clarify docs around service account id (#2663)

/cc @danawillow
2024-07-01 15:52:39 +00:00 · 2018-12-13 16:00:26 -08:00 · 2018-12-13 16:00:26 -08:00 · 15545be1c3
commit 15545be1c3
parent f6230ba1e4
3 changed files with 32 additions and 14 deletions
--- a/google/resource_google_service_account_iam_test.go
+++ b/google/resource_google_service_account_iam_test.go
@ -122,7 +122,7 @@ resource "google_service_account" "test_account" {
 }

 resource "google_service_account_iam_binding" "foo" {
-  service_account_id = "${google_service_account.test_account.id}"
+  service_account_id = "${google_service_account.test_account.name}"
  role        = "roles/viewer"
  members     = ["serviceAccount:${google_service_account.test_account.email}"]
 }
@ -137,7 +137,7 @@ resource "google_service_account" "test_account" {
 }

 resource "google_service_account_iam_member" "foo" {
-  service_account_id = "${google_service_account.test_account.id}"
+  service_account_id = "${google_service_account.test_account.name}"
  role   = "roles/editor"
  member = "serviceAccount:${google_service_account.test_account.email}"
 }
@ -160,7 +160,7 @@ data "google_iam_policy" "foo" {
 }

 resource "google_service_account_iam_policy" "foo" {
-  service_account_id = "${google_service_account.test_account.id}"
+  service_account_id = "${google_service_account.test_account.name}"
  policy_data = "${data.google_iam_policy.foo.policy_data}"
 }
 `, account)
--- a/website/docs/r/google_service_account.html.markdown
+++ b/website/docs/r/google_service_account.html.markdown
@ -26,8 +26,10 @@ resource "google_service_account" "object_viewer" {

 The following arguments are supported:

-* `account_id` - (Required) The service account ID.
-    Changing this forces a new service account to be created.
+* `account_id` - (Required) The account id that is used to generate the service
+    account email address and a stable unique id. It is unique within a project,
+    must be 6-30 characters long, and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])`
+    to comply with RFC1035. Changing this forces a new service account to be created.

 * `display_name` - (Optional) The display name for the service account.
    Can be updated without creating a new resource.
--- a/website/docs/r/google_service_account_iam.html.markdown
+++ b/website/docs/r/google_service_account_iam.html.markdown
@ -8,7 +8,7 @@ description: |-

 # IAM policy for service account

-When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource is to add iam policy bindings to a service account resource to configure permissions for who can edit the service account. To configure permissions for a service account to act as an identity that can manage other GCP resources, use the [google_project_iam](google_project_iam.html) set of resources.
+When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource is to add iam policy bindings to a service account resource **to configure permissions for who can edit the service account**. To configure permissions for a service account to act as an identity that can manage other GCP resources, use the [google_project_iam](google_project_iam.html) set of resources.

 Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:

@ -25,7 +25,7 @@ Three different resources help you manage your IAM policy for a service account.
 ```hcl
 data "google_iam_policy" "admin" {
  binding {
-    role = "roles/editor"
+    role = "roles/iam.serviceAccountUser"

    members = [
      "user:jane@example.com",
@ -33,8 +33,13 @@ data "google_iam_policy" "admin" {
  }
 }

+resource "google_service_account" "sa" {
+  account_id   = "my-service-account"
+  display_name = "A service account that only Jane can interact with"
+}
+
 resource "google_service_account_iam_policy" "admin-account-iam" {
-	service_account_id = "your-service-account-id"
+	service_account_id = "${google_service_account.sa.name}"
 	policy_data = "${data.google_iam_policy.admin.policy_data}"
 }
 ```
@ -42,9 +47,15 @@ resource "google_service_account_iam_policy" "admin-account-iam" {
 ## google\_service\_account\_iam\_binding

 ```hcl
+
+resource "google_service_account" "sa" {
+  account_id   = "my-service-account"
+  display_name = "A service account that only Jane can use"
+}
+
 resource "google_service_account_iam_binding" "admin-account-iam" {
-  service_account_id = "your-service-account-id"
-  role        = "roles/editor"
+  service_account_id = "${google_service_account.sa.name}"
+  role               = "roles/iam.serviceAccountUser"

  members = [
    "user:jane@example.com",
@ -55,10 +66,15 @@ resource "google_service_account_iam_binding" "admin-account-iam" {
 ## google\_service\_account\_iam\_member

 ```hcl
+resource "google_service_account" "sa" {
+  account_id   = "my-service-account"
+  display_name = "A service account that Jane can use"
+}
+
 resource "google_service_account_iam_member" "admin-account-iam" {
-  service_account_id = "your-service-account-id"
-  role        = "roles/editor"
-  member      = "user:jane@example.com"
+  service_account_id = "${google_service_account.sa.name}"
+  role               = "roles/iam.serviceAccountUser"
+  member             = "user:jane@example.com"
 }
 ```

@ -66,7 +82,7 @@ resource "google_service_account_iam_member" "admin-account-iam" {

 The following arguments are supported:

-* `service_account_id` - (Required) The service account id to apply policy to.
+* `service_account_id` - (Required) The fully-qualified name of the service account to apply policy to.

 * `member/members` - (Required) Identities that will be granted the privilege in `role`.
  Each entry can have one of the following values: