@peakBreaker
Last active December 9, 2019 14:56
Terraform GCP IAM

```hcl
resource "google_service_account" "sa" {
  account_id   = "my-service-account"
  display_name = "A service account that Jane can use, with some pubsub capabilities"
}

# The default GCE service account is looked up, not created, so it needs a data source
# (this declaration was missing from the original snippet; the project is taken from the provider)
data "google_compute_default_service_account" "default" {}

# Allow SA service account use of the default GCE account
# https://www.terraform.io/docs/providers/google/r/google_service_account_iam.html
resource "google_service_account_iam_member" "gce-default-account-iam" {
  service_account_id = data.google_compute_default_service_account.default.name
  role               = "roles/iam.serviceAccountUser"
  member             = "serviceAccount:${google_service_account.sa.email}"
}

# Give some role to a serviceaccount in a project - conditions are in BETA
# https://www.terraform.io/docs/providers/google/r/google_project_iam.html
resource "google_project_iam_member" "project" {
  project = "your-project-id"
  role    = "roles/editor"
  member  = "serviceAccount:${google_service_account.sa.email}"
  condition {
    title       = "expires_after_2019_12_31"
    description = "Expiring at midnight of 2019-12-31"
    expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
  }
}

# Most resources have IAM settings as resources, for example pubsub subscriptions
# https://www.terraform.io/docs/providers/google/r/pubsub_subscription_iam.html
resource "google_pubsub_subscription_iam_member" "editor" {
  project      = "your-project"
  subscription = "your-subscription-name"
  role         = "roles/editor"
  member       = "serviceAccount:${google_service_account.sa.email}"
  #member = "user:jane@example.com"
  #member = "group:jane@example.com"
  #member = "domain:jane@example.com"
}
```
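Three things in the bindings above are worth a second look before `terraform apply`: `roles/editor` is a basic (primitive) role, far broader than a predefined role such as a Pub/Sub-specific one scoped to the subscription; `roles/iam.serviceAccountUser` on the default GCE account lets the new service account act as that account, so its effective privilege is whatever the default account holds; and the IAM condition expires at `2020-01-01T00:00:00Z`, which is already in the past. The following scanner is an added example, not part of the gist: it walks `*_iam_member` resources in an HCL string with regular expressions (sufficient for the shapes used here; a real pipeline would parse `terraform show -json` instead) and tags each binding with those review points. The sample input is constructed from the gist's bindings with placeholder project and subscription names.

```python
"""Flag broad roles, act-as grants and stale IAM conditions in Terraform GCP bindings."""
import re
from dataclasses import dataclass, field
from datetime import datetime

# GCP basic (primitive) roles: project-wide and broader than any predefined role.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Granting either of these on a service account lets the member act as that account.
ACT_AS_ROLES = {"roles/iam.serviceAccountUser", "roles/iam.serviceAccountTokenCreator"}

# Constructed sample: the gist's bindings, with placeholder project/subscription names.
SAMPLE_HCL = r'''
resource "google_service_account_iam_member" "gce-default-account-iam" {
  service_account_id = data.google_compute_default_service_account.default.name
  role               = "roles/iam.serviceAccountUser"
  member             = "serviceAccount:${google_service_account.sa.email}"
}

resource "google_project_iam_member" "project" {
  project = "your-project-id"
  role    = "roles/editor"
  member  = "serviceAccount:${google_service_account.sa.email}"
  condition {
    title      = "expires_after_2019_12_31"
    expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
  }
}

resource "google_pubsub_subscription_iam_member" "editor" {
  project      = "your-project"
  subscription = "your-subscription-name"
  role         = "roles/editor"
  member       = "serviceAccount:${google_service_account.sa.email}"
}
'''

# One resource block per match; the body ends at the first closing brace in column 0,
# so an indented `condition { ... }` block stays inside the body.
RESOURCE_RE = re.compile(r'resource\s+"(google_\w+_iam_member)"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
ATTR_RE = r'\b{}\s*=\s*"([^"]+)"'
# Matches the `request.time < timestamp(\"...\")` expiry idiom, quotes escaped or not.
EXPIRY_RE = re.compile(r'request\.time\s*<\s*timestamp\(\\?"([0-9T:Z+\-]+)\\?"\)')


@dataclass
class Finding:
    name: str
    resource_type: str
    role: str
    member: str
    issues: list = field(default_factory=list)


def _attr(body, key):
    m = re.search(ATTR_RE.format(key), body)
    return m.group(1) if m else ""


def _parse_ts(ts):
    # fromisoformat only accepts a trailing "Z" from Python 3.11 on, so normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def scan(hcl, now_iso="2024-01-01T00:00:00Z"):
    """Return one Finding per *_iam_member resource, tagged with points a reviewer should check."""
    now = _parse_ts(now_iso)
    findings = []
    for rtype, name, body in RESOURCE_RE.findall(hcl):
        f = Finding(name, rtype, _attr(body, "role"), _attr(body, "member"))
        if f.role in BASIC_ROLES:
            f.issues.append("basic-role")  # prefer a predefined role scoped to the resource
        if f.role in ACT_AS_ROLES:
            f.issues.append("act-as-grant")  # member inherits what the target account can do
        m = EXPIRY_RE.search(body)
        if m and _parse_ts(m.group(1)) <= now:
            f.issues.append(f"expired-condition:{m.group(1)}")  # binding no longer grants anything
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_HCL):
        print(f"{f.resource_type}.{f.name}: {f.role} -> {f.member}  {f.issues or 'ok'}")
```

`now_iso` is a parameter rather than the wall clock so the check is reproducible in CI; pass the current time there to catch conditions that have lapsed since the binding was written.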