How do I provision a GCP service account IAM binding with Pulumi?
In this guide, we’ll walk through the process of creating a Google Cloud Platform (GCP) service account and attaching an IAM binding to it. This is useful for defining specific permissions for your service accounts so that they can access the resources they need while maintaining the principle of least privilege.
We’ll create a service account and assign the roles/storage.admin role to it. This role allows the service account to manage Cloud Storage buckets and objects.
Step-by-step
- Define the provider: This specifies the GCP project and region.
- Create the service account: Define the name and description.
- Set the IAM binding: Assign a specific role to the service account.
- Outputs: Export the service account email and name for use in other parts of your configuration or scripts.
Here is the complete program in TypeScript:
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const myServiceAccount = new gcp.serviceaccount.Account("my_service_account", {
    accountId: "my-service-account",
    displayName: "My Service Account",
});

const saStorageAdmin = new gcp.projects.IAMBinding("sa_storage_admin", {
    project: "your-gcp-project-id",
    role: "roles/storage.admin",
    members: [pulumi.interpolate`serviceAccount:${myServiceAccount.email}`],
});

export const serviceAccountEmail = myServiceAccount.email;
export const serviceAccountName = myServiceAccount.name;
Explanation
- Provider: The GCP provider is configured with your project ID and region; in this program the project is also set explicitly on the IAM binding.
- Service Account Resource: The gcp.serviceaccount.Account resource (google_service_account in the underlying provider) creates a new service account with the specified accountId and displayName.
- IAM Binding Resource: The gcp.projects.IAMBinding resource (google_project_iam_binding) assigns the roles/storage.admin role to the service account. This binding is authoritative for the role: the role's member list becomes exactly the members given here, so any other principal that previously held roles/storage.admin on the project loses it. Use gcp.projects.IAMMember instead if you only want to add the service account without touching existing grants.
- Output Variables: These export the email and name of the created service account, which can be used in other configurations or referenced by users.
In summary, this program creates a GCP service account and assigns it the roles/storage.admin IAM role, with the outputs providing the details of the created service account. Project-wide roles/storage.admin is a broad grant; if the service account only needs one bucket, a bucket-level grant (gcp.storage.BucketIAMMember) or a narrower role such as roles/storage.objectAdmin keeps closer to least privilege.
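The following is an added example, not code from the page or from the Pulumi project: it models, without any cloud calls, what the page's authoritative gcp.projects.IAMBinding does to an existing project IAM policy compared with the additive gcp.projects.IAMMember, so you can see which principals a binding would displace before you deploy. The policy contents and the group and user identities are constructed sample data.

```typescript
// Added example, not from the Pulumi page: models what the page's
// gcp.projects.IAMBinding (authoritative) and the alternative
// gcp.projects.IAMMember (additive) do to an existing project IAM policy.
// The policy and identities below are constructed sample data.
type Binding = { role: string; members: string[] };
type Policy = { bindings: Binding[] };

// Member string in the form the page builds with pulumi.interpolate.
function serviceAccountMember(email: string): string {
  const saEmail = /^[a-z][a-z0-9-]{5,29}@[a-z0-9-]+\.iam\.gserviceaccount\.com$/;
  if (!saEmail.test(email)) {
    throw new Error("not a user-managed service account email: " + email);
  }
  return `serviceAccount:${email}`;
}

function roleMembers(policy: Policy, role: string): string[] {
  const hit = policy.bindings.filter(b => b.role === role)[0];
  return hit ? hit.members : [];
}

// Authoritative (IAMBinding): the role's member list becomes exactly
// `members`; anyone else holding the role is removed.
function applyBinding(policy: Policy, role: string, members: string[]): Policy {
  const others = policy.bindings.filter(b => b.role !== role);
  return { bindings: others.concat([{ role, members: members.slice() }]) };
}

// Additive (IAMMember): the member is added, existing holders are kept.
function applyMember(policy: Policy, role: string, member: string): Policy {
  const current = roleMembers(policy, role);
  const merged = current.indexOf(member) === -1 ? current.concat([member]) : current;
  const others = policy.bindings.filter(b => b.role !== role);
  return { bindings: others.concat([{ role, members: merged }]) };
}

// Principals that would silently lose `role` if the authoritative form
// is applied with `members`; a non-empty result is worth a review.
function displacedMembers(policy: Policy, role: string, members: string[]): string[] {
  return roleMembers(policy, role).filter(m => members.indexOf(m) === -1);
}

// Constructed sample: an operations group already holds roles/storage.admin.
const samplePolicy: Policy = {
  bindings: [
    { role: "roles/storage.admin", members: ["group:storage-ops@example.com"] },
    { role: "roles/viewer", members: ["user:alice@example.com"] },
  ],
};
const saMember = serviceAccountMember(
  "my-service-account@your-gcp-project-id.iam.gserviceaccount.com");
```

Running displacedMembers against a policy exported with gcloud before applying the binding shows exactly which existing grants the authoritative form would remove.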