Terraform GCP Assign IAM roles to service account
I'm using the following:
resource "google_service_account" "store_user" {
  account_id   = "store-user"
  display_name = "Storage User"
}
resource "google_project_iam_binding" "store_user" {
  project = var.project_id
  role    = "roles/storage.admin"
  members = [
    "serviceAccount:${google_service_account.store_user.email}"
  ]
}
Which works well, in that it creates the SA and assigns it the storage admin role. Great. But I need to give this SA about 4 roles. I have tried all manner of things, including using a data block with repeating bindings/roles blocks like this:
data "google_iam_policy" "store_user_roles" {
  binding {
    role = "roles/storage.admin"
    members = [
      "serviceAccount:${google_service_account.store_user.email}",
    ]
  }
  binding {
    role = "roles/pubsub.admin"
    members = [
      "serviceAccount:${google_service_account.store_user.email}",
    ]
  }
}
Oddly, that runs, but the SA does not get the roles/permissions. I've tried various other examples I've found here and there but with no success. Can someone please give me a shove in the right direction for how to accomplish this?

// Update. The following did work for me:
resource "google_project_iam_binding" "storage-iam" {
  project = var.project_id
  role    = "roles/storage.admin"
  members = [
    "serviceAccount:${google_service_account.store_user.email}",
  ]
}
resource "google_project_iam_binding" "pubsub-iam" {
  project = var.project_id
  role    = "roles/pubsub.admin"
  members = [
    "serviceAccount:${google_service_account.store_user.email}",
  ]
}
Another alternate would be to use a loop. Here is some sample code using a count loop.
variables.tf
variable "rolesList" {
  type    = list(string)
  default = ["roles/storage.admin", "roles/pubsub.admin"]
}
service-account.tf
resource "google_service_account" "store_user" {
  account_id   = "store-user"
  display_name = "Storage User"
}
resource "google_project_iam_binding" "store_user" {
  project = var.project_id
  count   = length(var.rolesList)
  role    = var.rolesList[count.index]
  members = [
    "serviceAccount:${google_service_account.store_user.email}"
  ]
}
Please note that when using a count loop, Terraform maintains a map of indexes to values in the state file. In simpler terms, if you remove the 1st element from the list simply because we don't want the role, then Terraform will remove all the elements from index 2 (of the older list) and then apply them back.
Also, I prefer using google_project_iam_member instead of google_project_iam_binding, because when using google_project_iam_binding, if there are any users or SAs created outside of Terraform bound to the same role, GCP would remove them on future runs (TF Apply).
I think this is achieved with this resource:
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam
So with your code, minus the data sources, alter to taste:
resource "google_service_account_iam_binding" "storage-iam" {
  service_account_id = google_service_account.store_user.name
  role               = "roles/storage.admin"
  members = [
    "serviceAccount:${google_service_account.store_user.email}",
  ]
}
resource "google_service_account_iam_binding" "pubsub-iam" {
  service_account_id = google_service_account.store_user.name
  role               = "roles/pubsub.admin"
  members = [
    "serviceAccount:${google_service_account.store_user.email}",
  ]
}
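Added example, not code from the question or from either answer, pulling together the two points the answers raise: the index-shift problem with count, and the difference between authoritative binding resources and non-authoritative member resources. It uses for_each over a set keyed by the role string, so removing one role destroys only that one grant, and google_project_iam_member, so members of the same role that were granted outside Terraform are left alone. It also shows, for contrast, what the google_service_account_iam_* resources from the last answer actually manage: the IAM policy of the service account resource itself (who may act as or administer that SA), not the SA's permissions on project resources such as buckets or topics. For completeness, the data "google_iam_policy" block in the question only renders a policy document; nothing applies it unless a google_project_iam_policy resource references it, and that resource is authoritative for the entire project policy, which is why the member form is the usual choice. Assumptions: var.project_id as in the question; var.deployer_member and the group address in its default are constructed placeholders; the role names are real GCP predefined roles.

```hcl
# Added example (not from the question or the answers).
# Assumed: var.project_id exists as in the question; var.deployer_member is a
# constructed placeholder for whichever principal is allowed to use the SA.

variable "project_id" {
  type = string
}

variable "deployer_member" {
  type        = string
  description = "Principal allowed to act as the SA (constructed placeholder value)."
  default     = "group:deployers@example.com"
}

# Project-level roles the SA needs. A set is keyed by the role string itself,
# so dropping one entry later destroys only that grant; the remaining grants
# keep their keys and are not destroyed and recreated as they would be with
# count and a list index.
variable "store_user_roles" {
  type = set(string)
  default = [
    "roles/storage.admin", # the roles from the question; narrower roles such as
    "roles/pubsub.admin",  # roles/storage.objectAdmin or roles/pubsub.publisher
  ]                        # usually suffice and are preferable
}

resource "google_service_account" "store_user" {
  account_id   = "store-user"
  display_name = "Storage User"
}

# Non-authoritative: adds exactly one (role, member) pair per instance and
# leaves any other members of the same role, granted outside Terraform,
# untouched. google_project_iam_binding would instead replace the whole
# member list of the role on every apply.
resource "google_project_iam_member" "store_user" {
  for_each = var.store_user_roles

  project = var.project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.store_user.email}"
}

# IAM on the service account resource itself: this controls who may act as
# (impersonate) the SA. It does not grant the SA any permission in the
# project; that is what the google_project_iam_member resources above do.
resource "google_service_account_iam_member" "store_user_actor" {
  service_account_id = google_service_account.store_user.name
  role               = "roles/iam.serviceAccountUser"
  member             = var.deployer_member
}
```

A quick check after adopting this pattern: remove one role from store_user_roles and run terraform plan. The plan should show a single google_project_iam_member destroy and no changes to the other grants; with the count version it shows a destroy and recreate for every element after the removed one.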