terraform-google-modules/terraform-google-iam

Conditional binding for Service Account roles

minzetaos opened this issue · 6 comments

TL;DR

The submodule member-iam service_accounts_iam doesn't support conditional binding, which is inconvenient for managing a service account's permissions through Terraform. Do you guys consider updating the module?

Terraform Resources

Add condition block to main.tf for resource "google_project_iam_member"

Detailed design

No response

Additional information

No response

Can you please elaborate which sub-module is missing conditional support?

It's the service_accounts_iam module. It has a conditional block for its principals, but it looks like it doesn't have a conditional block for its own permissions, which should involve the resource google_project_iam_member or google_organization_iam_member.

@minzetaos The purpose of the service account IAM module is to grant permissions on the service account. It is not granting permissions to the service account on a project or organization.

@imrannayer But wouldn't it be better and more common sense that the service account module also includes granting the service account permissions on resources? Otherwise, users have to use two modules to control one service account.

@minzetaos These are two separate use cases, and that's why they are handled by separate modules. You can write a wrapper module which calls both modules to combine the functionality if you have a repetitive use case.
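The wrapper suggested above, as an added example that is not part of this issue or of the module repo: it grants principals a role on the service account through the service_accounts_iam submodule, and separately grants the service account itself a role on the project through a plain google_project_iam_member with a condition block. The module source path, its input names (project, service_accounts, mode, bindings) and the pinned version are assumptions about the module's interface; the project id, service account email, group and bucket name are placeholders.

```hcl
# Added example; not from terraform-google-modules/terraform-google-iam.
# Placeholder identifiers: replace before use.
variable "project_id" { default = "my-project-placeholder" }
variable "sa_email"   { default = "deployer@my-project-placeholder.iam.gserviceaccount.com" }

# 1) Who may use the service account: the part the submodule already covers.
module "sa_iam" {
  source  = "terraform-google-modules/iam/google//modules/service_accounts_iam"
  version = "~> 7.0" # assumption: pin to the version you actually use

  project          = var.project_id
  service_accounts = [var.sa_email]
  mode             = "authoritative" # assumption: the module's authoritative/additive switch

  bindings = {
    "roles/iam.serviceAccountUser" = [
      "group:ci-operators@example.com", # placeholder principal
    ]
  }
}

# 2) What the service account may do on the project: the part the issue asks for.
#    The IAM condition narrows the role to objects in one bucket, so the SA does
#    not get project-wide object read access.
resource "google_project_iam_member" "sa_release_reader" {
  project = var.project_id
  role    = "roles/storage.objectViewer"
  member  = "serviceAccount:${var.sa_email}"

  condition {
    title       = "release-artifacts-only"
    description = "Read limited to objects in the release-artifacts bucket"
    # Trailing "/objects/" matters: a bare bucket prefix would also match
    # "release-artifacts-old" and any other bucket sharing the prefix.
    expression = "resource.name.startsWith(\"projects/_/buckets/release-artifacts/objects/\")"
  }
}
```

After apply, `gcloud projects get-iam-policy my-project-placeholder --format=json` lists the conditional grant as its own binding entry carrying a `condition` object, separate from any unconditional binding for the same role; review both when auditing what the service account can reach.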

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.