This module allows easy creation of one or more service accounts, and granting them basic roles.
The resources/services/activations/deletions that this module will create/trigger are:
- one or more service accounts
- optional project-level IAM role bindings for each service account
- one optional billing IAM role binding per service account, at the organization or billing account level
- two optional organization-level IAM bindings per service account, to enable the service accounts to create and manage Shared VPC networks
- one optional service account key per service account
Basic usage of this module is as follows:
module "service_accounts" {
source = "terraform-google-modules/service-accounts/google"
version = "~> 0.1"
project_id = "<PROJECT ID>"
prefix = ""
names = ["test-first", "test-second"]
project_roles = [
"project-foo=>roles/viewer",
"project-spam=>roles/storage.objectViewer",
]
}Functional examples are included in the examples directory.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| billing_account_id | If assigning billing role, specificy a billing account (default is to assign at the organizational level). | string | "" |
no |
| generate_keys | Generate keys for service accounts. | string | "false" |
no |
| grant_billing_role | Grant billing user role. | string | "false" |
no |
| grant_xpn_roles | Grant roles for shared VPC management. | string | "true" |
no |
| names | Names of the service accounts to create. | list | <list> |
no |
| org_id | Id of the organization for org-level roles. | string | "" |
no |
| prefix | Prefix applied to service account names. | string | "" |
no |
| project_id | Project id where service account will be created. | string | n/a | yes |
| project_roles | Common roles to apply to all service accounts, project=>role as elements. | list | <list> |
no |
| Name | Description |
|---|---|
| Service account email (single-use case). | |
| emails | Map of service account emails. |
| iam_email | IAM-format service account email (single-use case). |
| iam_emails | IAM-format service account emails. |
| keys | Map of service account keys. |
These sections describe requirements for using this module.
The following dependencies must be available:
- Terraform v0.11
- Terraform Provider for GCP plugin >= v2.0
Service account or user credentials with the following roles must be used to provision the resources of this module:
- Service Account Admin:
roles/iam.serviceAccountAdmin - roles needed to grant optional IAM roles at the project or organizational level
Refer to the contribution guidelines for information on contributing to this module.