Terraform GCP 将 IAM 角色分配给服务帐户
Terraform GCP Assign IAM roles to service account
我正在使用以下
resource "google_service_account" "store_user" {
account_id = "store-user"
display_name = "Storage User"
}
resource "google_project_iam_binding" "store_user" {
project = var.project_id
role = "roles/storage.admin"
members = [
"serviceAccount:${google_service_account.store_user.email}"
]
}
效果很好,因为它创建了 SA 并为其分配了存储管理员角色。伟大的。
但是我需要给这个 SA 大约 4 个角色。我尝试了各种方法,包括使用重复 bindings/roles 块的数据块,如下所示:
data "google_iam_policy" "store_user_roles" {
binding {
role = "roles/storage.admin"
members = [
"serviceAccount:${google_service_account.store_user.email}",
]
}
binding {
role = "roles/pubsub.admin"
members = [
"serviceAccount:${google_service_account.store_user.email}",
]
}
}
奇怪的是,它运行了,但是 SA 没有得到 roles/permissions。我已经尝试了在这里和那里找到的各种其他示例,但没有成功。有人可以告诉我正确的方向如何完成这个吗?
//更新。以下对我有用:
resource "google_project_iam_binding" "storage-iam" {
project = var.project_id
role = "roles/storage.admin"
members = [
"serviceAccount:${google_service_account.store_user.email}",
]
}
resource "google_project_iam_binding" "pubsub-iam" {
project = var.project_id
role = "roles/pubsub.admin"
members = [
"serviceAccount:${google_service_account.store_user.email}",
]
}
我认为这是通过此资源实现的:
所以对于你的代码,减去数据源,改变口味:
resource "google_service_account_iam_binding" "storage-iam" {
service_account_id = google_service_account.store_user.name
role = "roles/storage.admin"
members = [
"serviceAccount:${google_service_account.store_user.email}",
]
}
resource "google_service_account_iam_binding" "pubsub-iam" {
service_account_id = google_service_account.store_user.name
role = "roles/pubsub.admin"
members = [
"serviceAccount:${google_service_account.store_user.email}",
]
}
另一种替代方法是使用循环。这是一些使用 count 循环的示例代码。
variables.tf
variable "rolesList" {
type =list(string)
default = ["roles/storage.admin","roles/pubsub.admin"]
}
服务-account.tf
resource "google_service_account" "store_user" {
account_id = "store-user"
display_name = "Storage User"
}
resource "google_project_iam_binding" "store_user" {
project = var.project_id
count = length(var.rolesList)
role = var.rolesList[count.index]
members = [
"serviceAccount:${google_service_account.store_user.email}"
]
}
请注意,在使用 count 循环时,Terraform 会维护一个索引映射,其中包含状态文件中的值。简单来说,如果您只是因为我们不想要该角色而从列表中删除第一个元素,那么 Terraform 将从索引 2(旧列表的)中删除所有元素,然后将它们应用回去。
此外,我更喜欢使用 google_project_iam_member 而不是 google_project_iam_binding,因为在使用 google_project_iam_binding 时,如果在 Terraform 之外创建的任何用户或 SA 绑定到同一角色,GCP 将删除他们在未来的运行中(TF Apply)。
我正在使用以下
resource "google_service_account" "store_user" {
account_id = "store-user"
display_name = "Storage User"
}
resource "google_project_iam_binding" "store_user" {
project = var.project_id
role = "roles/storage.admin"
members = [
"serviceAccount:${google_service_account.store_user.email}"
]
}
效果很好,因为它创建了 SA 并为其分配了存储管理员角色。伟大的。 但是我需要给这个 SA 大约 4 个角色。我尝试了各种方法,包括使用重复 bindings/roles 块的数据块,如下所示:
data "google_iam_policy" "store_user_roles" {
binding {
role = "roles/storage.admin"
members = [
"serviceAccount:${google_service_account.store_user.email}",
]
}
binding {
role = "roles/pubsub.admin"
members = [
"serviceAccount:${google_service_account.store_user.email}",
]
}
}
奇怪的是,它运行了,但是 SA 没有得到 roles/permissions。我已经尝试了在这里和那里找到的各种其他示例,但没有成功。有人可以告诉我正确的方向如何完成这个吗?
//更新。以下对我有用:
resource "google_project_iam_binding" "storage-iam" {
project = var.project_id
role = "roles/storage.admin"
members = [
"serviceAccount:${google_service_account.store_user.email}",
]
}
resource "google_project_iam_binding" "pubsub-iam" {
project = var.project_id
role = "roles/pubsub.admin"
members = [
"serviceAccount:${google_service_account.store_user.email}",
]
}
我认为这是通过此资源实现的:
所以对于你的代码,减去数据源,改变口味:
resource "google_service_account_iam_binding" "storage-iam" {
service_account_id = google_service_account.store_user.name
role = "roles/storage.admin"
members = [
"serviceAccount:${google_service_account.store_user.email}",
]
}
resource "google_service_account_iam_binding" "pubsub-iam" {
service_account_id = google_service_account.store_user.name
role = "roles/pubsub.admin"
members = [
"serviceAccount:${google_service_account.store_user.email}",
]
}
另一种替代方法是使用循环。这是一些使用 count 循环的示例代码。
variables.tf
variable "rolesList" {
type =list(string)
default = ["roles/storage.admin","roles/pubsub.admin"]
}
服务-account.tf
resource "google_service_account" "store_user" {
account_id = "store-user"
display_name = "Storage User"
}
resource "google_project_iam_binding" "store_user" {
project = var.project_id
count = length(var.rolesList)
role = var.rolesList[count.index]
members = [
"serviceAccount:${google_service_account.store_user.email}"
]
}
请注意,在使用 count 循环时,Terraform 会维护一个索引映射,其中包含状态文件中的值。简单来说,如果您只是因为我们不想要该角色而从列表中删除第一个元素,那么 Terraform 将从索引 2(旧列表的)中删除所有元素,然后将它们应用回去。
此外,我更喜欢使用 google_project_iam_member 而不是 google_project_iam_binding,因为在使用 google_project_iam_binding 时,如果在 Terraform 之外创建的任何用户或 SA 绑定到同一角色,GCP 将删除他们在未来的运行中(TF Apply)。