Allows creation of service accounts for a Google Cloud Platform project.
```yaml
- id: service_acct
  source: community/modules/project/service-account
  settings:
    project_id: $(vars.project_id)
    name: instance_acct
    project_roles:
    - logging.logWriter
    - monitoring.metricWriter
    - storage.objectViewer
```
This creates a service account named `instance_acct` in the GCP project given by `project_id`. It will hold the 3 roles listed above on all resources within the project.
When this module is used in conjunction with the startup-script module, the service account must be granted (at least) read access to the startup-script module's bucket. This can be achieved either by granting project-wide access, as shown above, or by listing the service account as a bucket viewer in the startup-script module:
```yaml
- id: service_acct
  source: community/modules/project/service-account
  settings:
    project_id: $(vars.project_id)
    name: instance_acct
    project_roles:
    - logging.logWriter
    - monitoring.metricWriter

- id: script
  source: modules/scripts/startup-script
  settings:
    bucket_viewers:
    - $(service_acct.service_account_iam_email)
```
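As an added example (not part of this module or its documentation), the following Python lint walks a blueprint's module list and reports the least-privilege points raised by the two snippets above: basic roles granted project-wide, key generation, and whether a service account used alongside the startup-script module receives its bucket read access project-wide or scoped through `bucket_viewers`. The module list is given as Python data constructed from the README snippets plus one deliberately over-broad variant; a real run would load the blueprint YAML with a YAML library first. The set of roles treated as broad, and the assumption that the linted service account is the one the startup-script VMs run as, are this example's own.

```python
"""Least-privilege lint for service-account modules in a blueprint.

Added example, not part of the service-account module. The blueprint module
list is given as Python data (constructed from the README snippets); a real
run would load the blueprint YAML with a YAML library first.
"""
import re
from typing import Any, Dict, List, Set

SA_SOURCE = "community/modules/project/service-account"
SCRIPT_SOURCE = "modules/scripts/startup-script"

# Basic roles give sweeping access to every resource in the project. Which
# roles count as "broad" is an assumption of this example; extend as needed.
BROAD_ROLES = {"owner", "editor", "viewer"}

# Blueprint reference to a service-account module's IAM e-mail output,
# e.g. $(service_acct.service_account_iam_email)
IAM_EMAIL_REF = re.compile(r"^\$\((?P<id>[A-Za-z0-9_-]+)\.service_account_iam_email\)$")


def modules_by_source(modules: List[Dict[str, Any]], source: str) -> List[Dict[str, Any]]:
    """Return the modules whose 'source' matches exactly."""
    return [m for m in modules if m.get("source") == source]


def bucket_viewer_ids(script_modules: List[Dict[str, Any]]) -> Set[str]:
    """Ids of service-account modules referenced from any bucket_viewers list."""
    ids: Set[str] = set()
    for mod in script_modules:
        for ref in mod.get("settings", {}).get("bucket_viewers", []):
            match = IAM_EMAIL_REF.match(str(ref))
            if match:
                ids.add(match.group("id"))
    return ids


def lint_service_accounts(modules: List[Dict[str, Any]]) -> List[str]:
    """Return one human-readable finding per least-privilege issue found."""
    findings: List[str] = []
    scripts = modules_by_source(modules, SCRIPT_SOURCE)
    viewers = bucket_viewer_ids(scripts)
    for sa in modules_by_source(modules, SA_SOURCE):
        sa_id = sa.get("id", "<unnamed>")
        settings = sa.get("settings", {})
        roles = settings.get("project_roles", [])
        for role in roles:
            if role in BROAD_ROLES:
                findings.append(f"{sa_id}: basic role '{role}' grants broad access to the whole project")
        if settings.get("generate_keys", False):
            findings.append(f"{sa_id}: generate_keys is true, a long-lived key will be created")
        # Startup-script bucket access (assumes this SA is the one the VMs run as).
        project_wide_read = "storage.objectViewer" in roles
        if scripts and sa_id not in viewers:
            if project_wide_read:
                findings.append(f"{sa_id}: storage.objectViewer is project-wide; bucket_viewers on the "
                                "startup-script module would scope it to the script bucket")
            else:
                findings.append(f"{sa_id}: no read access to the startup-script bucket "
                                "(neither project-wide storage.objectViewer nor bucket_viewers)")
    return findings


def sa_module(roles: List[str], **extra: Any) -> Dict[str, Any]:
    """Build a service-account module entry shaped like the README snippets (constructed)."""
    settings: Dict[str, Any] = {"project_id": "$(vars.project_id)", "name": "instance_acct",
                                "project_roles": roles}
    settings.update(extra)
    return {"id": "service_acct", "source": SA_SOURCE, "settings": settings}


# Constructed inputs: the two README snippets, plus a deliberately over-broad variant.
SCRIPT_WITH_VIEWER = {"id": "script", "source": SCRIPT_SOURCE,
                      "settings": {"bucket_viewers": ["$(service_acct.service_account_iam_email)"]}}
SCRIPT_NO_VIEWER = {"id": "script", "source": SCRIPT_SOURCE, "settings": {}}
BLUEPRINT_PROJECT_WIDE = [sa_module(["logging.logWriter", "monitoring.metricWriter", "storage.objectViewer"])]
BLUEPRINT_BUCKET_SCOPED = [sa_module(["logging.logWriter", "monitoring.metricWriter"]), SCRIPT_WITH_VIEWER]
BLUEPRINT_OVERBROAD = [sa_module(["editor", "logging.logWriter"], generate_keys=True), SCRIPT_NO_VIEWER]

if __name__ == "__main__":
    for label, blueprint in [("project-wide", BLUEPRINT_PROJECT_WIDE),
                             ("bucket-scoped", BLUEPRINT_BUCKET_SCOPED),
                             ("over-broad", BLUEPRINT_OVERBROAD)]:
        print(label, lint_service_accounts(blueprint) or ["no findings"])
```

Both README snippets come back clean; the over-broad variant produces three findings (the `editor` role, key generation, and a startup-script module whose bucket the service account cannot read). Adding a startup-script module without `bucket_viewers` to the first snippet yields the single hint that the project-wide `storage.objectViewer` could be narrowed to the script bucket.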
Copyright 2022 Google LLC
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
| Name | Version |
|---|---|
| terraform | >= 0.14.0 |
No providers.
| Name | Source | Version |
|---|---|---|
| service_account | terraform-google-modules/service-accounts/google | ~> 4.2 |
No resources.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| billing_account_id | If assigning billing role, specify a billing account (default is to assign at the organizational level). | string | "" | no |
| deployment_name | Name of the deployment (will be prepended to service account name). | string | n/a | yes |
| description | Description of the created service account. | string | "Service Account" | no |
| descriptions | Deprecated; create single service accounts using var.description. | list(string) | null | no |
| display_name | Display name of the created service account. | string | "Service Account" | no |
| generate_keys | Generate keys for service account. | bool | false | no |
| grant_billing_role | Grant billing user role. | bool | false | no |
| grant_xpn_roles | Grant roles for shared VPC management. | bool | true | no |
| name | Name of the service account to create. | string | n/a | yes |
| names | Deprecated; create single service accounts using var.name. | list(string) | null | no |
| org_id | ID of the organization for org-level roles. | string | "" | no |
| prefix | Deprecated; prefix now set using var.deployment_name. | string | null | no |
| project_id | ID of the project. | string | n/a | yes |
| project_roles | List of roles to grant to the service account (e.g. "storage.objectViewer" or "compute.instanceAdmin.v1"). | list(string) | n/a | yes |
| Name | Description |
|---|---|
| key | Service account key (if creation was requested) |
| service_account_email | Service account e-mail address |
| service_account_iam_email | Service account IAM binding format (serviceAccount:[email protected]) |