GCP service account for Pods

This module creates a GCP service account granted the "workloadIdentityUser" role (roles/iam.workloadIdentityUser), together with any other IAM roles it needs. It also creates a Kubernetes service account that is bound to, and can act as, that GCP service account. The Kubernetes service account is intended to be attached to pods running in the GKE cluster.

This module performs the following actions:

  • Create a GCP service account and grant the "workloadIdentityUser" role on it.

  • Add a list of IAM roles to the GCP service account.

  • Create a Kubernetes service account bound to the GCP service account.

Requirements

| Name       | Version   |
|------------|-----------|
| terraform  | >= 1.0    |
| google     | >= 4.75.0 |
| kubernetes | >= 2.21.1 |

Providers

| Name       | Version   |
|------------|-----------|
| google     | >= 4.75.0 |
| kubernetes | >= 2.21.1 |

Modules

No modules.

Resources

| Name                                                     | Type        |
|----------------------------------------------------------|-------------|
| google_project_iam_member.workload_identity_sa_bindings | resource    |
| google_service_account.pods                              | resource    |
| google_service_account_iam_member.pods                   | resource    |
| kubernetes_service_account.pods                          | resource    |
| google_client_config.current                             | data source |

Inputs

| Name                            | Description                                                            | Type        | Default   | Required |
|---------------------------------|------------------------------------------------------------------------|-------------|-----------|----------|
| automount_service_account_token | Whether to automatically mount the Kubernetes service account token.   | bool        | true      | no       |
| kubernetes_namespace            | Namespace within which the name of the service account must be unique. | string      | "default" | no       |
| name                            | Name of the service account.                                           | string      | n/a       | yes      |
| roles                           | A list of IAM roles to be added to the created service account.        | set(string) | []        | no       |

Outputs

| Name                            | Description                                                            |
|---------------------------------|------------------------------------------------------------------------|
| kubernetes_service_account_name | Name of the Kubernetes service account.                                |
| namespace                       | Namespace within which the name of the service account must be unique. |
| service_account_email           | The e-mail address of the GCP service account.                         |
| service_account_id              | The ID of the GCP service account.                                     |
| service_account_name            | Name of the GCP service account.                                       |
| service_account_roles           | The IAM roles associated with the GCP service account.                 |

Examples
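The following is an added illustration, not the module's own source, of how the resources and inputs listed above fit together to bind one Kubernetes service account to one GCP service account through Workload Identity. The module source path, the variable names `var.name`, `var.kubernetes_namespace`, `var.roles`, `var.automount_service_account_token`, and the sample role and names in the `module` block are assumptions.

```hcl
# Example module call (assumed source path and sample values).
module "pods_sa" {
  source               = "./modules/gcp-service-account-for-pods" # assumed
  name                 = "billing-worker"
  kubernetes_namespace = "billing"
  roles                = ["roles/storage.objectViewer"] # keep this set minimal
}

# Illustrative reconstruction of the module's resources (not its real code).
data "google_client_config" "current" {}

resource "google_service_account" "pods" {
  account_id   = var.name
  display_name = "Workload Identity SA for ${var.kubernetes_namespace}/${var.name}"
}

# Project-level roles granted to the GCP service account (one binding per role).
resource "google_project_iam_member" "workload_identity_sa_bindings" {
  for_each = var.roles
  project  = data.google_client_config.current.project
  role     = each.value
  member   = "serviceAccount:${google_service_account.pods.email}"
}

# Allow exactly one Kubernetes SA (namespace/name) in this project's workload
# identity pool to impersonate the GCP service account; no other pod can.
resource "google_service_account_iam_member" "pods" {
  service_account_id = google_service_account.pods.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${data.google_client_config.current.project}.svc.id.goog[${var.kubernetes_namespace}/${var.name}]"
}

# The Kubernetes SA; the annotation is what GKE uses to map it to the GCP SA.
resource "kubernetes_service_account" "pods" {
  metadata {
    name      = var.name
    namespace = var.kubernetes_namespace
    annotations = {
      "iam.gke.io/gcp-service-account" = google_service_account.pods.email
    }
  }
  # Set false for pods that never call the Kubernetes API to reduce token exposure.
  automount_service_account_token = var.automount_service_account_token
}
```

Pods that set `serviceAccountName` to the created Kubernetes service account obtain GCP credentials for the bound GCP service account only, so the roles in `var.roles` define the blast radius of that workload.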