
How do I grant permission to a google service account to list all projects using terraform?

We're using Terraform to manage our service accounts with Google and BigQuery. In order to list datasets and tables in our projects, we've elected to query a schema table using a service account:

select * from `region-us`.INFORMATION_SCHEMA.TABLE_STORAGE

This currently works, but only shows us tables from the project that this service account has access to. We'd like to see tables and datasets from across the organization, not just in the current project. Can Terraform grant read access to all projects in an organization?

I don't have much experience with terraform so any hints would be appreciated.

Yes, you can use Terraform to grant read access to all projects in an organization using the google_organization_iam_binding resource. This resource allows you to specify a role and a list of members to be granted that role within the organization.

You likely want to grant the roles/bigquery.dataViewer role to your service account which would give it read access to all projects in the organization:

resource "google_organization_iam_binding" "read" {
  role    = "roles/bigquery.dataViewer"
  members = ["serviceAccount:your-service-account@example.com"]
  org_id  = "1234567890"
}

You can also use the google_project_iam_member resource. This resource allows you to add IAM members (such as service accounts) to a project and assign them roles.

Here is an example of how you can grant a service account the Project Viewer role, which allows them to list all projects:

resource "google_project_iam_member" "service_account" {
  project = "my-project"
  role    = "roles/viewer"
  member  = "serviceAccount:service-account@example.com"
}
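The configuration below is an added example, not part of the answer above, showing the least-privilege form of the organization-wide grant. It assumes placeholder values for the organization ID (1234567890) and the project that owns the service account (my-project); the resource names and the service account ID bq-inventory are also assumptions. It uses google_organization_iam_member instead of google_organization_iam_binding because the binding resource is authoritative for the role: Terraform will remove every member of that role at the organization level that is not in its members list. It also grants roles/bigquery.metadataViewer rather than roles/bigquery.dataViewer, since listing datasets and tables needs only metadata permissions (bigquery.datasets.get, bigquery.tables.get, bigquery.tables.list) and does not require access to table contents.

```hcl
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 4.0"
    }
  }
}

# Assumed placeholder values; replace with your own.
variable "org_id" {
  description = "Numeric organization ID (assumed placeholder)"
  type        = string
  default     = "1234567890"
}

variable "project_id" {
  description = "Project that owns the inventory service account (assumed placeholder)"
  type        = string
  default     = "my-project"
}

# A dedicated service account for the inventory query, so the org-wide
# grant is not attached to an account that also does other work.
resource "google_service_account" "bq_inventory" {
  project      = var.project_id
  account_id   = "bq-inventory"
  display_name = "BigQuery inventory reader"
}

# Non-authoritative grant: google_organization_iam_member adds exactly one
# member to one role and leaves other members of that role alone.
# google_organization_iam_binding would instead replace the full member
# list of roles/bigquery.metadataViewer at the organization level.
#
# roles/bigquery.metadataViewer carries bigquery.datasets.get,
# bigquery.tables.get and bigquery.tables.list, which is what listing
# datasets and tables (and reading INFORMATION_SCHEMA metadata views)
# requires. It does not grant bigquery.tables.getData, so the account
# cannot read table contents.
resource "google_organization_iam_member" "bq_metadata" {
  org_id = var.org_id
  role   = "roles/bigquery.metadataViewer"
  member = "serviceAccount:${google_service_account.bq_inventory.email}"
}

# Running a query job also needs bigquery.jobs.create in the project the
# job is billed to. roles/bigquery.jobUser on the account's own project
# covers that; no organization-wide job permission is needed.
resource "google_project_iam_member" "bq_jobs" {
  project = var.project_id
  role    = "roles/bigquery.jobUser"
  member  = "serviceAccount:${google_service_account.bq_inventory.email}"
}

output "inventory_service_account" {
  value = google_service_account.bq_inventory.email
}
```

Two caveats when applying this. First, an organization-level grant covers every current and future project in the organization; if only a subtree is needed, google_folder_iam_member with a folder_id gives the same non-authoritative grant at folder scope. Second, the IAM grant alone does not change what `region-us`.INFORMATION_SCHEMA.TABLE_STORAGE returns: that view is scoped to the project the query runs in. The organization-scoped variant is `region-us`.INFORMATION_SCHEMA.TABLE_STORAGE_BY_ORGANIZATION, which lists tables across the organization for the projects the caller has metadata permissions on.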
