This module allows easy creation of one or more service accounts, and granting them basic roles.
The resources/services/activations/deletions that this module will create/trigger are:
- one or more service accounts
- optional project-level IAM role bindings for each service account
- one optional billing IAM role binding per service account, at the organization or billing account level
- two optional organization-level IAM bindings per service account, to enable the service accounts to create and manage Shared VPC networks
- one optional service account key per service account
This module is meant for use with Terraform 0.12. If you haven't upgraded and need a Terraform 0.11.x-compatible version of this module, the last released version intended for Terraform 0.11.x is 0.1.1.
Basic usage of this module is as follows:
module "service_accounts" {
source = "terraform-google-modules/service-accounts/google"
version = "~> 2.0"
project_id = "<PROJECT ID>"
prefix = "test-sa"
names = ["first", "second"]
project_roles = [
"project-foo=>roles/viewer",
"project-spam=>roles/storage.objectViewer",
]
}Functional examples are included in the examples directory.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| billing_account_id | If assigning billing role, specificy a billing account (default is to assign at the organizational level). | string | "" |
no |
| generate_keys | Generate keys for service accounts. | bool | "false" |
no |
| grant_billing_role | Grant billing user role. | bool | "false" |
no |
| grant_xpn_roles | Grant roles for shared VPC management. | bool | "true" |
no |
| names | Names of the service accounts to create. | list(string) | <list> |
no |
| org_id | Id of the organization for org-level roles. | string | "" |
no |
| prefix | Prefix applied to service account names. | string | "" |
no |
| project_id | Project id where service account will be created. | string | n/a | yes |
| project_roles | Common roles to apply to all service accounts, project=>role as elements. | list(string) | <list> |
no |
| Name | Description |
|---|---|
| Service account email (for single use). | |
| emails | Service account emails by name. |
| emails_list | Service account emails as list. |
| iam_email | IAM-format service account email (for single use). |
| iam_emails | IAM-format service account emails by name. |
| iam_emails_list | IAM-format service account emails as list. |
| key | Service account key (for single use). |
| keys | Map of service account keys. |
| service_account | Service account resource (for single use). |
| service_accounts | Service account resources as list. |
| service_accounts_map | Service account resources by name. |
These sections describe requirements for using this module.
The following dependencies must be available:
- Terraform v0.12
- Terraform Provider for GCP plugin >= v2.0
Service account or user credentials with the following roles must be used to provision the resources of this module:
- Service Account Admin:
roles/iam.serviceAccountAdmin - (optional) Service Account Key Admin:
roles/iam.serviceAccountAdminwhengenerate_keysis set totrue - (optional) roles needed to grant optional IAM roles at the project or organizational level
Refer to the contribution guidelines for information on contributing to this module.