Skip to content

Instantly share code, notes, and snippets.

@magickatt
Last active February 24, 2023 15:19
Embed
What would you like to do?
Google Cloud IAM for Google Kubernetes Engine Workload Identity
locals {
gcp_project_id = "project-123456"
gke_namespace = "default"
gke_service_account_name = "my-service-gke-serviceaccount"
}
# GCP Service Account (not to be confused with the GKE Service Account)
resource "google_service_account" "my_service" {
account_id = "my_service_gcp_serviceaccount"
display_name = "my_service"
description = "Google Service Account used for My Service."
}
# Allows the GKE Service Account to use the GCP Service Account via Workload Identity
resource "google_service_account_iam_binding" "iam_workloadidentity" {
service_account_id = google_service_account.my_service.name
role = "roles/iam.workloadIdentityUser"
# Workload Identity is specified per-project and per-namespace
members = [
"serviceAccount:${local.gcp_project_id}.svc.id.goog[${local.gke_namespace}/${local.gke_service_account_name}]"
]
}
# Grant any GCP IAM permissions to the GCP Service Account
resource "google_project_iam_member" "storage_admin" {
project = local.gcp_project_id
role = "roles/storage.admin"
member = "serviceAccount:${google_service_account.my_service.email}"
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment