IAM policy for Service Account

When managing IAM roles, you can treat a service account either as a resource or as an identity. The resources on this page add IAM policy bindings to a service account resource, for example to allow members to run operations as the service account or to modify it. To configure permissions for a service account on other GCP resources, use the google_project_iam set of resources.

Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:

google_service_account_iam_policy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.
google_service_account_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.
google_service_account_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.

Note: google_service_account_iam_policy cannot be used in conjunction with google_service_account_iam_binding and google_service_account_iam_member or they will fight over what your policy should be.

Note: google_service_account_iam_binding resources can be used in conjunction with google_service_account_iam_member resources only if they do not grant privilege to the same role.

google_service_account_iam_policy

data "google_iam_policy" "admin" {
  binding {
    role = "roles/iam.serviceAccountUser"

    members = [
      "user:jane@example.com",
    ]
  }
}

resource "google_service_account" "sa" {
  account_id   = "my-service-account"
  display_name = "A service account that only Jane can interact with"
}

resource "google_service_account_iam_policy" "admin-account-iam" {
  service_account_id = google_service_account.sa.name
  policy_data        = data.google_iam_policy.admin.policy_data
}

google_service_account_iam_binding

resource "google_service_account" "sa" {
  account_id   = "my-service-account"
  display_name = "A service account that only Jane can use"
}

resource "google_service_account_iam_binding" "admin-account-iam" {
  service_account_id = google_service_account.sa.name
  role               = "roles/iam.serviceAccountUser"

  members = [
    "user:jane@example.com",
  ]
}

With IAM Conditions:

resource "google_service_account" "sa" {
  account_id   = "my-service-account"
  display_name = "A service account that only Jane can use"
}

resource "google_service_account_iam_binding" "admin-account-iam" {
  service_account_id = google_service_account.sa.name
  role               = "roles/iam.serviceAccountUser"

  members = [
    "user:jane@example.com",
  ]

  condition {
    title       = "expires_after_2019_12_31"
    description = "Expiring at midnight of 2019-12-31"
    expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
  }
}

google_service_account_iam_member

data "google_compute_default_service_account" "default" {
}

resource "google_service_account" "sa" {
  account_id   = "my-service-account"
  display_name = "A service account that Jane can use"
}

resource "google_service_account_iam_member" "admin-account-iam" {
  service_account_id = google_service_account.sa.name
  role               = "roles/iam.serviceAccountUser"
  member             = "user:jane@example.com"
}

# Allow the service account above to act as the default GCE service account
resource "google_service_account_iam_member" "gce-default-account-iam" {
  service_account_id = data.google_compute_default_service_account.default.name
  role               = "roles/iam.serviceAccountUser"
  member             = "serviceAccount:${google_service_account.sa.email}"
}

With IAM Conditions:

resource "google_service_account" "sa" {
  account_id   = "my-service-account"
  display_name = "A service account that Jane can use"
}

resource "google_service_account_iam_member" "admin-account-iam" {
  service_account_id = google_service_account.sa.name
  role               = "roles/iam.serviceAccountUser"
  member             = "user:jane@example.com"

  condition {
    title       = "expires_after_2019_12_31"
    description = "Expiring at midnight of 2019-12-31"
    expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
  }
}
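The three resources differ in whether they replace the service account's policy or only add to it, and a binding without a condition grants roles/iam.serviceAccountUser indefinitely. As an added example that is not part of the provider docs, this Python check reads `terraform show -json tfplan` output (a constructed sample is embedded; the project id and service account emails are placeholders) and flags an authoritative google_service_account_iam_policy planned alongside binding or member resources on the same service account, plus any roles/iam.serviceAccountUser grant that has no condition block.

```python
import json

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# fields this check reads; the project id and emails are placeholders.
SA_A = "projects/demo-project/serviceAccounts/sa@demo-project.iam.gserviceaccount.com"
SA_B = "projects/demo-project/serviceAccounts/ci@demo-project.iam.gserviceaccount.com"
PLAN_JSON = json.dumps({"resource_changes": [
    {"address": "google_service_account_iam_policy.admin-account-iam",
     "type": "google_service_account_iam_policy",
     "change": {"actions": ["create"],
                "after": {"service_account_id": SA_A, "policy_data": "{}"}}},
    {"address": "google_service_account_iam_member.admin-account-iam",
     "type": "google_service_account_iam_member",
     "change": {"actions": ["create"],
                "after": {"service_account_id": SA_A, "role": "roles/iam.serviceAccountUser",
                          "member": "user:jane@example.com", "condition": []}}},
    {"address": "google_service_account_iam_binding.ci",
     "type": "google_service_account_iam_binding",
     "change": {"actions": ["create"],
                "after": {"service_account_id": SA_B, "role": "roles/iam.serviceAccountUser",
                          "members": ["user:jane@example.com"],
                          "condition": [{"title": "expires_after_2019_12_31",
                                         "expression": 'request.time < timestamp("2020-01-01T00:00:00Z")'}]}}},
]})

POLICY = "google_service_account_iam_policy"      # authoritative: replaces the whole policy
ADDITIVE = ("google_service_account_iam_binding",  # authoritative for one role only
            "google_service_account_iam_member")   # adds one member to one role

def check_plan(plan_json: str) -> list[str]:
    """Return one finding per problem: an iam_policy planned together with
    binding/member resources on the same service account (each apply would
    overwrite the other), and any unconditioned serviceAccountUser grant."""
    findings = []
    per_sa: dict[str, dict[str, list[str]]] = {}
    for rc in json.loads(plan_json)["resource_changes"]:
        if rc["type"] not in (POLICY, *ADDITIVE) or rc["change"]["actions"] == ["delete"]:
            continue
        after = rc["change"].get("after") or {}
        # service_account_id is unknown until apply when the SA is created in the same plan
        sa = after.get("service_account_id") or f"(unknown until apply: {rc['address']})"
        per_sa.setdefault(sa, {}).setdefault(rc["type"], []).append(rc["address"])
        if rc["type"] in ADDITIVE and after.get("role") == "roles/iam.serviceAccountUser" \
                and not after.get("condition"):
            findings.append(f"{rc['address']}: unconditioned roles/iam.serviceAccountUser on {sa}")
    for sa, by_type in per_sa.items():
        additive = [a for t in ADDITIVE for a in by_type.get(t, [])]
        if POLICY in by_type and additive:
            findings.append(f"{sa}: authoritative {by_type[POLICY][0]} conflicts with {', '.join(additive)}")
    return findings
```

Run it in CI against the real plan JSON and fail the pipeline on any finding; a grant that must outlive a condition should be an explicit, reviewed exception rather than the default.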

Argument Reference

The following arguments are supported:

service_account_id - (Required) The fully-qualified name of the service account to apply the policy to, as exported by google_service_account.name (projects/{{project_id}}/serviceAccounts/{{service_account_email}} in the import examples below).
role - (Required for google_service_account_iam_binding and google_service_account_iam_member) The role that should be applied, e.g. roles/iam.serviceAccountUser. Only one google_service_account_iam_binding can be used per role. Custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.
members / member - (Required for google_service_account_iam_binding / google_service_account_iam_member) Identities that will be granted the privilege in role. Each entry can have one of the following values: allUsers, allAuthenticatedUsers, user:{emailid}, serviceAccount:{emailid}, group:{emailid}, domain:{domain}.
policy_data - (Required for google_service_account_iam_policy) The policy data generated by a google_iam_policy data source.
condition - (Optional, google_service_account_iam_binding and google_service_account_iam_member only) An IAM Condition for the binding. Structure is documented below.

The condition block supports:

expression - (Required) Textual representation of an expression in Common Expression Language syntax.
title - (Required) A title for the expression, i.e. a short summary describing its purpose.
description - (Optional) A longer description of the expression, e.g. shown when it is hovered over in a UI.

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

etag - (Computed) The etag of the service account IAM policy.

Import

Importing IAM members

IAM member imports use space-delimited identifiers that contain the service_account_id, role, and member. For example:

An import block (Terraform v1.5.0 and later) can be used to import IAM members:

import {
  id = "projects/{{project_id}}/serviceAccounts/{{service_account_email}} roles/editor user:foo@example.com"
  to = google_service_account_iam_member.default
}

The terraform import command can also be used:

$ terraform import google_service_account_iam_member.default "projects/{{project_id}}/serviceAccounts/{{service_account_email}} roles/editor user:foo@example.com"

Importing IAM bindings

IAM binding imports use space-delimited identifiers that contain the service_account_id and role. For example:

An import block (Terraform v1.5.0 and later) can be used to import IAM bindings:

import {
  id = "projects/{{project_id}}/serviceAccounts/{{service_account_email}} roles/editor"
  to = google_service_account_iam_binding.default
}

The terraform import command can also be used:

$ terraform import google_service_account_iam_binding.default "projects/{{project_id}}/serviceAccounts/{{service_account_email}} roles/editor"

Importing IAM policies

IAM policy imports use the identifier of the Service Account resource in question. For example:

An import block (Terraform v1.5.0 and later) can be used to import IAM policies:

import {
  id = "projects/{{project_id}}/serviceAccounts/{{service_account_email}}"
  to = google_service_account_iam_policy.default
}

The terraform import command can also be used:

$ terraform import google_service_account_iam_policy.default projects/{{project_id}}/serviceAccounts/{{service_account_email}}

Importing with conditions:

Here are examples of importing IAM memberships and bindings that include conditions:

$ terraform import google_service_account_iam_binding.admin-account-iam "projects/{your-project-id}/serviceAccounts/{your-service-account-email} roles/iam.serviceAccountUser expires_after_2019_12_31"

$ terraform import google_service_account_iam_member.admin-account-iam "projects/{your-project-id}/serviceAccounts/{your-service-account-email} roles/iam.serviceAccountUser user:foo@example.com expires_after_2019_12_31"
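The import identifiers above are whitespace-separated, so only the target resource type tells a 3-token id apart (a member without a condition versus a binding with one). As an added example that is not part of the provider docs, this Python parser validates an import id against its resource address and splits it into its parts; the project id and email in the test values are placeholders.

```python
import re

# Shape of the first token in every google_service_account_iam_* import id.
SA_ID_RE = re.compile(r"^projects/[^/\s]+/serviceAccounts/[^/\s@]+@[^/\s]+$")

# Tokens each resource type takes after the service account id, and whether a
# trailing IAM condition title may follow (policies carry no condition).
SHAPES = {
    "google_service_account_iam_policy": ((), False),
    "google_service_account_iam_binding": (("role",), True),
    "google_service_account_iam_member": (("role", "member"), True),
}

def parse_import_id(resource_address: str, import_id: str) -> dict:
    """Split an import id the way `terraform import` would for the given
    resource address. The type is needed to disambiguate: a 3-token id is a
    binding WITH a condition title or a member WITHOUT one."""
    rtype = resource_address.split(".", 1)[0]
    if rtype not in SHAPES:
        raise ValueError(f"not a service account IAM resource: {resource_address}")
    fields, allows_condition = SHAPES[rtype]
    tokens = import_id.split()
    if not tokens or not SA_ID_RE.match(tokens[0]):
        raise ValueError("import id must start with projects/{project_id}/serviceAccounts/{email}")
    want = 1 + len(fields)
    if len(tokens) != want and not (allows_condition and len(tokens) == want + 1):
        raise ValueError(f"{rtype} expects {want} tokens plus an optional condition title, got {len(tokens)}")
    parsed = {"resource_type": rtype, "service_account_id": tokens[0]}
    parsed.update(zip(fields, tokens[1:want]))
    if "role" in parsed and not (parsed["role"].startswith("roles/") or "/roles/" in parsed["role"]):
        raise ValueError(f"malformed role: {parsed['role']}")
    if "member" in parsed and ":" not in parsed["member"] \
            and parsed["member"] not in ("allUsers", "allAuthenticatedUsers"):
        raise ValueError(f"malformed member: {parsed['member']}")
    # The optional last token is the condition title, matched against the
    # condition's title in the existing policy, not its expression.
    parsed["condition_title"] = tokens[want] if len(tokens) > want else None
    return parsed
```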