GCP IAM Role to Service Binding

I’m somewhat new to GCP, but in the console I can easily create a new service and grant it a pre-existing role.

I’ve been trying to use something like this:


# Creates the service account (the principal that will write container logs).
resource "google_service_account" "sa" {
  account_id   = "docker-logger-service"
  display_name = "Service Record Container Logs to Google Cloud"
}


# Edits the IAM policy *of* the service account resource named in
# service_account_id, granting every principal in `members` the given role
# on that service account. Note: this binding is authoritative for the role,
# so any other members that already hold it on the resource are removed.
resource "google_service_account_iam_binding" "admin-account-iam" {
  service_account_id = google_service_account.sa.name
  role               = "roles/logging.admin"

  members = [
    "serviceAccount:${google_service_account.sa.email}"
  ]
}

The google_service_account_iam_binding confuses me. I’m trying to grant a right to an entity, so it feels like either service_account_id or members isn’t needed but they’re both required.

According to the google docs, the equivalent CLI command is this:

gcloud projects add-iam-policy-binding projectName --member=serviceAccount:myServiceID@appspot.gserviceaccount.com --role=roles/cloudbuild.builds.viewer

What am I missing?

Hi, I'm a little confused about what you’re asking. In your .tf file you’re giving the service account the role "roles/logging.admin".

In the gcloud command you're trying to give the service account the role roles/cloudbuild.builds.viewer.

Remember that service accounts can be treated both as an identity and as a resource, which makes them odd at times.

Here is some documentation that might help https://cloud.google.com/iam/docs/understanding-service-accounts
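To make the identity-versus-resource distinction concrete, here is an added example (not code from either poster) showing both sides in Terraform. It assumes a placeholder project id "my-project" and a placeholder developer principal "dev@example.com"; the role and resource names are the real ones from the Google provider.

```hcl
# Added example, not part of the original thread.
# Assumptions: project id "my-project" and principal "dev@example.com" are placeholders.

resource "google_service_account" "sa" {
  project      = "my-project" # assumed placeholder
  account_id   = "docker-logger-service"
  display_name = "Service Record Container Logs to Google Cloud"
}

# 1. The service account as an IDENTITY.
#    The role is granted on the *project*; `member` is the principal that receives it.
#    This is the Terraform counterpart of
#      gcloud projects add-iam-policy-binding my-project \
#        --member=serviceAccount:<sa email> --role=roles/logging.logWriter
#    roles/logging.logWriter is enough for a container that ships logs;
#    roles/logging.admin would also let it read and delete logs, so it is avoided here.
resource "google_project_iam_member" "sa_log_writer" {
  project = "my-project" # assumed placeholder
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:${google_service_account.sa.email}"
}

# 2. The service account as a RESOURCE.
#    `service_account_id` names the resource whose IAM policy is edited, and
#    `member` is some *other* principal that gets a role on that service account.
#    Roles that belong here are the service-account-scoped ones, e.g.
#    roles/iam.serviceAccountUser (run workloads as the SA) or
#    roles/iam.serviceAccountTokenCreator (mint tokens for the SA);
#    a project-level role such as roles/logging.admin is not meaningful on this resource.
resource "google_service_account_iam_member" "dev_can_act_as_sa" {
  service_account_id = google_service_account.sa.name
  role               = "roles/iam.serviceAccountUser"
  member             = "user:dev@example.com" # assumed placeholder
}
```

Both blocks above use the `*_iam_member` resources, which add a single (role, member) pair and leave everything else in the policy alone. The `*_iam_binding` resources from the question are authoritative for the role they name: applying one replaces the full member list for that role, so a binding written for one service account can silently revoke the same role from other principals that already held it. For a grant that should coexist with grants made elsewhere (the console, other Terraform modules), `*_iam_member` is the safer default.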