tf_sa | None initially | Service account created with ID terraform-sa |
| 2 | Assign IAM role | google_project_iam_member.tf_sa_storage | roles/storage.objectViewer | Service account can view storage objects only |
| 3 | Use service account in Terraform | Terraform execution | Limited to assigned roles | Terraform can read storage objects but cannot modify or delete |
| 4 | Attempt unauthorized action | Terraform execution | No extra permissions | Action denied due to lack of permissions |
| 5 | Verify permissions | IAM policy | Only assigned roles present | Least privilege enforced |
| 6 | Adjust roles if needed | IAM policy | Add or remove roles | Permissions updated to minimum required |
| 7 | End | - | - | Terraform runs with least privilege service account |
💡 Terraform service account has only the minimal permissions assigned, enforcing least privilege.
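Step 5 of the table ("Verify permissions: only assigned roles present") is the one most often skipped in practice. As an added example that is not part of the lesson, the following Python check reads a project IAM policy in the JSON shape that `gcloud projects get-iam-policy --format=json` returns and reports every role the Terraform service account holds beyond its intended set, flagging the basic roles (owner, editor, viewer) separately. The service account email, the project id and the policy contents are constructed for illustration.

```python
"""Least-privilege check for a GCP service account's project IAM bindings.

Added example (not from the lesson). The policy shape mirrors
`gcloud projects get-iam-policy PROJECT --format=json`:
{"bindings": [{"role": "...", "members": ["serviceAccount:...", ...]}]}
"""
import json

# Basic (primitive) roles grant broad access across every service; an
# automation identity should never hold one regardless of the allowlist.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed member string: the terraform-sa account from the lesson in a
# hypothetical project called example-project.
TF_SA_MEMBER = "serviceAccount:terraform-sa@example-project.iam.gserviceaccount.com"

# Roles the account is supposed to have, as declared in the Terraform code.
EXPECTED_ROLES = {"roles/storage.objectViewer"}

# Constructed sample policy: the intended viewer binding plus an editor
# binding that drifted in outside Terraform and should be caught.
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:terraform-sa@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["user:alice@example.com",
                 "serviceAccount:terraform-sa@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/owner",
     "members": ["user:alice@example.com"]}
  ]
}
""")


def roles_for_member(policy: dict, member: str) -> set[str]:
    """Return every role the policy grants directly to `member`.

    Conditional bindings (those with a "condition" key) are counted as
    granted: for a least-privilege review the conservative reading is that
    the role may be exercised whenever the condition holds.
    """
    return {
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    }


def check_least_privilege(policy: dict, member: str, expected_roles: set[str]) -> dict:
    """Compare granted roles against the expected set.

    Returns a report with the sorted role lists and an overall `ok` flag
    that is True only when nothing beyond `expected_roles` is granted and
    no basic role is present. Only direct project-level bindings are
    inspected: roles inherited from folder or organization policies, or via
    group membership, are not visible in a project policy and need a
    separate check.
    """
    granted = roles_for_member(policy, member)
    excess = granted - expected_roles
    basic = granted & BASIC_ROLES
    return {
        "member": member,
        "granted": sorted(granted),
        "excess": sorted(excess),
        "missing": sorted(expected_roles - granted),
        "basic_roles": sorted(basic),
        "ok": not excess and not basic,
    }


def format_report(report: dict) -> str:
    """Render the report as one line per finding for a CI log."""
    lines = [f"member: {report['member']}", f"granted: {', '.join(report['granted']) or '(none)'}"]
    for key in ("excess", "missing", "basic_roles"):
        if report[key]:
            lines.append(f"{key}: {', '.join(report[key])}")
    lines.append("least privilege: OK" if report["ok"] else "least privilege: VIOLATED")
    return "\n".join(lines)


if __name__ == "__main__":
    # Typical use: pipe `gcloud projects get-iam-policy` output into this
    # check from the pipeline that runs Terraform, failing the job on drift.
    print(format_report(check_least_privilege(SAMPLE_POLICY, TF_SA_MEMBER, EXPECTED_ROLES)))
```

On the constructed policy the check reports `roles/editor` both as an excess role and as a basic role, so the run is marked as violating least privilege; removing that binding makes it pass. Feeding it the live policy after step 6 (adjusting roles) confirms that only the minimum was added.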
Status Tracker
| Variable | Start | After Step 1 | After Step 2 | After Step 6 | Final |
|---|---|---|---|---|---|
| service_account | None | Created with ID terraform-sa | Exists with roles/storage.objectViewer | Roles adjusted if needed | Exists with minimal required roles |
| permissions | None | None | roles/storage.objectViewer | Updated if needed | Minimal permissions enforced |
Key Moments - 3 Insights
Why do we assign only specific roles instead of full admin rights?
Assigning only specific roles limits what Terraform can do, preventing accidental or malicious changes. See execution_table steps 2 and 4, where only storage.objectViewer is assigned and unauthorized actions are denied.
What happens if Terraform tries to perform an action not allowed by the service account?
Terraform will get an error and the action will be denied, as shown in execution_table step 4. This protects resources from unintended changes.
How do we update permissions if Terraform needs more access later?
We adjust the IAM roles assigned to the service account, as shown in execution_table step 6, adding only the minimum extra permissions needed.
Visual Quiz - 3 Questions
Test your understanding
Looking at the execution_table, what permission is assigned to the service account at step 2?
A. roles/editor
B. roles/storage.objectViewer
C. roles/owner
D. No permissions assigned
💡 Hint
Check the 'Permissions Assigned' column in execution_table row for step 2.
At which step does Terraform get denied when trying an unauthorized action?
A. Step 3
B. Step 5
C. Step 4
D. Step 6
💡 Hint
Look for the step mentioning 'Action denied' in the 'Result' column.
If we add roles/editor to the service account, which step would reflect this change?
A. Step 6
B. Step 2
C. Step 4
D. Step 7
💡 Hint
Check the step about adjusting roles in the execution_table.
Concept Snapshot
Least privilege means giving Terraform service accounts only the permissions they need.
Create a service account.
Assign minimal IAM roles (e.g., storage.objectViewer).
Use this account in Terraform runs.
Verify unauthorized actions are denied.
Adjust roles only when necessary.
Full Transcript
This lesson shows how to apply least privilege to Terraform service accounts. First, create a service account. Then assign it only the minimal roles it needs, such as storage.objectViewer. Use this account in Terraform executions. If Terraform tries to do something outside its permissions, it will be denied. You can adjust the roles later if Terraform needs more access. This approach protects your cloud resources by limiting what Terraform can do.