path: root/ops/buildkite/README.org
author    Franck Cuny <franck@fcuny.net>    2022-08-08 17:51:49 -0700
committer Franck Cuny <franck@fcuny.net>    2022-08-10 17:42:14 -0700
commit    aff01ebd0ecb546d248823b6de21aabc19a0ac19 (patch)
tree      840e622d77f07aa21433e45371403e747b06e978 /ops/buildkite/README.org
parent    fix(tahoe/secrets): configuration for rclone-sync to GCP (diff)
download  infra-aff01ebd0ecb546d248823b6de21aabc19a0ac19.tar.gz
ref(ops/buildkite): use service account impersonation for GCP
Instead of using a key for the terraform service account, use delegation. This simplifies the setup a bit:

- no need to have a local key
- principle of least privilege
- no need to set up some environment variables

Update the documentation in case something goes wrong in the future.

Change-Id: I430bdf6816419da35ae8a36cec55ce56491b985c
Reviewed-on: https://cl.fcuny.net/c/world/+/710
Tested-by: CI
Reviewed-by: Franck Cuny <franck@fcuny.net>
Diffstat (limited to 'ops/buildkite/README.org')
-rw-r--r-- ops/buildkite/README.org | 4
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/ops/buildkite/README.org b/ops/buildkite/README.org
index f3a09ef..c28acbd 100644
--- a/ops/buildkite/README.org
+++ b/ops/buildkite/README.org
@@ -2,4 +2,6 @@ This is to configure the pipelines in buildkite.
To upload them, run =nix run .#ops.buildkite.upload=.
-The state is stored in a GCS bucket. The GCS bucket needs to be created before this can be run. The credentials are expected to be stored in =pass= under =gcloud/terraform/fcuny-homelab=.
+The state is stored in a GCS bucket (and it needs to be created before we run this).
+
+The service account =terraform= needs to exist first, running =gcloud iam service-accounts list= will list them and we can verify it is defined. I might need to run =gcloud auth application-default login= in order to authenticate first.
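Review bot: the new last line documents the impersonation prerequisites incompletely. `gcloud iam service-accounts list` only proves the =terraform= account exists; it says nothing about whether the caller is allowed to impersonate it, and the paragraph never says how Terraform is told which account to impersonate, whereas the removed line at least named the =pass= entry. Since the commit replaces a key with delegation, record the two things that can actually break here: the user's own identity needs the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) on that service account, which can be checked with `gcloud iam service-accounts get-iam-policy <terraform-sa-email>`, and the impersonation target has to be set somewhere (the Google provider's `impersonate_service_account` setting, or the `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` environment variable), so name which one this repo uses. "I might need to run =gcloud auth application-default login=" reads as a guess; state the condition instead: it is required whenever no application default credentials are present, and that login is what supplies the source identity that the impersonation chain starts from. Minor: if the old key for the service account was deleted from IAM as part of this change (the commit message cites least privilege), say so here, otherwise a stale key remains a credential nobody tracks.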