How do I create the workload identity IAM bindings in terraform?

Hey folks.

The workload identity docs have:

gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "[k8s-namespace/ksa-name]" \

Notice the trailing bit there. I cannot for the life of me figure out how to combine something like iam member with something else to come up with the equivalent command in TF.


Something like this should work @tibers. This is what I did. Keep in mind that this will wipe out anything else that you might have configured for it currently. Best to test it out on a test account to see how it works.

resource "google_service_account_iam_binding" "workload_identity_binding" {
  service_account_id =
  role = "roles/iam.workloadIdentityUser"
  members = [
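A complete Terraform equivalent of that gcloud command, added here as an example rather than the poster's own code, using the non-authoritative `google_service_account_iam_member` resource so that only this one binding is added and other bindings on the service account are left in place. The project id, namespace, KSA name and GSA name are assumed placeholders.

```hcl
# Added example, not the poster's code. All names below are assumed placeholders.
locals {
  project_id    = "my-project"
  k8s_namespace = "app-ns"
  ksa_name      = "app-ksa"
}

# The Google service account the pod will run as. Grant it only the roles the
# workload actually needs; Workload Identity only controls who may impersonate it.
resource "google_service_account" "app" {
  project      = local.project_id
  account_id   = "app-gsa"
  display_name = "Workload Identity GSA for app"
}

# Equivalent of:
#   gcloud iam service-accounts add-iam-policy-binding \
#     --role roles/iam.workloadIdentityUser \
#     --member "serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA]" GSA_EMAIL
# The member is the KSA expressed through the project's workload identity pool.
# *_iam_member is additive, so it does not wipe bindings managed elsewhere the
# way *_iam_binding does for the same role.
resource "google_service_account_iam_member" "workload_identity" {
  service_account_id = google_service_account.app.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${local.project_id}.svc.id.goog[${local.k8s_namespace}/${local.ksa_name}]"
}

# Kubernetes side of the mapping: the KSA must carry the annotation that names
# the GSA, or GKE will not exchange its token for GSA credentials.
resource "kubernetes_service_account" "app" {
  metadata {
    name      = local.ksa_name
    namespace = local.k8s_namespace
    annotations = {
      "iam.gke.io/gcp-service-account" = google_service_account.app.email
    }
  }
}
```

Scope the namespace/KSA pair as narrowly as possible; any pod using that KSA in that namespace can obtain the GSA's credentials.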