
How do I provision a GCP service account IAM binding with Pulumi?

In this guide, we’ll walk through the process of creating a Google Cloud Platform (GCP) service account and setting an IAM binding to it. This is useful for defining specific permissions for your service accounts to ensure they can access the resources they need while maintaining the principle of least privilege.

We’ll create a service account and assign the roles/storage.admin role to it. This role allows the service account to manage Cloud Storage buckets and objects.

Step-by-step

  1. Configure the provider: Set the GCP project (and region) through Pulumi stack configuration, or pass the project explicitly on resources that need it, as the IAM binding below does.
  2. Create the service account: Define the name and description.
  3. Set the IAM binding: Assign a specific role to the service account.
  4. Outputs: Export the service account email and name for use in other parts of your configuration or scripts.

Here is the complete program in TypeScript:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Create the service account. accountId becomes the local part of the
// service account email (my-service-account@<project>.iam.gserviceaccount.com).
const myServiceAccount = new gcp.serviceaccount.Account("my_service_account", {
    accountId: "my-service-account",
    displayName: "My Service Account",
});

// Grant roles/storage.admin at the project level. Replace "your-gcp-project-id"
// with the target project. Note that IAMBinding is authoritative for the role:
// after this runs, the listed members are the only principals holding
// roles/storage.admin in the project; other roles in the policy are untouched.
const saStorageAdmin = new gcp.projects.IAMBinding("sa_storage_admin", {
    project: "your-gcp-project-id",
    role: "roles/storage.admin",
    members: [pulumi.interpolate`serviceAccount:${myServiceAccount.email}`],
});

// Stack outputs for use by other stacks or scripts.
export const serviceAccountEmail = myServiceAccount.email;
export const serviceAccountName = myServiceAccount.name;

Explanation

  • Provider configuration: The GCP provider takes the project and region from Pulumi stack configuration (the gcp:project and gcp:region keys); the binding above also sets project explicitly.
  • Service Account Resource: The gcp.serviceaccount.Account resource creates a new service account with the specified accountId and displayName.
  • IAM Binding Resource: The gcp.projects.IAMBinding resource assigns the roles/storage.admin role to the service account at the project level. The binding is authoritative for that role, so the members list replaces any existing holders of roles/storage.admin.
  • Output Variables: These export the email and name of the created service account, which can be used in other stacks or referenced by users.

In summary, this program creates a GCP service account and assigns it the roles/storage.admin IAM role, with the outputs providing the details of the created service account.
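The authoritative behaviour of gcp.projects.IAMBinding is the part of this program most worth checking before a deploy: it sets the member list for roles/storage.admin rather than adding to it. The following added example is not part of the original answer or of Pulumi's code; it is a small stand-in model of a GCP project IAM policy (the bindings list of role/members pairs) used to show what an authoritative binding does to existing members compared with the additive gcp.projects.IAMMember, and to compute which principals a binding would drop. The sample policy, the email addresses and the project id are constructed.

```typescript
// Minimal model of a GCP project IAM policy: a list of {role, members} bindings.
// Illustrative only; this is not the Pulumi provider or the Google API.
interface Binding {
  role: string;
  members: string[];
}

interface IamPolicy {
  bindings: Binding[];
}

// Members currently holding a role (empty if the role is not in the policy).
function membersOf(policy: IamPolicy, role: string): string[] {
  const b = policy.bindings.find((x) => x.role === role);
  return b ? b.members : [];
}

// Authoritative binding (what gcp.projects.IAMBinding manages): the role ends
// up with exactly the given members. Anyone who held the role but is not
// listed loses it. Other roles in the policy are preserved.
function applyAuthoritativeBinding(policy: IamPolicy, role: string, members: string[]): IamPolicy {
  const others = policy.bindings.filter((b) => b.role !== role);
  return { bindings: others.concat([{ role, members: Array.from(new Set(members)) }]) };
}

// Additive membership (what gcp.projects.IAMMember manages): one member is
// added to the role; existing members are kept. Idempotent for repeats.
function addMember(policy: IamPolicy, role: string, member: string): IamPolicy {
  const existing = policy.bindings.find((b) => b.role === role);
  if (!existing) {
    return { bindings: policy.bindings.concat([{ role, members: [member] }]) };
  }
  if (existing.members.indexOf(member) !== -1) {
    return policy;
  }
  return {
    bindings: policy.bindings.map((b) =>
      b.role === role ? { role, members: b.members.concat([member]) } : b
    ),
  };
}

// Pre-deploy review helper: which principals would an authoritative binding
// with `desired` members silently remove from `role`?
function membersDropped(policy: IamPolicy, role: string, desired: string[]): string[] {
  return membersOf(policy, role).filter((m) => desired.indexOf(m) === -1);
}

// Constructed sample policy (not from a real project).
const samplePolicy: IamPolicy = {
  bindings: [
    {
      role: "roles/storage.admin",
      members: [
        "user:alice@example.com",
        "serviceAccount:backup@example-project.iam.gserviceaccount.com",
      ],
    },
    { role: "roles/viewer", members: ["group:devs@example.com"] },
  ],
};

// Member string for the service account the page creates (constructed project id).
const newSaMember =
  "serviceAccount:my-service-account@your-gcp-project-id.iam.gserviceaccount.com";

// Same intent, two very different results.
const afterBinding = applyAuthoritativeBinding(samplePolicy, "roles/storage.admin", [newSaMember]);
const afterMember = addMember(samplePolicy, "roles/storage.admin", newSaMember);

console.log("IAMBinding result:", membersOf(afterBinding, "roles/storage.admin"));
console.log("IAMMember result: ", membersOf(afterMember, "roles/storage.admin"));
console.log("Dropped by binding:", membersDropped(samplePolicy, "roles/storage.admin", [newSaMember]));
```

Running it shows that the authoritative binding leaves only the new service account holding roles/storage.admin, while the additive form keeps the two existing principals. If the intent is to grant one more principal a role without owning the whole member list, gcp.projects.IAMMember is the safer resource; if the intent is to enforce an exact member list from code, IAMBinding is right, and membersDropped is the kind of check worth running against the live policy before applying it.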
