我使用Terraform在GCP中创建了一个服务帐号和自定义角色。如何将此自定义角色附加到服务帐号?我可以使用GCP控制台来完成这个操作,但这里的需求是使用Terraform进行操作。以下是我用于创建服务帐号和自定义角色的代码片段,请参考。
resource "google_service_account" "mservice_infra_service_account" {
account_id = "mserviceinfra-service-account"
display_name = "Infrastructure Service Account"
}
resource "google_project_iam_custom_role" "mservice_infra_admin" {
role_id = "mservice_infra_admin"
title = "mservice_infra_admin"
description = "Infrastructure Administrator Custom Role"
permissions = ["compute.disks.create", "compute.firewalls.create", "compute.firewalls.delete", "compute.firewalls.get", "compute.instanceGroupManagers.get", "compute.instances.create", "compute.instances.delete", "compute.instances.get", "compute.instances.setMetadata", "compute.instances.setServiceAccount", "compute.instances.setTags", "compute.machineTypes.get", "compute.networks.create", "compute.networks.delete", "compute.networks.get", "compute.networks.updatePolicy", "compute.subnetworks.create", "compute.subnetworks.delete", "compute.subnetworks.get", "compute.subnetworks.setPrivateIpGoogleAccess", "compute.subnetworks.update", "compute.subnetworks.use", "compute.subnetworks.useExternalIp", "compute.zones.get", "container.clusters.create", "container.clusters.delete", "container.clusters.get", "container.clusters.update", "container.operations.get"]
}
如果有人能够找到一个基于Terraform的解决方案来解决这个问题,我们会非常感激。谢谢。
google_project_iam_member。角色属性可以简化为role = google_project_iam_custom_role.mservice_infra_admin.id。 - Matthew4.0.0,则需要定义 TF 资源google_project_iam_binding的属性 project,如下所示:resource "google_project_iam_binding" "mservice_infra_binding" { role = "projects/${data.google_project.project.project_id}/roles/${google_project_iam_custom_role.mservice_infra_admin.role_id}" project = data.google_project.project.project_id members = [ "serviceAccount:${google_service_account.mservice_infra_service_account.email}", ] }- Thomas B