使用 Terraform 创建具有 IAM 角色的服务帐户 [英] Using Terraform to create a service account with IAM roles
问题描述
我正在尝试使用 Terraform 的 roles/logging.logWriter IAM 角色创建一个基本服务帐户.以下是我的配置方式:
I am trying to create a basic Service Account with the roles/logging.logWriter IAM role with Terraform. Below is how I have configured this:
resource "google_service_account" "log_user" {
account_id = "log-user"
display_name = "Logging User"
}
data "google_iam_policy" "log_policy" {
binding {
role = "roles/logging.logWriter"
members = [
"serviceAccount:${google_service_account.log_user.email}"
]
}
}
resource "google_service_account_iam_policy" "log_user_policy" {
service_account_id = "${google_service_account.log_user.name}"
policy_data = "${data.google_iam_policy.log_policy.policy_data}"
}
运行 terraform apply 时,我收到以下错误消息:
When running terraform apply I am receiving the following error message:
* module.iam.google_service_account_iam_policy.log_user_policy: 1 error(s) occurred:
* google_service_account_iam_policy.log_user_policy: Error setting IAM policy for service account 'projects/arcadia-apps-237918/serviceAccounts/log-user@arcadia-apps-237918.iam.gserviceaccount.com': googleapi: Error 400: Role roles/logging.logWriter is not supported for this resource., badRequest
从我所做的挖掘中,我似乎无法找到关于如何创建服务帐户然后为其附加角色的明确解释.
From the digging I've done I can't seem to find a clear cut explanation on how to create a Service Account and then attach a role to it.
推荐答案
我通过以下方式解决了这个问题:
I resolved this by doing the following:
resource "google_service_account" "log_user" {
account_id = "log-user"
display_name = "Logging User"
}
resource "google_project_iam_binding" "log_user" {
project = "arcadia-apps-237918"
role = "roles/logging.logWriter"
members = [
"serviceAccount:${google_service_account.log_user.email}"
]
}
运行 terraform 的用户需要分配给他们的 IAM 管理员角色,然后您才能执行此操作.
The user running terraform needs to have the IAM Admin role assigned to them before you can do this.
这篇关于使用 Terraform 创建具有 IAM 角色的服务帐户的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
