From aff01ebd0ecb546d248823b6de21aabc19a0ac19 Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Mon, 8 Aug 2022 17:51:49 -0700
Subject: ref(ops/buildkite): use service account impersonation for GCP
Instead of using a key for the terraform service account, use delegation.
This simplifies a bit the setup:
- no need to have a local key
- principle of least privilege
- no need to setup some environment variables
Update the documentation in case something goes wrong in the future.
Change-Id: I430bdf6816419da35ae8a36cec55ce56491b985c
Reviewed-on: https://cl.fcuny.net/c/world/+/710
Tested-by: CI
Reviewed-by: Franck Cuny
---
 ops/buildkite/default.nix | 2 --
 1 file changed, 2 deletions(-)
(limited to 'ops/buildkite/default.nix')
diff --git a/ops/buildkite/default.nix b/ops/buildkite/default.nix
index 7daf7c2..8e7c05c 100644
--- a/ops/buildkite/default.nix
+++ b/ops/buildkite/default.nix
@@ -13,10 +13,8 @@ pkgs.stdenv.mkDerivation rec {
 set -ueo pipefail
 cd $(git rev-parse --show-toplevel)/ops/buildkite
- pass gcloud/terraform/fcuny-homelab > /dev/shm/tf-fcuny-homelab
 export BUILDKITE_API_TOKEN=$(pass api/buildkite-terraform-token)
- export GOOGLE_APPLICATION_CREDENTIALS=/dev/shm/tf-fcuny-homelab
 ${terraform}/bin/terraform init
 ${terraform}/bin/terraform plan
--
cgit v1.2.3