
How Do I Provision a GCP Service Account IAM Binding With Pulumi?

Introduction

This guide walks through creating a Google Cloud Platform (GCP) service account and granting it a role with a project-level IAM binding using Pulumi. Managing the binding as code lets you declare exactly which principals hold a role and review that grant like any other change. Whether the result actually follows the principle of least privilege depends on the role and scope you choose, so treat the role in the example as a placeholder to narrow for your own workload.

Objective

We will demonstrate how to create a service account and grant it roles/storage.admin at the project level. Note that roles/storage.admin is a broad role: it gives the service account full control over every bucket and object in the project, including the ability to change bucket IAM policies. If the workload only needs to read or write objects in particular buckets, prefer a narrower role (for example roles/storage.objectViewer or roles/storage.objectAdmin) and bind it on the bucket rather than the project.

Step-by-step Guide

  1. Configure the provider: Set the default project for the GCP provider (for example with `pulumi config set gcp:project <your-project-id>`). The example does not declare an explicit provider resource and needs no region, since neither service accounts nor project IAM bindings are regional.
  2. Create the service account: Define the account ID (which becomes the local part of its email address) and a display name.
  3. Set the IAM binding: Grant a specific IAM role to the service account at the project level. gcp.projects.IAMBinding is authoritative for the role it names: the members you list become the only holders of that role in the project.
  4. Outputs: Export the service account email and fully-qualified name for use by other stacks or scripts.

Code Example

Here is the complete configuration in TypeScript:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// The service account itself. The project is taken from the provider
// configuration (pulumi config set gcp:project <id>) unless overridden.
const myServiceAccount = new gcp.serviceaccount.Account("my_service_account", {
    accountId: "my-service-account",   // local part of the resulting email address
    displayName: "My Service Account",
});

// Project-level binding. IAMBinding is authoritative for this role: after
// `pulumi up`, the members listed here are the only principals holding
// roles/storage.admin in the project, and any other existing members are removed.
const saStorageAdmin = new gcp.projects.IAMBinding("sa_storage_admin", {
    project: "your-gcp-project-id",    // replace with your project ID
    role: "roles/storage.admin",
    members: [pulumi.interpolate`serviceAccount:${myServiceAccount.email}`],
});

// Stack outputs: the email is what other resources reference as
// `serviceAccount:<email>`; name is the fully-qualified resource name
// (projects/<project>/serviceAccounts/<email>).
export const serviceAccountEmail = myServiceAccount.email;
export const serviceAccountName = myServiceAccount.name;

Key Points

  • Provider Configuration: The GCP provider takes its project from stack configuration (`gcp:project`); the binding additionally passes the project ID explicitly. No region is required for these resources.
  • Service Account Creation: Uses the gcp.serviceaccount.Account resource to create a new service account.
  • IAM Role Assignment: Uses the gcp.projects.IAMBinding resource to grant roles/storage.admin. Because IAMBinding is authoritative for its role, it will remove any other members that currently hold that role in the project. If you only want to add the service account alongside existing members, use gcp.projects.IAMMember instead, which manages a single member without touching the others.
  • Output Information: Exports the email and fully-qualified name of the created service account for further use.
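The difference between an authoritative binding and an additive membership is easy to get wrong, and the cost of getting it wrong is locking existing operators out of a role. The following block is an added example, not code from the original page or from the Pulumi GCP provider: it models a project IAM policy as the list of role/member bindings the GCP API returns and applies the two operations to it in pure TypeScript, so it runs without a GCP project. The sample policy, the `example.com` principals and the service account email are constructed for illustration; `evictedByBinding` is a pre-flight check you could run against the output of `gcloud projects get-iam-policy <project> --format=json` before applying an IAMBinding.

```typescript
// Added example: models how a GCP project IAM policy changes under an
// authoritative binding (gcp.projects.IAMBinding) versus an additive
// membership (gcp.projects.IAMMember). All data below is constructed.

interface IamBinding {
    role: string;
    members: string[];
}

interface IamPolicy {
    bindings: IamBinding[];
}

// Assumed service account email (hypothetical project ID).
const SA_MEMBER =
    "serviceAccount:my-service-account@your-gcp-project-id.iam.gserviceaccount.com";

// Constructed policy standing in for `gcloud projects get-iam-policy` output:
// two existing holders of roles/storage.admin, plus an unrelated role.
const samplePolicy: IamPolicy = {
    bindings: [
        {
            role: "roles/storage.admin",
            members: ["group:storage-ops@example.com", "user:alice@example.com"],
        },
        { role: "roles/viewer", members: ["group:everyone@example.com"] },
    ],
};

// Deep copy so callers' policies are never mutated.
function clonePolicy(policy: IamPolicy): IamPolicy {
    return { bindings: policy.bindings.map(b => ({ role: b.role, members: [...b.members] })) };
}

function membersForRole(policy: IamPolicy, role: string): string[] {
    return policy.bindings.find(b => b.role === role)?.members ?? [];
}

// Authoritative semantics (IAMBinding): the role's member list becomes exactly
// `members`; anyone not in that list loses the role.
function applyIamBinding(policy: IamPolicy, role: string, members: string[]): IamPolicy {
    const out = clonePolicy(policy);
    const existing = out.bindings.find(b => b.role === role);
    if (existing) {
        existing.members = [...members];
    } else {
        out.bindings.push({ role, members: [...members] });
    }
    return out;
}

// Additive semantics (IAMMember): one member is added to the role and the
// existing members are left alone.
function applyIamMember(policy: IamPolicy, role: string, member: string): IamPolicy {
    const out = clonePolicy(policy);
    const existing = out.bindings.find(b => b.role === role);
    if (existing) {
        if (!existing.members.includes(member)) {
            existing.members.push(member);
        }
    } else {
        out.bindings.push({ role, members: [member] });
    }
    return out;
}

// Pre-flight check: which current holders of `role` would be removed if the
// authoritative binding with `members` were applied. A non-empty result means
// `pulumi up` will revoke access from someone other than the new member.
function evictedByBinding(policy: IamPolicy, role: string, members: string[]): string[] {
    return membersForRole(policy, role).filter(m => !members.includes(m));
}

const afterBinding = applyIamBinding(samplePolicy, "roles/storage.admin", [SA_MEMBER]);
const afterMember = applyIamMember(samplePolicy, "roles/storage.admin", SA_MEMBER);
const wouldEvict = evictedByBinding(samplePolicy, "roles/storage.admin", [SA_MEMBER]);
```

Run against the constructed policy, `wouldEvict` lists both `group:storage-ops@example.com` and `user:alice@example.com`: the authoritative binding from the guide would strip them of roles/storage.admin, while the additive form leaves them in place and appends the service account. The same check applies to bucket-level grants, where `gcp.storage.BucketIAMBinding` is authoritative and `gcp.storage.BucketIAMMember` is additive.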

Conclusion

This guide shows how to create a service account in GCP and grant it a role with an IAM binding using Pulumi. Exporting the service account's email and name lets other parts of your infrastructure reference it. The grant is only as narrow as the role and scope you choose: replace roles/storage.admin with the least role that covers the workload, bind at the bucket level where that suffices, and remember that IAMBinding is authoritative for its role, so check which existing members it would remove before applying it.
