IAM policy for service account

When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource is to add iam policy bindings to a service account resource to configure permissions for who can edit the service account. To configure permissions for a service account to act as an identity that can manage other GCP resources, use the google_project_iam set of resources.

Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:

• google_service_account_iam_policy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.
• google_service_account_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.
• google_service_account_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.

Note: google_service_account_iam_policy cannot be used in conjunction with google_service_account_iam_binding and google_service_account_iam_member or they will fight over what your policy should be.

Note: google_service_account_iam_binding resources can be used in conjunction with google_service_account_iam_member resources only if they do not grant privilege to the same role.

google_service_account_iam_policy

data "google_iam_policy" "admin" {
  binding {
    role = "roles/editor"

    members = [
      "user:[email protected]",
    ]
  }
}

resource "google_service_account_iam_policy" "admin-account-iam" {
    service_account_id = "your-service-account-id"
    policy_data = "${data.google_iam_policy.admin.policy_data}"
}

google_service_account_iam_binding

resource "google_service_account_iam_binding" "admin-account-iam" {
  service_account_id = "your-service-account-id"
  role        = "roles/editor"

  members = [
    "user:[email protected]",
  ]
}

google_service_account_iam_member

resource "google_service_account_iam_member" "admin-account-iam" {
  service_account_id = "your-service-account-id"
  role        = "roles/editor"
  member      = "user:[email protected]"
}

Argument Reference

The following arguments are supported:

• service_account_id - (Required) The service account id to apply policy to.

• member/members - (Required) Identities that will be granted the privilege in role. Each entry can have one of the following values:

  • allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account.
  • allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account.
  • user:{emailid}: An email address that represents a specific Google account. For example, [email protected] or [email protected].
  • serviceAccount:{emailid}: An email address that represents a service account. For example, [email protected].
  • group:{emailid}: An email address that represents a Google group. For example, [email protected].
  • domain:{domain}: A Google Apps domain name that represents all the users of that domain. For example, google.com or example.com.

• role - (Required) The role that should be applied. Only one google_service_account_iam_binding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

• policy_data - (Required only by google_service_account_iam_policy) The policy data generated by a google_iam_policy data source.

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

• etag - (Computed) The etag of the service account IAM policy.

Import

Service account IAM resources can be imported using the project, service account email, role and member.

$ terraform import google_service_account_iam_policy.admin-account-iam projects/{your-project-id}/serviceAccounts/{your-service-account-email}

$ terraform import google_service_account_iam_binding.admin-account-iam "projects/{your-project-id}/serviceAccounts/{your-service-account-email} roles/editor"

$ terraform import google_service_account_iam_member.admin-account-iam "projects/{your-project-id}/serviceAccounts/{your-service-account-email} roles/editor [email protected]"