想要通过 Terraform 将多个 Google 云 IAM 角色分配给服务帐户
Want to assign multiple Google cloud IAM roles to a service account via terraform
我想通过 Terraform 将多个 IAM 角色分配给单个服务帐户。我准备了一个 TF 文件来执行此操作,但它有一个错误。对于单个角色,它可以成功分配,但对于多个 IAM 角色,它会出错。
data "google_iam_policy" "auth1" {
binding {
role = "roles/cloudsql.admin"
members = [
"serviceAccount:${google_service_account.service_account_1.email}",
]
role = "roles/secretmanager.secretAccessor"
members = [
"serviceAccount:${google_service_account.service_account_1.email}",
]
role = "roles/datastore.owner"
members = [
"serviceAccount:${google_service_account.service_account_1.email}",
]
role = "roles/storage.admin"
members = [
"serviceAccount:${google_service_account.service_account_1.email}",
]
}
}
如何为单个服务帐户分配多个角色?
Each document configuration must have one or more binding blocks, which each accept the following arguments: ....
你必须像这样重复绑定
data "google_iam_policy" "auth1" {
binding {
role = "roles/cloudsql.admin"
members = [
"serviceAccount:${google_service_account.service_account_1.email}",
]
}
binding {
role = "roles/secretmanager.secretAccessor"
members = [
"serviceAccount:${google_service_account.service_account_1.email}",
]
}
binding {
role = "roles/datastore.owner"
members = [
"serviceAccount:${google_service_account.service_account_1.email}",
]
}
binding {
role = "roles/storage.admin"
members = [
"serviceAccount:${google_service_account.service_account_1.email}",
]
}
}
使用gcloud命令也是一样,一个邮件列表一次只能添加1个角色。
我做了这样的事情
resource "google_project_iam_member" "member-role" {
for_each = toset([
"roles/cloudsql.admin",
"roles/secretmanager.secretAccessor",
"roles/datastore.owner",
"roles/storage.admin",
])
role = each.key
member = "serviceAccount:${google_service_account.service_account_1.email}"
project = my_project_id
}
我还不能发表评论或投票,所以这是 另一个 答案,但@intotecho 是对的。
我会说 不要 使用 Terraform 创建策略,除非您真的知道自己在做什么!在 GCP 中,每个项目只允许一个策略。如果您应用该策略,只有 服务帐户可以访问,没有人。 :) 尽管我们不希望人类做人类的事情,但至少拥有对您拥有的 GCP 项目的查看权限是有帮助的。
特别是如果您使用的模型有多个 Terraform 工作空间对项目执行 iam 操作。如果你使用政策,这将类似于葡萄酒的酿造方式,这将是一场狂欢!最近应用的策略将获胜(如果 TF 使用的服务帐户包含在该策略中,否则它将自己锁定!)
人类有可能从文件夹或组织本身获得继承的查看者角色,但使用 google_project_iam_member 分配多个角色是一种更好的方法,95% 的权限是如何通过 TF 完成的GCP.
我想通过 Terraform 将多个 IAM 角色分配给单个服务帐户。我准备了一个 TF 文件来执行此操作,但它有一个错误。对于单个角色,它可以成功分配,但对于多个 IAM 角色,它会出错。
data "google_iam_policy" "auth1" {
binding {
role = "roles/cloudsql.admin"
members = [
"serviceAccount:${google_service_account.service_account_1.email}",
]
role = "roles/secretmanager.secretAccessor"
members = [
"serviceAccount:${google_service_account.service_account_1.email}",
]
role = "roles/datastore.owner"
members = [
"serviceAccount:${google_service_account.service_account_1.email}",
]
role = "roles/storage.admin"
members = [
"serviceAccount:${google_service_account.service_account_1.email}",
]
}
}
如何为单个服务帐户分配多个角色?
Each document configuration must have one or more binding blocks, which each accept the following arguments: ....
你必须像这样重复绑定
data "google_iam_policy" "auth1" {
binding {
role = "roles/cloudsql.admin"
members = [
"serviceAccount:${google_service_account.service_account_1.email}",
]
}
binding {
role = "roles/secretmanager.secretAccessor"
members = [
"serviceAccount:${google_service_account.service_account_1.email}",
]
}
binding {
role = "roles/datastore.owner"
members = [
"serviceAccount:${google_service_account.service_account_1.email}",
]
}
binding {
role = "roles/storage.admin"
members = [
"serviceAccount:${google_service_account.service_account_1.email}",
]
}
}
使用gcloud命令也是一样,一个邮件列表一次只能添加1个角色。
我做了这样的事情
resource "google_project_iam_member" "member-role" {
for_each = toset([
"roles/cloudsql.admin",
"roles/secretmanager.secretAccessor",
"roles/datastore.owner",
"roles/storage.admin",
])
role = each.key
member = "serviceAccount:${google_service_account.service_account_1.email}"
project = my_project_id
}
我还不能发表评论或投票,所以这是 另一个 答案,但@intotecho 是对的。
我会说 不要 使用 Terraform 创建策略,除非您真的知道自己在做什么!在 GCP 中,每个项目只允许一个策略。如果您应用该策略,只有 服务帐户可以访问,没有人。 :) 尽管我们不希望人类做人类的事情,但至少拥有对您拥有的 GCP 项目的查看权限是有帮助的。
特别是如果您使用的模型有多个 Terraform 工作空间对项目执行 iam 操作。如果你使用政策,这将类似于葡萄酒的酿造方式,这将是一场狂欢!最近应用的策略将获胜(如果 TF 使用的服务帐户包含在该策略中,否则它将自己锁定!)
人类有可能从文件夹或组织本身获得继承的查看者角色,但使用 google_project_iam_member 分配多个角色是一种更好的方法,95% 的权限是如何通过 TF 完成的GCP.