google-iam-no-folder-level-default-service-account-assignment.md

File metadata and controls

36 lines (26 loc) · 831 Bytes

Pattern: Roles assigned to default service account for Google IAM

Issue: -

Description

The Google-managed default service accounts (such as the Compute Engine default account) should not be granted IAM roles; because they are shared by every resource in a project that runs with them, a role bound at folder level extends that access far more widely than intended. Create specialised service accounts for individual purposes instead.

Resolution: Use specialised service accounts for specific purposes.

Examples

Example of incorrect code:

```hcl
resource "google_folder_iam_member" "folder-123" {
  folder = "folder-123"
  role   = "roles/whatever"
  # The member is the project's Compute Engine default service account; the
  # "serviceAccount:" prefix is required by the provider for any member string.
  member = "serviceAccount:123-compute@developer.gserviceaccount.com"
}
```

Example of correct code:

```hcl
# A dedicated service account created for this single purpose.
resource "google_service_account" "test" {
  account_id   = "account123"
  display_name = "account123"
}

resource "google_folder_iam_member" "folder-123" {
  folder = "folder-123"
  role   = "roles/whatever"
  # Bind the role to the dedicated account rather than a default one.
  member = "serviceAccount:${google_service_account.test.email}"
}
```