Atlantis is a great tool for doing Terraform infrastructure-as-code and GitOps together. I got it set up and running alright, but when I let it manage some service account keys (I know, not the best option, but in my situation I had to), it kept trying to re-create them even though the keys already existed.
Turns out it’s just a silly misunderstanding of Google’s IAM roles. I granted Atlantis iam.serviceAccountAdmin and thought this would handle everything around service accounts, including keys. However, the actual role needed is
After the correct role is bound to Atlantis’ service account it doesn’t ask to re-create the keys anymore 🙂 I think it would be easier if the permission-denied errors were shown in the output.
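As an added example (not code from the post), here is a Terraform layout for the setup described: Atlantis’ own service account, its account-level binding kept separate from its key-level binding, and a key that Atlantis manages. var.project_id and var.key_admin_role are assumed inputs; the post does not name the key-management role, so it is left as a variable to fill in.

```hcl
# Constructed example: the service account Atlantis runs as.
resource "google_service_account" "atlantis" {
  project      = var.project_id # assumed input variable
  account_id   = "atlantis"
  display_name = "Atlantis Terraform runner"
}

# Account-level administration (create/update/delete service accounts).
# This is the binding the post started with; on its own it does not
# let Atlantis read or create service account keys.
resource "google_project_iam_member" "atlantis_sa_admin" {
  project = var.project_id
  role    = "roles/iam.serviceAccountAdmin"
  member  = "serviceAccount:${google_service_account.atlantis.email}"
}

# Key-level administration as a separate binding. The post does not
# name the role it found necessary, so it is supplied as a variable.
resource "google_project_iam_member" "atlantis_key_admin" {
  project = var.project_id
  role    = var.key_admin_role # assumed input variable
  member  = "serviceAccount:${google_service_account.atlantis.email}"
}

# Constructed example: a workload account whose key Atlantis manages.
resource "google_service_account" "app" {
  project      = var.project_id
  account_id   = "app-runtime"
  display_name = "Application runtime account"
}

resource "google_service_account_key" "app" {
  service_account_id = google_service_account.app.name
}

# The private key lands in Terraform state; mark the output sensitive
# so it is not echoed into Atlantis' pull-request comments.
output "app_key" {
  value     = google_service_account_key.app.private_key
  sensitive = true
}
```

Because the key material is stored in state, the state backend itself needs the same access controls as the key.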