Last active
February 24, 2023 15:19
-
-
Save magickatt/a48cf0bb8218595ba0a5a85323a430b0 to your computer and use it in GitHub Desktop.
Google Cloud IAM for Google Kubernetes Engine Workload Identity
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| locals { | |
| gcp_project_id = "project-123456" | |
| gke_namespace = "default" | |
| gke_service_account_name = "my-service-gke-serviceaccount" | |
| } | |
| # GCP Service Account (not to be confused with the GKE Service Account) | |
| resource "google_service_account" "my_service" { | |
| account_id = "my_service_gcp_serviceaccount" | |
| display_name = "my_service" | |
| description = "Google Service Account used for My Service." | |
| } | |
| # Allows the GKE Service Account to use the GCP Service Account via Workload Identity | |
| resource "google_service_account_iam_binding" "iam_workloadidentity" { | |
| service_account_id = google_service_account.my_service.name | |
| role = "roles/iam.workloadIdentityUser" | |
| # Workload Identity is specified per-project and per-namespace | |
| members = [ | |
| "serviceAccount:${local.gcp_project_id}.svc.id.goog[${local.gke_namespace}/${local.gke_service_account_name}]" | |
| ] | |
| } | |
| # Grant any GCP IAM permissions to the GCP Service Account | |
| resource "google_project_iam_member" "storage_admin" { | |
| project = local.gcp_project_id | |
| role = "roles/storage.admin" | |
| member = "serviceAccount:${google_service_account.my_service.email}" | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment