Azure DevOps to GCP Handshake
Date posted: 2026-01-10
Objective: Configure a secure, automated service connection between Azure DevOps (ADO) and Google Cloud Platform (GCP) for Terraform orchestration.
1. GCP Service Account Configuration
- Service Account Creation: Defined a dedicated identity within the target GCP project specifically for ADO automation.
- IAM Role Assignment:
  - Editor: minimum requirement for resource lifecycle management.
  - Project IAM Admin: required for Terraform to manage service accounts or granular permissions.
- Key Generation: Exported a JSON key file for external authentication.
2. Azure DevOps Service Connection
- Connection Type: Integrated via Project Settings -> Service Connections -> Google Cloud Platform.
- Authentication: Uploaded the GCP JSON Service Account key into the ADO secure credential store.
- Verification: Executed connection validation within ADO to confirm active communication with the GCP API.
3. Terraform Provider Configuration
- Authentication Logic: Configured the google provider to ingest credentials via ADO environment variables rather than local file paths.
- Code Implementation:

  # Project and region arrive as TF_VAR_* environment variables from the pipeline.
  variable "gcp_project_id" { type = string }
  variable "gcp_region"     { type = string }

  # No credentials argument: the google provider reads the key from the
  # environment exported by the ADO pipeline (e.g. GOOGLE_CREDENTIALS).
  provider "google" {
    project = var.gcp_project_id
    region  = var.gcp_region
  }
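As an added example (not from the original post) of the "environment variables rather than local file paths" approach, the pipeline step below validates the key delivered from the ADO secure store and exports it for the provider block above without writing a key file on the agent. The function names, the secret variable names and the sample key are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. The key coming from the ADO secure
# store is handed to the google provider through GOOGLE_CREDENTIALS (the provider
# accepts the JSON contents in that variable), so nothing is written to disk.

# Constructed sample: the shape of a GCP service-account JSON key with
# placeholder values only; nothing here is a real credential.
SAMPLE_KEY='{
  "type": "service_account",
  "project_id": "example-project-123",
  "private_key_id": "PLACEHOLDER_KEY_ID",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
  "client_email": "ado-terraform@example-project-123.iam.gserviceaccount.com",
  "token_uri": "https://oauth2.googleapis.com/token"
}'

# Extract a top-level string field ($2) from the key JSON ($1). The key file is
# flat, one field per line, so a line-oriented sed is sufficient here.
json_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Returns 0 only if $1 is a service-account key bound to the expected project $2.
# Catches a user credential or the wrong project's key mapped into the secret.
validate_sa_key() {
  [ "$(json_field "$1" type)" = "service_account" ] \
    || { echo "rejected: not a service-account key" >&2; return 1; }
  [ "$(json_field "$1" project_id)" = "$2" ] \
    || { echo "rejected: key belongs to a different project" >&2; return 1; }
  json_field "$1" client_email | grep -q "@$2"'\.iam\.gserviceaccount\.com$' \
    || { echo "rejected: client_email does not match project" >&2; return 1; }
}

# Exports what the provider block and its variables need, keeping the key in
# memory: GOOGLE_CREDENTIALS carries the JSON; TF_VAR_* feed the Terraform vars.
export_gcp_env() {
  validate_sa_key "$1" "$2" || return 1
  export GOOGLE_CREDENTIALS="$1"
  export TF_VAR_gcp_project_id="$2"
  export TF_VAR_gcp_region="$3"
  # Drop any file-path credential left by an earlier step so one source is active.
  unset GOOGLE_APPLICATION_CREDENTIALS
}

# In the pipeline the first argument is the secret mapped from the ADO store, e.g.
#   export_gcp_env "$GCP_SA_KEY" "$GCP_PROJECT" "$GCP_REGION" && terraform init && terraform plan
export_gcp_env "$SAMPLE_KEY" "example-project-123" "us-central1" && echo "pre-flight ok"
```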
4. Technical Rationale ("The Why")
- Security: JSON keys are stored in ADO’s encrypted vault; no credentials or sensitive paths are hardcoded in the source repositories.
- Headless Automation: Enables the ADO pipeline to act as a fully automated administrator for the GCP project.
- State Management: Prepared the architecture for remote state backend integration (GCS) by establishing the initial API handshake.
- Note: I know Workload Identity Federation is the preferred way to authenticate between cloud providers, but I wanted to mimic work as closely as possible. Going forward I will set up Workload Identity Federation.
This documentation was generated through an iterative AI process, refined by the author for technical accuracy and clarity.