From 15545be1c31fdd602633df7bb25885b896f3e671 Mon Sep 17 00:00:00 2001 From: The Magician Date: Thu, 13 Dec 2018 16:00:26 -0800 Subject: [PATCH] clarify docs around service account id (#2663) /cc @danawillow --- ...esource_google_service_account_iam_test.go | 6 ++-- .../r/google_service_account.html.markdown | 6 ++-- .../google_service_account_iam.html.markdown | 34 ++++++++++++++----- 3 files changed, 32 insertions(+), 14 deletions(-)
diff --git a/google/resource_google_service_account_iam_test.go b/google/resource_google_service_account_iam_test.go
index 1e183d87..9164c34c 100644
--- a/google/resource_google_service_account_iam_test.go
+++ b/google/resource_google_service_account_iam_test.go
@@ -122,7 +122,7 @@ resource "google_service_account" "test_account" {
 }
 
 resource "google_service_account_iam_binding" "foo" {
- service_account_id = "${google_service_account.test_account.id}"
+ service_account_id = "${google_service_account.test_account.name}"
 role = "roles/viewer"
 members = ["serviceAccount:${google_service_account.test_account.email}"]
 }
@@ -137,7 +137,7 @@ resource "google_service_account" "test_account" {
 }
 
 resource "google_service_account_iam_member" "foo" {
- service_account_id = "${google_service_account.test_account.id}"
+ service_account_id = "${google_service_account.test_account.name}"
 role = "roles/editor"
 member = "serviceAccount:${google_service_account.test_account.email}"
 }
@@ -160,7 +160,7 @@ data "google_iam_policy" "foo" {
 }
 
 resource "google_service_account_iam_policy" "foo" {
- service_account_id = "${google_service_account.test_account.id}"
+ service_account_id = "${google_service_account.test_account.name}"
 policy_data = "${data.google_iam_policy.foo.policy_data}"
 }
 `, account)
diff --git a/website/docs/r/google_service_account.html.markdown b/website/docs/r/google_service_account.html.markdown
index 5e6bf41c..40efb421 100644
--- a/website/docs/r/google_service_account.html.markdown
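Review bot: Replacing `google_service_account.test_account.id` with `.name` in the three fixtures (this hunk and the ones at -137 and -160) drops the only test that exercised the `id` form of `service_account_id`, which the previous documentation told users to pass. If the provider still accepts that form, nothing now proves it; if it does not, users upgrading from the old docs find out only at apply time, so keeping one fixture on `.id` or adding a second step that applies the same binding with `.id` would pin whichever behavior is intended. The Go function that wraps these HCL templates starts before the first hunk, and only the closing of the raw-string template in the third hunk is visible, so I cannot tell from here whether a separate test already covers the `id` form.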
+++ b/website/docs/r/google_service_account.html.markdown
@@ -26,8 +26,10 @@ resource "google_service_account" "object_viewer" {
 
 The following arguments are supported:
 
-* `account_id` - (Required) The service account ID.
- Changing this forces a new service account to be created.
+* `account_id` - (Required) The account id that is used to generate the service
+ account email address and a stable unique id. It is unique within a project,
+ must be 6-30 characters long, and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])`
+ to comply with RFC1035. Changing this forces a new service account to be created.
 
 * `display_name` - (Optional) The display name for the service account.
 Can be updated without creating a new resource.
diff --git a/website/docs/r/google_service_account_iam.html.markdown b/website/docs/r/google_service_account_iam.html.markdown
index a917f8ba..c695d939 100644
--- a/website/docs/r/google_service_account_iam.html.markdown
+++ b/website/docs/r/google_service_account_iam.html.markdown
@@ -8,7 +8,7 @@ description: |-
 
 # IAM policy for service account
 
-When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource is to add iam policy bindings to a service account resource to configure permissions for who can edit the service account. To configure permissions for a service account to act as an identity that can manage other GCP resources, use the [google_project_iam](google_project_iam.html) set of resources.
+When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource is to add iam policy bindings to a service account resource **to configure permissions for who can edit the service account**. To configure permissions for a service account to act as an identity that can manage other GCP resources, use the [google_project_iam](google_project_iam.html) set of resources.
 
 Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:
 
@@ -25,7 +25,7 @@ Three different resources help you manage your IAM policy for a service account.
 ```hcl
 data "google_iam_policy" "admin" {
 binding {
- role = "roles/editor"
+ role = "roles/iam.serviceAccountUser"
 
 members = [
 "user:jane@example.com",
@@ -33,8 +33,13 @@ data "google_iam_policy" "admin" {
 }
 }
 
+resource "google_service_account" "sa" {
+ account_id = "my-service-account"
+ display_name = "A service account that only Jane can interact with"
+}
+
 resource "google_service_account_iam_policy" "admin-account-iam" {
- service_account_id = "your-service-account-id"
+ service_account_id = "${google_service_account.sa.name}"
 policy_data = "${data.google_iam_policy.admin.policy_data}"
 }
 ```
@@ -42,9 +47,15 @@ resource "google_service_account_iam_policy" "admin-account-iam" {
 ## google\_service\_account\_iam\_binding
 
 ```hcl
+
+resource "google_service_account" "sa" {
+ account_id = "my-service-account"
+ display_name = "A service account that only Jane can use"
+}
+
 resource "google_service_account_iam_binding" "admin-account-iam" {
- service_account_id = "your-service-account-id"
- role = "roles/editor"
+ service_account_id = "${google_service_account.sa.name}"
+ role = "roles/iam.serviceAccountUser"
 
 members = [
 "user:jane@example.com",
@@ -55,10 +66,15 @@ resource "google_service_account_iam_binding" "admin-account-iam" {
 ## google\_service\_account\_iam\_member
 
 ```hcl
+resource "google_service_account" "sa" {
+ account_id = "my-service-account"
+ display_name = "A service account that Jane can use"
+}
+
 resource "google_service_account_iam_member" "admin-account-iam" {
- service_account_id = "your-service-account-id"
- role = "roles/editor"
- member = "user:jane@example.com"
+ service_account_id = "${google_service_account.sa.name}"
+ role = "roles/iam.serviceAccountUser"
+ member = "user:jane@example.com"
 }
 ```
 
@@ -66,7 +82,7 @@ resource "google_service_account_iam_member" "admin-account-iam" {
 
 The following arguments are supported:
 
-* `service_account_id` - (Required) The service account id to apply policy to.
+* `service_account_id` - (Required) The fully-qualified name of the service account to apply policy to.
 
 * `member/members` - (Required) Identities that will be granted the privilege in `role`.
 Each entry can have one of the following values: