Google Cloud Platform Service Account

This page shows how to write Terraform for a Google Cloud Platform Service Account and how to configure it securely.

google_service_account (Terraform)

The Service Account in Cloud Platform can be configured in Terraform with the resource name google_service_account. The following sections show examples of how to use the resource and describe its parameters.

Example Usage from GitHub

service-account.tf#L1

resource "google_service_account" "terraform" {
  account_id   = "terraform"
  display_name = "terraform"
}

# The source file continues with a google_service_account "pubsub" resource
# whose body is not included on this page.

iam_sa.tf#L1

resource "google_service_account" "register-buid" {
  account_id   = "register-buid"
  display_name = "register-buid firebase function service account"
}

# The source file continues with a google_service_account "is-buid-active"
# resource whose body is not included on this page.

Review your Terraform file for Google best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

  • account_id required - string

The account ID that is used to generate the service account email address and a stable unique ID. It is unique within a project, must be 6-30 characters long, and must match the regular expression [a-z]([-a-z0-9]*[a-z0-9]) to comply with RFC 1035. Changing this forces a new service account to be created.

  • description optional - string

A text description of the service account. Must be less than or equal to 256 UTF-8 bytes.

  • display_name optional - string

The display name for the service account. Can be updated without creating a new resource.

  • email optional computed - string

The e-mail address of the service account. This value should be referenced from any google_iam_policy data sources that would grant the service account privileges.

  • id optional computed - string
  • name optional computed - string

The fully-qualified name of the service account.

  • project optional computed - string

The ID of the project that the service account will be created in. Defaults to the provider project configuration.

  • unique_id optional computed - string

The unique ID of the service account.
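The account_id rules above are only enforced by the API at apply time. As an added example (not code from this page or from the repositories quoted above), the following Terraform variable checks the same constraints at plan time, so a bad ID fails before any API call is made; the variable name sa_account_id and the resource name app are assumed:

```hcl
variable "sa_account_id" {
  description = "Service account ID; must satisfy the google_service_account account_id rules"
  type        = string

  validation {
    # 6-30 characters, lowercase letters, digits and hyphens, starting with a
    # letter and not ending with a hyphen (RFC 1035 label rules).
    condition = (
      length(var.sa_account_id) >= 6 &&
      length(var.sa_account_id) <= 30 &&
      can(regex("^[a-z]([-a-z0-9]*[a-z0-9])$", var.sa_account_id))
    )
    error_message = "account_id must be 6-30 characters and match [a-z]([-a-z0-9]*[a-z0-9])."
  }
}

# Assumed resource: a single-purpose service account with a description that
# records what it is for, which makes later IAM reviews easier.
resource "google_service_account" "app" {
  account_id   = var.sa_account_id
  display_name = "Application workload identity"
  description  = "Runs the app workload only; roles are bound in a separate IAM file"
}
```

Because changing account_id forces replacement, keep it stable once the account is in use; a replaced account gets a new unique_id and loses every role that was bound to the old one.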

Explanation in Terraform Registry

Allows management of a Google Cloud service account.

  • API documentation
  • How-to Guides
    • Official Documentation

Warning: If you delete and recreate a service account, you must reapply any IAM roles that it had before.

Creation of service accounts is eventually consistent, and that can lead to errors when you try to apply ACLs to service accounts immediately after creation. If using these resources in the same config, you can add a sleep using local-exec.
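The two registry notes above (roles are lost on recreate; creation is eventually consistent) both show up when a service account and its role bindings live in the same configuration. The following is an added example, not code from this page or from the registry, of handling both while granting only a narrow role; it uses the hashicorp/time provider's time_sleep resource instead of the local-exec sleep the note mentions, and the account name batch-worker and bucket name example-input-bucket are assumed:

```hcl
terraform {
  required_providers {
    google = { source = "hashicorp/google" }
    time   = { source = "hashicorp/time" }
  }
}

resource "google_service_account" "worker" {
  account_id   = "batch-worker" # assumed name
  display_name = "Batch worker"

  lifecycle {
    # Destroying and recreating the account would silently drop every role
    # bound to it, so refuse to destroy it through Terraform.
    prevent_destroy = true
  }
}

# Service account creation is eventually consistent; wait before binding roles
# so the IAM call does not fail on an account the API has not yet propagated.
resource "time_sleep" "wait_for_sa" {
  depends_on      = [google_service_account.worker]
  create_duration = "30s"
}

# Least privilege: a single read-only role on one bucket instead of a
# project-wide primitive role such as roles/editor. The member string must
# carry the "serviceAccount:" prefix in front of the computed email.
resource "google_storage_bucket_iam_member" "worker_reads_input" {
  bucket = "example-input-bucket" # assumed bucket
  role   = "roles/storage.objectViewer"
  member = "serviceAccount:${google_service_account.worker.email}"

  depends_on = [time_sleep.wait_for_sa]
}
```

With prevent_destroy set, a change to account_id (which forces replacement) is rejected at plan time rather than quietly producing an account with no roles; remove the lifecycle block deliberately when you actually intend to retire the account.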

Tips: Best Practices for The Other Google Cloud Platform Resources

In addition to google_service_account, Google Cloud Platform has other resources that should be configured for security reasons. Please check some examples of those resources and precautions.


google_project

Ensure project-level default network creation is disabled

It is better to disable the auto-creation of the default network. The default network for a GCP project comes with permissive firewall rules (for example, SSH, RDP and ICMP allowed from any source), leaving the risk of unwanted access to resources in the network.
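As an added example (not code from this page), the weak setting and the corrected one side by side; the project IDs and org_id are assumed:

```hcl
# Weak: auto_create_network defaults to true, so the project is created with
# the "default" VPC and its permissive default-allow-* firewall rules.
resource "google_project" "weak" {
  name       = "weak-project"
  project_id = "weak-project-123456" # assumed
  org_id     = "123456789012"        # assumed
}

# Corrected: no default network; every VPC and firewall rule is then declared
# explicitly in Terraform and reviewed like any other change.
resource "google_project" "hardened" {
  name                = "hardened-project"
  project_id          = "hardened-project-123456" # assumed
  org_id              = "123456789012"            # assumed
  auto_create_network = false
}
```

Note that the google provider honours auto_create_network = false by creating the default network and then deleting it, so the service account Terraform runs as needs permission to delete networks in the new project; at organisation level the constraints/compute.skipDefaultNetworkCreation policy stops the network being created in the first place.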

Review your Google Cloud Platform settings

In addition to the above, there are other security points you should be aware of. Shisho Cloud can check that your .tf files follow them.

Frequently asked questions

What is Google Cloud Platform Service Account?

Google Cloud Platform Service Account is a Cloud Platform resource of Google Cloud Platform. Its settings can be written in Terraform.

Where can I find the example code for the Google Cloud Platform Service Account?

For Terraform, the jkkitakita/my-terraform and covid19cz/erouska-firebase source code examples are useful. See the Example Usage section above for further details.


Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.