GCP service account granted permission to access BigQuery and GCS
// Identity for the AI workbench. The IAM bindings further down attach roles
// to this account's email, so it should be the only principal they list.
resource "google_service_account" "workbench-default" {
  display_name = "Default service account for AI workbench"
  account_id   = "workbench-default"
}
// roles/bigquery.dataViewer at project scope: read access to the datasets in
// var.project for the workbench service account.
// NOTE(review): google_project_iam_binding is authoritative for the role — on
// apply, any other principal that already holds roles/bigquery.dataViewer on
// this project is dropped. Confirm that is intended; otherwise prefer
// google_project_iam_member (additive) or a dataset-level binding.
// The resource name keeps the original "viwer" spelling on purpose: renaming
// it would change the Terraform address and force a state move.
resource "google_project_iam_binding" "workbench-default-bigquery-data-viwer" {
  role    = "roles/bigquery.dataViewer"
  project = var.project
  members = [
    format("serviceAccount:%s", google_service_account.workbench-default.email),
  ]
}
// roles/bigquery.jobUser lets the workbench account run BigQuery jobs
// (queries, loads) in var.project; dataViewer alone does not permit that.
// See https://cloud.google.com/bigquery/docs/access-control
// NOTE(review): as an authoritative binding this replaces the role's member
// list — other principals holding roles/bigquery.jobUser on the project are
// removed on apply. Use google_project_iam_member if they must be kept.
resource "google_project_iam_binding" "workbench-default-bigquery-job-user" {
  role    = "roles/bigquery.jobUser"
  project = var.project
  members = [
    format("serviceAccount:%s", google_service_account.workbench-default.email),
  ]
}
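// Project-level custom role holding only storage.buckets.get. That permission
// covers bucket metadata lookups (existence, configuration); it does not read
// object contents, which roles/storage.objectViewer supplies separately.
resource "google_project_iam_custom_role" "storage-reader" {
  role_id = "storageReader"
  title   = "Custom Storage Reader"
  // The description states the real scope so anyone auditing the project's
  // role list is not led to believe this role grants object read access.
  description = "Allows getting bucket metadata (storage.buckets.get); object read access is granted separately"
  permissions = ["storage.buckets.get"]
}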
// Binds the custom storageReader role (bucket metadata only) to the workbench
// account. `.name` resolves to the full projects/<project>/roles/<role_id> id
// that the binding expects.
// NOTE(review): authoritative binding — members not listed here lose this
// role on apply. Fine while the custom role is used by nothing else; revisit
// if it is ever shared.
resource "google_project_iam_binding" "workbench-default-custom-storage-reader" {
  role    = google_project_iam_custom_role.storage-reader.name
  project = var.project
  members = [
    format("serviceAccount:%s", google_service_account.workbench-default.email),
  ]
}
// roles/storage.objectViewer at project scope: the workbench account can read
// objects in every bucket of var.project.
// NOTE(review): if the workbench only needs a few buckets, a per-bucket grant
// (google_storage_bucket_iam_member) is the least-privilege option; and as an
// authoritative binding this strips other principals holding
// roles/storage.objectViewer on the project when applied.
resource "google_project_iam_binding" "workbench-default-storage-object-viewer" {
  role    = "roles/storage.objectViewer"
  project = var.project
  members = [
    format("serviceAccount:%s", google_service_account.workbench-default.email),
  ]
}