How do I create the workload identity IAM bindings in terraform?

Hey folks.

The workload identity docs have:

gcloud iam service-accounts add-iam-policy-binding GSA_NAME@PROJECT_ID.iam.gserviceaccount.com \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[K8S_NAMESPACE/KSA_NAME]"

Notice the trailing bit there. I cannot for the life of me figure out how to combine something like iam member with something else to come up with the equivalent command in TF.



Something like this should work @tibers. This is what I did. Keep in mind that this will wipe out anything else that you might have configured for it currently. Best to test it out on a test account to see how it works.

resource "google_service_account_iam_binding" "workload_identity_binding" {
  # Fully-qualified name of the GSA, i.e. projects/PROJECT_ID/serviceAccounts/GSA_EMAIL;
  # google_service_account.gsa is assumed to be declared elsewhere in the config.
  service_account_id = google_service_account.gsa.name
  role               = "roles/iam.workloadIdentityUser"
  # Authoritative for this role: members not listed here are removed from it.
  members = [
    "serviceAccount:PROJECT_ID.svc.id.goog[K8S_NAMESPACE/KSA_NAME]",
  ]
}

This doesn't work. Throws error:



service_account_id is the fully-qualified name of the service account to apply the policy to.
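As an added example (not code from any of the posts above), here is the same binding written with google_service_account_iam_member, which adds a single member to the role instead of replacing the role's whole member list the way google_service_account_iam_binding does. It also shows where the fully-qualified service_account_id comes from and the matching annotation on the Kubernetes service account. The project variable, the GSA account_id "app-gsa", the namespace "prod" and the KSA name "app-ksa" are assumed placeholders.

```terraform
# Added example, not from the original thread.
# Assumed placeholders: var.project_id, GSA "app-gsa", namespace "prod", KSA "app-ksa".

variable "project_id" {
  type = string
}

resource "google_service_account" "app" {
  account_id   = "app-gsa"
  display_name = "Workload Identity GSA for app"
  project      = var.project_id
}

locals {
  # Workload Identity member format: the pool is PROJECT_ID.svc.id.goog and the
  # bracketed suffix is the Kubernetes namespace and service account name.
  wi_member = "serviceAccount:${var.project_id}.svc.id.goog[prod/app-ksa]"
}

# Non-authoritative: grants the role to this one member and leaves any other
# members of roles/iam.workloadIdentityUser on the GSA untouched.
resource "google_service_account_iam_member" "workload_identity_user" {
  # .name is the fully-qualified form: projects/PROJECT_ID/serviceAccounts/EMAIL
  service_account_id = google_service_account.app.name
  role               = "roles/iam.workloadIdentityUser"
  member             = local.wi_member
}

# The KSA must be annotated with the GSA email so GKE maps the pod identity.
resource "kubernetes_service_account" "app" {
  metadata {
    name      = "app-ksa"
    namespace = "prod"
    annotations = {
      "iam.gke.io/gcp-service-account" = google_service_account.app.email
    }
  }
}
```

Prefer the _iam_member resource when other tooling or humans may also grant this role on the same GSA; reserve _iam_binding for cases where Terraform should be the single source of truth for that role's membership, and run terraform plan first to see which existing members it would drop.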