How do I create the workload identity IAM bindings in terraform?

Hey folks.

The workload identity docs have:

gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:project-id.svc.id.goog[k8s-namespace/ksa-name]" \
  gsa-name@project-id.iam.gserviceaccount.com

Notice the trailing bit there. I cannot for the life of me figure out how to combine something like iam member with something else to come up with the equivalent command in TF.

Ideas?


Something like this should work @tibers. This is what I did. Keep in mind that this will wipe out anything else that you might have configured for it currently. Best to test it out on a test account to see how it works.

resource "google_service_account_iam_binding" "workload_identity_binding" {
  # Full resource name of the GSA (projects/.../serviceAccounts/...),
  # i.e. the positional argument of the gcloud command.
  service_account_id = google_service_account.service_account.name
  role               = "roles/iam.workloadIdentityUser"
  # Authoritative: this list replaces every existing member of this role
  # on the service account.
  members = [
    "serviceAccount:${var.project}.svc.id.goog[<namespace>/<ksa>]"
  ]
}
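As an added example (not code posted by either participant above), here is the non-authoritative form, which is the closer Terraform equivalent of `gcloud iam service-accounts add-iam-policy-binding`: that command adds one member to the role and leaves the rest of the policy alone, which is what `google_service_account_iam_member` does, whereas `google_service_account_iam_binding` owns the whole member list for that role. The example also annotates the Kubernetes service account, since the IAM binding alone is only half of the Workload Identity setup. The project ID, namespace, KSA name and GSA account ID are assumed placeholders, and it assumes the google and kubernetes providers are already configured.

```hcl
# Added example, not from the original thread. Assumes the google and
# kubernetes providers are already configured. All values below are
# assumed placeholders; replace them with your own.
variable "project" {
  default = "my-project" # assumed placeholder
}

variable "namespace" {
  default = "default" # assumed placeholder
}

variable "ksa_name" {
  default = "my-app" # assumed placeholder
}

# The Google service account the pod will impersonate.
resource "google_service_account" "app" {
  project      = var.project
  account_id   = "my-app-gsa" # assumed placeholder
  display_name = "Workload Identity GSA for my-app"
}

# Non-authoritative binding: adds exactly one member to the role and does
# not disturb any other members already granted that role on the GSA,
# matching the behaviour of `gcloud ... add-iam-policy-binding`.
# service_account_id takes the full resource name, which is what the
# `.name` attribute of google_service_account returns.
resource "google_service_account_iam_member" "workload_identity" {
  service_account_id = google_service_account.app.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project}.svc.id.goog[${var.namespace}/${var.ksa_name}]"
}

# The Kubernetes side: the KSA must carry the iam.gke.io/gcp-service-account
# annotation pointing at the GSA email, otherwise the GKE metadata server
# will not exchange the KSA's token for GSA credentials.
resource "kubernetes_service_account" "app" {
  metadata {
    name      = var.ksa_name
    namespace = var.namespace
    annotations = {
      "iam.gke.io/gcp-service-account" = google_service_account.app.email
    }
  }
}
```

The bracketed `[namespace/ksa]` suffix that looks awkward in the gcloud command is just part of the member string, so Terraform needs nothing special for it; the trailing positional argument of the gcloud command (the GSA email) is what becomes `service_account_id`. Pick `_member` when other tooling or teams may also grant `roles/iam.workloadIdentityUser` on the same GSA, and `_binding` only when you want Terraform to be the sole source of truth for that role's members and to remove anything it does not know about.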