TL;DR
Add option to attach roles/iam.serviceAccountOpenIdTokenCreator & roles/iam.serviceAccountTokenCreator just on the SA itself instead of at the project level
Terraform Resources
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam
Detailed design
Change field roles to roles_project_level to clarify these roles are granted at project level
Create optional list field roles_sa_level to clarify these roles are granted on the GCP Service account
roles_sa_level will allow only roles/iam.serviceAccountTokenCreator & roles/iam.serviceAccountOpenIdTokenCreator, taken from https://cloud.google.com/iam/docs/service-account-permissions. roles/iam.serviceAccountUser is not needed as the SA already has that role on itself. We'll use `validate` to check that the user-provided list is not greater than 2 and that each value is one of the above 2 roles.
We'll add a https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_iam#google_service_account_iam_member in https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/blob/master/modules/workload-identity/main.tf and use for_each to attach these roles at the SA level.
Additional information
Our team faced the issue where we wanted to attach roles/iam.serviceAccountTokenCreator on the GCP SA itself but the roles field in workload-identity module gives roles to the SA at the project level which can be a security risk. We had to use this module to attach the role on the SA itself. It would be nice to have the option to specify roles on the SA itself within the workload-identity module.
Please let me know if this sounds good. If yes, I can start working on it.
Thanks!
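As an added illustration of the proposed design (not code from the issue author or from the workload-identity module), here is what the `roles_sa_level` variable with its `validation` block and the `for_each` `google_service_account_iam_member` could look like, alongside the existing project-level pattern for contrast. The local names `local.gcp_sa_name` and `local.gcp_sa_email` are assumptions standing in for the module's own references to the GCP service account.

```hcl
# Existing pattern (for contrast): roles granted at PROJECT level, so the SA
# holds e.g. serviceAccountTokenCreator over every SA in the project.
variable "roles_project_level" {
  description = "IAM roles granted to the GCP SA at the project level."
  type        = list(string)
  default     = []
}

# Proposed: roles granted ON the GCP SA itself. Only the two token-creator
# roles are allowed, at most one of each, enforced by a validation block.
variable "roles_sa_level" {
  description = "IAM roles granted on the GCP service account itself."
  type        = list(string)
  default     = []

  validation {
    condition = length(var.roles_sa_level) <= 2 && alltrue([
      for r in var.roles_sa_level : contains([
        "roles/iam.serviceAccountTokenCreator",
        "roles/iam.serviceAccountOpenIdTokenCreator",
      ], r)
    ])
    error_message = "roles_sa_level accepts at most 2 entries, each of which must be roles/iam.serviceAccountTokenCreator or roles/iam.serviceAccountOpenIdTokenCreator."
  }
}

# Assumed locals: the full resource name and email of the module's GCP SA.
locals {
  gcp_sa_name  = "projects/my-project/serviceAccounts/my-sa@my-project.iam.gserviceaccount.com"
  gcp_sa_email = "my-sa@my-project.iam.gserviceaccount.com"
}

# Scoped binding: the SA gets the role only on itself, not on other SAs.
resource "google_service_account_iam_member" "sa_level_roles" {
  for_each = toset(var.roles_sa_level)

  service_account_id = local.gcp_sa_name
  role               = each.value
  member             = "serviceAccount:${local.gcp_sa_email}"
}
```

With `roles_sa_level = ["roles/iam.serviceAccountTokenCreator"]` Terraform creates one binding on that SA only; passing any other role, or more than two entries, fails at `terraform plan` with the validation error.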