diff --git a/README.md b/README.md
index b4a5075..8655a45 100644
--- a/README.md
+++ b/README.md
@@ -108,6 +108,8 @@ This will emit an MQTT event with the topic as your event type for all your cont
 You can deploy this repo on GCP using Terraform.
-To do so, you first need to create a GCP project and get a credentials file stored at `terraform/creds.json`.
+To do so, you first need to create a GCP project.
+
+Once done, run `PROJECT_ID= terraform/init.sh` to enable the required Google APIs, create a service account, and download the credentials file.
 Then, simply run `terraform apply -var-file variables.tfvars`.
diff --git a/terraform/init.sh b/terraform/init.sh
new file mode 100755
index 0000000..e83b690
--- /dev/null
+++ b/terraform/init.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+set -e
+
+if [[ -z "$PROJECT_ID" ]]; then
+ echo "Must provide PROJECT_ID in environment" 1>&2
+ exit 1
+fi
+
+echo "Setting project:"
+gcloud config set project $PROJECT_ID
+
+echo "Enabling GCP APIs (be patient):"
+gcloud services enable \
+ artifactregistry.googleapis.com \
+ cloudbuild.googleapis.com \
+ cloudresourcemanager.googleapis.com \
+ compute.googleapis.com \
+ iam.googleapis.com \
+ run.googleapis.com \
+ servicenetworking.googleapis.com \
+ sqladmin.googleapis.com \
+ vpcaccess.googleapis.com
+
+echo "Creating service account:"
+gcloud iam service-accounts create terraform
+
+service_account_name="terraform@$PROJECT_ID.iam.gserviceaccount.com"
+
+script_dir=$(dirname -- "$(readlink -f -- "$BASH_SOURCE")")
+
+gcloud iam service-accounts keys create \
+ "$script_dir/creds.json" \
+ --iam-account $service_account_name
+
+gcloud projects add-iam-policy-binding $PROJECT_ID \
+ --member serviceAccount:$service_account_name \
+ --role roles/editor
+
+# https://stackoverflow.com/a/61250654
+gcloud projects add-iam-policy-binding $PROJECT_ID \
+ --member serviceAccount:$service_account_name \
+ --role roles/run.admin
+
+# https://serverfault.com/questions/942115
+gcloud projects add-iam-policy-binding $PROJECT_ID \
+ --member serviceAccount:$service_account_name \
+ --role roles/compute.networkAdmin
+
+# https://stackoverflow.com/a/54351644
+gcloud projects add-iam-policy-binding $PROJECT_ID \
+ --member serviceAccount:$service_account_name \
+ --role roles/servicenetworking.serviceAgent
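Review bot: The script is not re-runnable and mints a new long-lived key on every run: `gcloud iam service-accounts create terraform` returns non-zero once the account exists, so under `set -e` a second invocation aborts before the role bindings are (re)applied, and if it did get past that point `keys create` would write yet another key for an account that holds `roles/editor` plus the three admin roles below. That key file in `$script_dir/creds.json` is the highest-value secret this repo produces, so it should be created at most once per checkout with restrictive permissions, and it is worth confirming it is excluded from version control (I cannot see a `.gitignore` in this diff); whether `roles/editor` is still needed alongside the narrower roles is also worth checking against what the Terraform config actually manages. As a style point, `$PROJECT_ID` and `$service_account_name` are unquoted in every `gcloud` call; `"$PROJECT_ID"` and `"$service_account_name"` keep shellcheck quiet and match the quoting already used on `$BASH_SOURCE`. Guarding the account creation with `describe` and the key creation with an existence check makes the script idempotent:
```shell
service_account_name="terraform@$PROJECT_ID.iam.gserviceaccount.com"
script_dir=$(dirname -- "$(readlink -f -- "$BASH_SOURCE")")
key_file="$script_dir/creds.json"

# Re-runnable: only create the account when it does not exist yet.
if ! gcloud iam service-accounts describe "$service_account_name" >/dev/null 2>&1; then
  echo "Creating service account:"
  gcloud iam service-accounts create terraform
fi

# One long-lived key per checkout: do not mint another on every run,
# and keep the file owner-readable only.
if [[ -e "$key_file" ]]; then
  echo "Reusing existing key at $key_file" 1>&2
else
  (umask 077 && gcloud iam service-accounts keys create "$key_file" --iam-account "$service_account_name")
fi
# … unchanged: add-iam-policy-binding calls (quote "$PROJECT_ID" and "$service_account_name") …
```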