terraform-google-modules/terraform-google-iam

Workload Identity Binding Issue

akath19 opened this issue · 2 comments

Hey,

I'm trying to add bindings to service accounts for Workload Identity through the module in the following way:

module "vault_service_account" {
  source  = "terraform-google-modules/service-accounts/google"
  version = "2.0.2"

  # Project to create service account in
  project_id = data.terraform_remote_state.project_in_scope.outputs.project_id

  names = [
    "${var.project_prefix}-vault"
  ]

  # Service account should only have permissions for KMS (encryption keys) & storage
  project_roles = [
    "${data.terraform_remote_state.project_in_scope.outputs.project_id}=>roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "${data.terraform_remote_state.project_in_scope.outputs.project_id}=>roles/storage.objectAdmin"
  ]
}

module "vault_iam_service_accounts_iam" {
  source  = "terraform-google-modules/iam/google//modules/service_accounts_iam"
  version = "6.1.0"

  service_accounts = [
    module.vault_service_account.email
  ]

  project = data.terraform_remote_state.project_in_scope.outputs.project_id

  mode = "authoritative"

  bindings = {
    "roles/iam.workloadIdentityUser" = [
      "serviceAccount:${data.terraform_remote_state.project_in_scope.outputs.project_id}.svc.id.goog[vault/services]"
    ]
  }
}

When I try running this, I'm getting the following error:

Error: Error applying IAM policy for service account 'projects/reference-cde-47d5/serviceAccounts/reference-loki@reference-cde-47d5.iam.gserviceaccount.com': Error setting IAM policy for service account 'projects/reference-cde-47d5/serviceAccounts/reference-loki@reference-cde-47d5.iam.gserviceaccount.com': googleapi: Error 400: Identity namespace does not exist (reference-cde-47d5.svc.id.goog)., badRequest

  on .terraform/modules/loki_iam_service_accounts_iam/terraform-google-iam-6.1.0/modules/service_accounts_iam/main.tf line 30, in resource "google_service_account_iam_binding" "service_account_iam_authoritative":
  30: resource "google_service_account_iam_binding" "service_account_iam_authoritative" {

What I find weird (and the reason I'm creating the issue) is that if I run the gcloud equivalent:

gcloud iam service-accounts add-iam-policy-binding --role roles/iam.workloadIdentityUser --member "serviceAccount:reference-cde-47d5.svc.id.goog[vault/services]" reference-vault@reference-cde-47d5.iam.gserviceaccount.com

Everything works successfully:

Updated IAM policy for serviceAccount [reference-vault@reference-cde-47d5.iam.gserviceaccount.com].
bindings:
- members:
  - serviceAccount:reference-cde-47d5.svc.id.goog[vault/services]
  role: roles/iam.workloadIdentityUser
etag: BwWmLtVTJtE=
version: 1

Finally, I also checked that the Identity namespace is correctly created when creating the cluster and the SA/binding combo are created after the cluster is finished creating.

My question is: do I have to do some specific configuration inside the module, or is there an underlying issue that might be preventing this? (Both the SA and the binding are created in the same Terraform file, and the SA is guaranteed to be created first via depends_on in the outputs.)
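The same Workload Identity binding written against the provider resource directly rather than through the `service_accounts_iam` module, as an added example that is not the issue author's or the module's own code. It assumes a `google_container_cluster.vault_cluster` resource in the same configuration (the cluster whose `workload_identity_config` creates the `PROJECT.svc.id.goog` pool) and a `var.project_id` variable in place of the remote-state output; the `vault/services` namespace/KSA pair and the roles are the ones from the post. It makes the ordering against the cluster explicit and uses a non-authoritative member resource; it is not a confirmed fix for the error above.

```hcl
# Added example, not the module's or the issue author's code.
# Assumed: google_container_cluster.vault_cluster exists in this configuration
# with workload_identity_config set, and var.project_id / var.project_prefix are defined.

locals {
  project_id = var.project_id

  # Workload Identity member format: serviceAccount:PROJECT.svc.id.goog[NAMESPACE/KSA]
  # The pool name (PROJECT.svc.id.goog) is what the 400 "Identity namespace does not exist"
  # error refers to; it only exists once a cluster with workload_identity_config is up.
  vault_ksa_member = "serviceAccount:${local.project_id}.svc.id.goog[vault/services]"
}

module "vault_service_account" {
  source  = "terraform-google-modules/service-accounts/google"
  version = "2.0.2"

  project_id = local.project_id
  names      = ["${var.project_prefix}-vault"]

  # Least privilege: only the roles the workload needs (KMS encrypt/decrypt and object access).
  project_roles = [
    "${local.project_id}=>roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "${local.project_id}=>roles/storage.objectAdmin",
  ]
}

# Non-authoritative: adds exactly this member to the role on this service account
# without replacing any other members, unlike the module's "authoritative" mode.
resource "google_service_account_iam_member" "vault_workload_identity" {
  # service_account_id accepts the full resource name projects/{project}/serviceAccounts/{email}
  service_account_id = "projects/${local.project_id}/serviceAccounts/${module.vault_service_account.email}"
  role               = "roles/iam.workloadIdentityUser"
  member             = local.vault_ksa_member

  # Make the dependency on the cluster that owns the identity pool explicit, so the
  # binding is never attempted before the pool exists.
  depends_on = [google_container_cluster.vault_cluster]
}
```

With this shape, `terraform plan` shows the cluster, the service account and the binding as an ordered chain, and the binding's `member` value can be compared character for character against the `--member` argument of the `gcloud` command that succeeds. Because the member resource is non-authoritative, it also cannot silently remove other `roles/iam.workloadIdentityUser` members that were added outside Terraform, which is worth knowing before switching a binding from `authoritative` mode.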

Could you possibly share the Terraform debug logs?

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.