* Make google_service_account resource importable
* Add google_service_account testcase with default project
* Mark google_service_account.project as computed to ensure the project id is always stored in the state, defined in configuration or not. Add corresponding test cases
* Inline variables with single usage
* Replace tabs with spaces in configuration strings
* Ensure service account is not recreated when the default project is explicitly added to the configuration
* camelcase
layout | page_title | sidebar_current | description |
---|---|---|---|
Google: google_service_account | docs-google-service-account | Allows management of a Google Cloud Platform service account. |
google_service_account
Allows management of a Google Cloud Platform service account.
Example Usage
This snippet creates a service account, then grants it the `roles/storage.objectViewer` role in a project.

```hcl
# The service account that will receive the role.
resource "google_service_account" "object_viewer" {
  account_id   = "object-viewer"
  display_name = "Object viewer"
}

# Applies the policy document below to the project.
resource "google_project_iam_policy" "my_project_policy" {
  project     = "your-project-id"
  policy_data = "${data.google_iam_policy.admin.policy_data}"
}

# Policy document binding the role to the service account's e-mail address.
data "google_iam_policy" "admin" {
  binding {
    role = "roles/storage.objectViewer"

    members = [
      "serviceAccount:${google_service_account.object_viewer.email}",
    ]
  }
}
```
Argument Reference
The following arguments are supported:
- `account_id` - (Required) The service account ID. Changing this forces a new service account to be created.

- `display_name` - (Optional) The display name for the service account. Can be updated without creating a new resource.

- `project` - (Optional) The project that the service account will be created in. Defaults to the provider project configuration.

- `policy_data` - (DEPRECATED, Optional) The `google_iam_policy` data source that represents the IAM policy that will be applied to the service account. The policy will be merged with any existing policy.

  This attribute has been deprecated. Use the `google_project_iam_policy` resource instead. See example above.

  Changing this updates the policy.

  Deleting this removes the policy declared in Terraform. Any policy bindings associated with the project before Terraform was used are not deleted.
Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
- `email` - The e-mail address of the service account. This value should be referenced from any `google_iam_policy` data sources that would grant the service account privileges.

- `name` - The fully-qualified name of the service account.

- `unique_id` - The unique id of the service account.
Import
Service accounts can be imported using their URI, e.g.
```
$ terraform import google_service_account.my_sa projects/my-project/serviceAccounts/my-sa@my-project.iam.gserviceaccount.com
```