GCP IAM

Andy Potanin edited this page Jun 21, 2026 · 3 revisions

Grants a single IAM role to a member on a GCP project.

Use this module when a Rabbit service needs to bind an IAM role to a user or service account at the project level.

Supported Features

  • Project-level IAM member binding.
  • Any IAM role supported by GCP.

Prerequisites

  • GCP credentials that can set the IAM policy on the target project (the resourcemanager.projects.setIamPolicy permission, for example via roles/resourcemanager.projectIamAdmin or Owner).

Important Notes

  • This module creates a single google_project_iam_member resource, which is additive: it adds the member to the role and does not remove or replace other members already bound to that role (unlike an authoritative google_project_iam_binding, which makes the role's member list exactly what it declares).
  • user_email should be a full IAM member identifier with its type prefix, such as user:email@example.com or serviceAccount:sa@project.iam.gserviceaccount.com (group: and domain: identifiers are also valid).
  • role defaults to roles/storage.objectAdmin when not specified. That default grants full control over all Cloud Storage objects in the project, so set role explicitly to the least-privileged role the service actually needs.

Minimal Example

services:
  - name: "GCP IAM"
    module: "gcp-iam"
    id: "iam-binding"
    deployment_order: 50
    configurations:
      project: "my-project-id"
      user_email: "serviceAccount:worker@my-project-id.iam.gserviceaccount.com"
      role: "roles/cloudsql.client"
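The following script is an added example and is not part of the gcp-iam module or the Rabbit project. It does two things a practitioner wants before applying the configuration above: it validates the configurations block (member prefix, role name, and whether the broad default role would be granted because role was omitted), and it simulates the additive semantics described under Important Notes against a constructed IAM policy document, showing that google_project_iam_member keeps existing members of the role while an authoritative role binding would replace them. The policy document, the etag and the api@ service account are constructed sample data; the function names and the Python-dict form of the YAML block are assumptions of the example.

```python
"""Pre-deployment checks for a gcp-iam service entry (added example, not module code)."""
import copy
import re

# Member types GCP IAM accepts in a policy binding.
MEMBER_PREFIXES = ("user:", "serviceAccount:", "group:", "domain:")
# Predefined roles (roles/x.y) or project-level custom roles (projects/p/roles/x).
ROLE_RE = re.compile(r"^(roles/[A-Za-z0-9.]+|projects/[^/]+/roles/[A-Za-z0-9_.]+)$")
DEFAULT_ROLE = "roles/storage.objectAdmin"  # the module default documented on this page


def check_configuration(cfg):
    """Return a list of findings for one configurations block; empty means it looks fine."""
    findings = []
    for key in ("project", "user_email"):
        if not cfg.get(key):
            findings.append(f"{key} is required")
    member = cfg.get("user_email", "")
    if member and not member.startswith(MEMBER_PREFIXES):
        findings.append(
            f"user_email {member!r} lacks an IAM member prefix "
            f"(expected one of {', '.join(MEMBER_PREFIXES)})"
        )
    role = cfg.get("role")
    if role is None:
        # Omitting role is not an error for the module, but it silently grants the broad default.
        findings.append(f"role not set; module default {DEFAULT_ROLE} will be granted")
    elif not ROLE_RE.match(role):
        findings.append(f"role {role!r} is not a roles/... or projects/.../roles/... name")
    return findings


def add_member(policy, role, member):
    """google_project_iam_member semantics: add one member to a role, keep everyone else."""
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def set_binding(policy, role, members):
    """google_project_iam_binding semantics: the role's member list becomes exactly `members`."""
    new = copy.deepcopy(policy)
    new["bindings"] = [b for b in new["bindings"] if b["role"] != role]
    new["bindings"].append({"role": role, "members": list(members)})
    return new


def members_of(policy, role):
    """Sorted members currently bound to `role` in the policy (empty list if none)."""
    for binding in policy["bindings"]:
        if binding["role"] == role:
            return sorted(binding["members"])
    return []


# Constructed sample of a `gcloud projects get-iam-policy` result; not real project data.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/cloudsql.client",
         "members": ["serviceAccount:api@my-project-id.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["group:devs@example.com"]},
    ],
    "etag": "BwXConstructed=",
    "version": 1,
}

# The minimal example's configurations block, as it would parse from the YAML.
EXAMPLE_CONFIG = {
    "project": "my-project-id",
    "user_email": "serviceAccount:worker@my-project-id.iam.gserviceaccount.com",
    "role": "roles/cloudsql.client",
}


if __name__ == "__main__":
    print("findings:", check_configuration(EXAMPLE_CONFIG) or "none")
    role, member = EXAMPLE_CONFIG["role"], EXAMPLE_CONFIG["user_email"]
    print("additive   :", members_of(add_member(SAMPLE_POLICY, role, member), role))
    print("authoritative:", members_of(set_binding(SAMPLE_POLICY, role, [member]), role))
```

Running the script shows the additive apply leaving both the existing api@ account and the new worker@ account on roles/cloudsql.client, while the authoritative form drops api@. After a real apply, compare `gcloud projects get-iam-policy my-project-id` against the expectation the same way, and treat a missing role in the YAML as a finding rather than relying on the default.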

Outputs

Output            Description
user_iam_binding  The member and role that were bound.

Full Configuration Schema

The keys of the configurations block are passed straight through as the module's Terraform variables; there is no further YAML-level mapping.

Field       Type    Required  Description
project     string  Yes       GCP project ID.
user_email  string  Yes       IAM member identifier, including its type prefix.
role        string  No        IAM role to grant. Defaults to roles/storage.objectAdmin.
