--- layout: "google" page_title: "Google: google_service_account_iam" sidebar_current: "docs-google-service-account-iam" description: |- Collection of resources to manage IAM policy for a service account. --- # IAM policy for service account When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource is to add iam policy bindings to a service account resource **to configure permissions for who can edit the service account**. To configure permissions for a service account to act as an identity that can manage other GCP resources, use the [google_project_iam](google_project_iam.html) set of resources. Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case: * `google_service_account_iam_policy`: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached. * `google_service_account_iam_binding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved. * `google_service_account_iam_member`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved. ~> **Note:** `google_service_account_iam_policy` **cannot** be used in conjunction with `google_service_account_iam_binding` and `google_service_account_iam_member` or they will fight over what your policy should be. ~> **Note:** `google_service_account_iam_binding` resources **can be** used in conjunction with `google_service_account_iam_member` resources **only if** they do not grant privilege to the same role. ## google\_service\_account\_iam\_policy ```hcl data "google_iam_policy" "admin" { binding { role = "roles/iam.serviceAccountUser" members = [ "user:jane@example.com", ] } } resource "google_service_account" "sa" { account_id = "my-service-account" display_name = "A service account that only Jane can interact with" } resource "google_service_account_iam_policy" "admin-account-iam" { service_account_id = "${google_service_account.sa.name}" policy_data = "${data.google_iam_policy.admin.policy_data}" } ``` ## google\_service\_account\_iam\_binding ```hcl resource "google_service_account" "sa" { account_id = "my-service-account" display_name = "A service account that only Jane can use" } resource "google_service_account_iam_binding" "admin-account-iam" { service_account_id = "${google_service_account.sa.name}" role = "roles/iam.serviceAccountUser" members = [ "user:jane@example.com", ] } ``` ## google\_service\_account\_iam\_member ```hcl data "google_compute_default_service_account" "default" { } resource "google_service_account" "sa" { account_id = "my-service-account" display_name = "A service account that Jane can use" } resource "google_service_account_iam_member" "admin-account-iam" { service_account_id = "${google_service_account.sa.name}" role = "roles/iam.serviceAccountUser" member = "user:jane@example.com" } # Allow SA service account use the default GCE account resource "google_service_account_iam_member" "gce-default-account-iam" { service_account_id = "${data.google_compute_default_service_account.default.name}" role = "roles/iam.serviceAccountUser" member = "serviceAccount:${google_service_account.sa.email}" } ``` ## Argument Reference The following arguments are supported: * `service_account_id` - (Required) The fully-qualified name of the service account to apply policy to. * `member/members` - (Required) Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * `role` - (Required) The role that should be applied. Only one `google_service_account_iam_binding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`. * `policy_data` - (Required only by `google_service_account_iam_policy`) The policy data generated by a `google_iam_policy` data source. ## Attributes Reference In addition to the arguments listed above, the following computed attributes are exported: * `etag` - (Computed) The etag of the service account IAM policy. ## Import Service account IAM resources can be imported using the project, service account email, role and member identity. ``` $ terraform import google_service_account_iam_policy.admin-account-iam projects/{your-project-id}/serviceAccounts/{your-service-account-email} $ terraform import google_service_account_iam_binding.admin-account-iam "projects/{your-project-id}/serviceAccounts/{your-service-account-email} roles/editor" $ terraform import google_service_account_iam_member.admin-account-iam "projects/{your-project-id}/serviceAccounts/{your-service-account-email} roles/editor user:foo@example.com" ```