How do I create the workload identity IAM bindings in terraform?

Hey folks.

The workload identity docs have:

gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:project-id.svc.id.goog[k8s-namespace/ksa-name]" \
  gsa-name@project-id.iam.gserviceaccount.com

Notice the trailing bit there. I cannot for the life of me figure out how to combine something like iam member with something else to come up with the equivalent command in TF.

Ideas?


Something like this should work @tibers. This is what I did. Keep in mind that this will wipe out anything else that you might have configured for it currently. Best to test it out on a test account to see how it works.

resource "google_service_account_iam_binding" "workload_identity_binding" {
  service_account_id = google_service_account.service_account.name
  role               = "roles/iam.workloadIdentityUser"
  members = [
    "serviceAccount:${var.project}.svc.id.goog[<namespace>/<ksa>]"
  ]
}

This doesn't work. It throws this error:

projects/(?:(?:[-a-z0-9]{1,63}\.)(?:a-z?):)?(?:[0-9]{1,19}|(?:a-z0-9?)|-)/serviceAccounts/((?:(?:[-a-z0-9]{1,63}\.)(?:a-z?):)?(?:[0-9]{1,19}|(?:a-z0-9?))@[a-z]+.gserviceaccount.com$|[0-9]{1,20}-compute@developer.gserviceaccount.com|a-z@[-a-z0-9\.]{1,63}\.iam\.gserviceaccount\.com$


service_account_id is the fully-qualified name of the service account to apply the policy to.

projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_EMAIL
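A complete, added example (not code from this thread) that wires the whole Workload Identity binding together. It uses the non-authoritative google_service_account_iam_member, which only adds this one member to the role instead of replacing every member the way google_service_account_iam_binding does, and scopes the member to a single namespace and KSA. The project variable, the namespace app and the KSA name app-sa are placeholders.

```hcl
# Added example; the project ID, namespace and KSA name are placeholders.
variable "project" {
  type = string
}

resource "google_service_account" "gsa" {
  project      = var.project
  account_id   = "app-gsa"
  display_name = "GSA impersonated by the app KSA via Workload Identity"
}

# Non-authoritative: grants just this member on the role and leaves any other
# members of roles/iam.workloadIdentityUser managed elsewhere untouched.
resource "google_service_account_iam_member" "workload_identity_user" {
  # google_service_account.name is already the fully-qualified
  # projects/PROJECT_ID/serviceAccounts/EMAIL form the resource expects.
  service_account_id = google_service_account.gsa.name
  role               = "roles/iam.workloadIdentityUser"

  # Scoped to one namespace and one KSA, never the whole pool.
  member = "serviceAccount:${var.project}.svc.id.goog[app/app-sa]"
}

# Kubernetes side: the KSA must carry the annotation pointing at the GSA email.
# Assumes a configured kubernetes provider for the cluster.
resource "kubernetes_service_account" "ksa" {
  metadata {
    name      = "app-sa"
    namespace = "app"
    annotations = {
      "iam.gke.io/gcp-service-account" = google_service_account.gsa.email
    }
  }
}
```

After apply, `gcloud iam service-accounts get-iam-policy app-gsa@PROJECT_ID.iam.gserviceaccount.com` should list the single `serviceAccount:PROJECT_ID.svc.id.goog[app/app-sa]` member under roles/iam.workloadIdentityUser.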