When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource is to add iam policy bindings to a service account resource, such as allowing the members to run operations as or modify the service account. To configure permissions for a service account on other GCP resources, use the google_project_iam set of resources.
Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:
google_service_account_iam_policy
: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.google_service_account_iam_binding
: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.google_service_account_iam_member
: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.data "google_iam_policy" "admin" {
binding {
role = "roles/iam.serviceAccountUser"
members = [
"user:jane@example.com",
]
}
}
resource "google_service_account" "sa" {
account_id = "my-service-account"
display_name = "A service account that only Jane can interact with"
}
resource "google_service_account_iam_policy" "admin-account-iam" {
service_account_id = google_service_account.sa.name
policy_data = data.google_iam_policy.admin.policy_data
}
resource "google_service_account" "sa" {
account_id = "my-service-account"
display_name = "A service account that only Jane can use"
}
resource "google_service_account_iam_binding" "admin-account-iam" {
service_account_id = google_service_account.sa.name
role = "roles/iam.serviceAccountUser"
members = [
"user:jane@example.com",
]
}
With IAM Conditions:
resource "google_service_account" "sa" {
account_id = "my-service-account"
display_name = "A service account that only Jane can use"
}
resource "google_service_account_iam_binding" "admin-account-iam" {
service_account_id = google_service_account.sa.name
role = "roles/iam.serviceAccountUser"
members = [
"user:jane@example.com",
]
condition {
title = "expires_after_2019_12_31"
description = "Expiring at midnight of 2019-12-31"
expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
}
}
data "google_compute_default_service_account" "default" {
}
resource "google_service_account" "sa" {
account_id = "my-service-account"
display_name = "A service account that Jane can use"
}
resource "google_service_account_iam_member" "admin-account-iam" {
service_account_id = google_service_account.sa.name
role = "roles/iam.serviceAccountUser"
member = "user:jane@example.com"
}
# Allow SA service account use the default GCE account
resource "google_service_account_iam_member" "gce-default-account-iam" {
service_account_id = data.google_compute_default_service_account.default.name
role = "roles/iam.serviceAccountUser"
member = "serviceAccount:${google_service_account.sa.email}"
}
With IAM Conditions:
resource "google_service_account" "sa" {
account_id = "my-service-account"
display_name = "A service account that Jane can use"
}
resource "google_service_account_iam_member" "admin-account-iam" {
service_account_id = google_service_account.sa.name
role = "roles/iam.serviceAccountUser"
member = "user:jane@example.com"
condition {
title = "expires_after_2019_12_31"
description = "Expiring at midnight of 2019-12-31"
expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
}
}
The following arguments are supported:
service_account_id
- (Required) The fully-qualified name of the service account to apply policy to.
member/members
- (Required) Identities that will be granted the privilege in role
.
Each entry can have one of the following values:
role
- (Required) The role that should be applied. Only one
google_service_account_iam_binding
can be used per role. Note that custom roles must be of the format
[projects|organizations]/{parent-name}/roles/{role-name}
.
policy_data
- (Required only by google_service_account_iam_policy
) The policy data generated by
a google_iam_policy
data source.
condition
- (Optional) An IAM Condition for a given binding.
Structure is documented below.
expression
- (Required) Textual representation of an expression in Common Expression Language syntax.
title
- (Required) A title for the expression, i.e. a short string describing its purpose.
description
- (Optional) An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
In addition to the arguments listed above, the following computed attributes are exported:
etag
- (Computed) The etag of the service account IAM policy.IAM member imports use space-delimited identifiers that contains the service_account_id
, role
, and member
. For example:
"projects/{{project_id}}/serviceAccounts/{{service_account_email}} roles/editor user:foo@example.com"
An import
block (Terraform v1.5.0 and later) can be used to import IAM members:
import {
id = "projects/{{project_id}}/serviceAccounts/{{service_account_email}} roles/editor user:foo@example.com"
to = google_service_account_iam_member.default
}
The terraform import
command can also be used:
$ terraform import google_service_account_iam_member.default "projects/{{project_id}}/serviceAccounts/{{service_account_email}} roles/editor user:foo@example.com"
IAM binding imports use space-delimited identifiers that contains the service_account_id
and role
. For example:
"projects/{{project_id}}/serviceAccounts/{{service_account_email}} roles/editor"
An import
block (Terraform v1.5.0 and later) can be used to import IAM bindings:
import {
id = "projects/{{project_id}}/serviceAccounts/{{service_account_email}} roles/editor"
to = google_service_account_iam_binding.default
}
The terraform import
command can also be used:
$ terraform import google_service_account_iam_binding.default "projects/{{project_id}}/serviceAccounts/{{service_account_email}} roles/editor"
IAM policy imports use the identifier of the Service Account resource in question. For example:
"projects/{{project_id}}/serviceAccounts/{{service_account_email}}"
An import
block (Terraform v1.5.0 and later) can be used to import IAM policies:
import {
id = "projects/{{project_id}}/serviceAccounts/{{service_account_email}}"
to = google_service_account_iam_policy.default
}
The terraform import
command can also be used:
$ terraform import google_service_account_iam_policy.default projects/{{project_id}}/serviceAccounts/{{service_account_email}}
Here are examples of importing IAM memberships and bindings that include conditions:
$ terraform import google_service_account_iam_binding.admin-account-iam "projects/{your-project-id}/serviceAccounts/{your-service-account-email} roles/iam.serviceAccountUser expires_after_2019_12_31"
$ terraform import google_service_account_iam_member.admin-account-iam "projects/{your-project-id}/serviceAccounts/{your-service-account-email} roles/iam.serviceAccountUser user:foo@example.com expires_after_2019_12_31"