How to create the GCP workload identity IAM bindings in Terraform?

GCP allows the Kubernetes service account to impersonate the IAM service account by adding an IAM policy binding between the two service accounts. This binding allows the Kubernetes service account to act as the IAM service account.

gcloud iam service-accounts add-iam-policy-binding GSA_NAME@GSA_PROJECT.iam.gserviceaccount.com \
    --role roles/iam.workloadIdentityUser \
    --member "serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]"

We would like to create the same via Terraform resource and we tried this way, refer: article

resource "google_service_account_iam_binding" "service-account-iam" {
  service_account_id = "GSA_NAME@GSA_PROJECT.iam.gserviceaccount.com"
  role               = "roles/iam.workloadIdentityUser"
  members = [
    "serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]",
  ]
}

But we received the below error:

Error: "service_account_id" ("[email protected]") doesn't match regexp "projects/(?:(?:[-a-z0-9]{1,63}\.)(?:a-z?):)?(?:[0-9]{1,19}|(?:a-z0-9?)|-)/serviceAccounts/((?:(?:[-a-z0-9]{1,63}\.)(?:a-z?):)?(?:[0-9]{1,19}|(?:a-z0-9?))@[a-z]+.gserviceaccount.com$|[0-9]{1,20}[email protected]|a-z@[-a-z0-9\.]{1,63}\.iam\.gserviceaccount\.com$)"

What's wrong here?

asked by Nitin Garg, Oct 23 '25 00:10


1 Answer

service_account_id is the fully-qualified name of the service account to apply the policy to.

projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_EMAIL

answered by John Hanley, Oct 24 '25 18:10
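A complete configuration that applies the answer above, added here as an illustration rather than as the answerer's own code. It assumes hypothetical names (a project `my-project`, a Google service account `app-gsa`, a Kubernetes service account `app-ksa` in namespace `default`); substitute your own. It creates the service account in Terraform so that `google_service_account.app.name`, which the provider already returns in the `projects/PROJECT_ID/serviceAccounts/EMAIL` form, can be passed straight to `service_account_id`, and it uses `google_service_account_iam_member` so the grant is scoped to exactly one Kubernetes service account:

```hcl
# Added example, not the original answer's code. All values below are assumptions.
variable "project_id" { default = "my-project" }  # hypothetical project ID
variable "gsa_name"   { default = "app-gsa" }     # hypothetical Google service account
variable "namespace"  { default = "default" }     # Kubernetes namespace of the KSA
variable "ksa_name"   { default = "app-ksa" }     # hypothetical Kubernetes service account

# The Google service account that the Kubernetes workload will impersonate.
resource "google_service_account" "app" {
  project      = var.project_id
  account_id   = var.gsa_name
  display_name = "GSA impersonated by ${var.namespace}/${var.ksa_name}"
}

# Equivalent of:
#   gcloud iam service-accounts add-iam-policy-binding GSA_EMAIL \
#     --role roles/iam.workloadIdentityUser \
#     --member "serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]"
#
# service_account_id must be the fully-qualified resource name, i.e.
# projects/PROJECT_ID/serviceAccounts/EMAIL, which is what the .name
# attribute of google_service_account yields. Passing only the e-mail
# address is what triggers the "doesn't match regexp" error in the question.
resource "google_service_account_iam_member" "workload_identity" {
  service_account_id = google_service_account.app.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[${var.namespace}/${var.ksa_name}]"
}

# If the service account is managed outside Terraform, build the name by hand:
#   service_account_id = "projects/${var.project_id}/serviceAccounts/${var.gsa_name}@${var.project_id}.iam.gserviceaccount.com"
```

Two points worth keeping in mind. `google_service_account_iam_member` is additive: it grants the role to one member and leaves other members of that role alone, whereas `google_service_account_iam_binding` (used in the question) is authoritative for the role and will remove any member holding `roles/iam.workloadIdentityUser` on that service account that is not listed in `members`, which is easy to do by accident when several namespaces share one GSA. The binding is also only half of the trust relationship: the Kubernetes service account on the cluster side must still carry the `iam.gke.io/gcp-service-account` annotation pointing at the GSA e-mail before pods can obtain the GSA's credentials.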


