Last active February 24, 2023 15:19
Google Cloud IAM for Google Kubernetes Engine Workload Identity
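locals {
  # Project whose Workload Identity pool (<project>.svc.id.goog) the GKE
  # service account belongs to, and where the project-level IAM grant lands.
  gcp_project_id = "project-123456"

  # Kubernetes namespace and Kubernetes service account (KSA) that will be
  # allowed to act as the GCP service account declared below.
  gke_namespace            = "default"
  gke_service_account_name = "my-service-gke-serviceaccount"
}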
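# GCP Service Account (not to be confused with the GKE Service Account)
resource "google_service_account" "my_service" {
  # account_id must be 6-30 characters matching [a-z]([-a-z0-9]*[a-z0-9]);
  # underscores (as in the original "my_service_gcp_serviceaccount") are
  # rejected by the API, so the id uses hyphens instead.
  account_id   = "my-service-gcp-serviceaccount"
  display_name = "my_service"
  description  = "Google Service Account used for My Service."
}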
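# Allows the GKE Service Account to use the GCP Service Account via Workload Identity
resource "google_service_account_iam_binding" "iam_workloadidentity" {
  # NOTE(review): the value was lost in the page extraction; the binding is
  # attached to the GCP service account declared above — confirm against the
  # original gist.
  service_account_id = google_service_account.my_service.name
  role               = "roles/iam.workloadIdentityUser"

  # Workload Identity is specified per-project and per-namespace: the member is
  # the KSA inside the project's Workload Identity pool.
  # NOTE: *_iam_binding is authoritative for this role on the service account;
  # any workloadIdentityUser member not listed here is removed on apply. Use
  # google_service_account_iam_member instead if other bindings must coexist.
  members = [
    "serviceAccount:${local.gcp_project_id}.svc.id.goog[${local.gke_namespace}/${local.gke_service_account_name}]",
  ]
}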
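# Grant any GCP IAM permissions to the GCP Service Account
resource "google_project_iam_member" "storage_admin" {
  project = local.gcp_project_id

  # roles/storage.admin at project scope gives full control over every bucket
  # and object in the project; where the workload only needs one bucket,
  # prefer a google_storage_bucket_iam_member with a narrower role.
  role = "roles/storage.admin"

  # NOTE(review): the interpolation was empty in the page extraction; the GCP
  # service account's email is the member this block grants to — confirm
  # against the original gist.
  member = "serviceAccount:${google_service_account.my_service.email}"
}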