Google Cloud Platform IAM

This page shows how to write Terraform for Cloud Platform IAM and write them securely.

google_service_account_iam (Terraform)

The IAM in Cloud Platform can be configured in Terraform with the resource name google_service_account_iam. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Review your Terraform file for Google best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).


Explanation in Terraform Registry

When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource is to add iam policy bindings to a service account resource, such as allowing the members to run operations as or modify the service account. To configure permissions for a service account on other GCP resources, use the google_project_iam set of resources. Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:

  • google_service_account_iam_policy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.
  • google_service_account_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.
  • google_service_account_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.

    Note: google_service_account_iam_policy cannot be used in conjunction with google_service_account_iam_binding and google_service_account_iam_member or they will fight over what your policy should be.

    Note: google_service_account_iam_binding resources can be used in conjunction with google_service_account_iam_member resources only if they do not grant privilege to the same role. resource "google_service_account_iam_member" "gce-default-account-iam" { service_account_id = role = "roles/iam.serviceAccountUser" member = "serviceAccount:${}" }

With IAM Conditions:
resource "google_service_account" "sa" {
  account_id   = "my-service-account"
  display_name = "A service account that Jane can use"
resource "google_service_account_iam_member" "admin-account-iam" {
  service_account_id = "${}"
  role               = "roles/iam.serviceAccountUser"
  member             = ""
  condition {
    title       = "expires_after_2019_12_31"
    description = "Expiring at midnight of 2019-12-31"
    expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"

Tips: Best Practices for The Other Google Cloud Platform Resources

In addition to the google_project, Google Cloud Platform has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.



Ensure project-level default network creation is disabled

It is better to disable the auto-creation of default networks. The default network for a GCP project is usually configured coarsely, leaving the risk of unwanted access to resources in the network.

Review your Google Cloud Platform settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

Frequently asked questions

What is Google Cloud Platform IAM?

Google Cloud Platform IAM is a resource for Cloud Platform of Google Cloud Platform. Settings can be wrote in Terraform.


Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.