Solved: Atlantis Couldn’t Track Google Service Account Keys in State File


Atlantis is a great tool for doing Terraform infrastructure-as-code and GitOps together. I got it set up and running fine, but when I let it manage some service account keys (I know, not the best option, but in my situation I had to), it kept trying to re-create the keys on every plan even though they already existed.

Turns out it was just a misunderstanding of Google's IAM roles. I had granted Atlantis roles/iam.serviceAccountAdmin and assumed it covered everything around service accounts, including keys. It does not: that role manages the service accounts themselves (create, delete, update, set IAM policy) but carries no iam.serviceAccountKeys.* permissions. Creating, listing and deleting keys requires roles/iam.serviceAccountKeyAdmin.

Once the correct role was bound to Atlantis' service account, it stopped asking to re-create the keys 🙂 Without iam.serviceAccountKeys.get the refresh step could not read the existing keys, so Terraform treated each one as gone and planned to create it again. It would have been much easier to diagnose if that permission-denied error had shown up in the plan output.
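To make the fix concrete, here is an added Terraform example (not the post's own configuration) showing the binding that reproduces the symptom next to the one that resolves it. The project id, the Atlantis service account email and the `app-worker` account are assumed names; the grant is scoped to the single service account whose key Terraform manages rather than to the whole project.

```hcl
# Added example, not from the original post. Assumed names: project "my-project",
# Atlantis running as "atlantis@my-project.iam.gserviceaccount.com", and a key
# managed by Terraform for the application account "app-worker".

locals {
  project  = "my-project"                                  # assumed
  atlantis = "atlantis@my-project.iam.gserviceaccount.com" # assumed
}

# The service account whose key Atlantis is asked to manage.
resource "google_service_account" "app_worker" {
  project      = local.project
  account_id   = "app-worker" # assumed
  display_name = "Application worker"
}

# The key itself. Note that the private_key attribute is written to Terraform
# state, so the state backend must be locked down accordingly.
resource "google_service_account_key" "app_worker" {
  service_account_id = google_service_account.app_worker.name
}

# What the post started with: lets Atlantis create, update and delete service
# accounts, but grants no iam.serviceAccountKeys.* permissions. Refreshing the
# key resource above therefore fails, and Terraform plans to re-create the key
# on every run.
resource "google_project_iam_member" "atlantis_sa_admin" {
  project = local.project
  role    = "roles/iam.serviceAccountAdmin"
  member  = "serviceAccount:${local.atlantis}"
}

# The fix: key administration for Atlantis, granted on the one service account
# whose key Terraform manages instead of project-wide.
resource "google_service_account_iam_member" "atlantis_key_admin" {
  service_account_id = google_service_account.app_worker.name
  role               = "roles/iam.serviceAccountKeyAdmin"
  member             = "serviceAccount:${local.atlantis}"
}
```

After applying, a second `terraform plan` should report no changes for `google_service_account_key.app_worker`, and `gcloud iam service-accounts get-iam-policy app-worker@my-project.iam.gserviceaccount.com` should list the Atlantis account under roles/iam.serviceAccountKeyAdmin. One caveat on the least-privilege scoping: project-level roles/iam.serviceAccountAdmin already includes iam.serviceAccounts.setIamPolicy, so a compromised Atlantis could grant itself key access on any service account anyway; the scoped grant limits what Terraform does by default, not what the credential could do.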

