
Clarify documentation around service_account_id expected value for google_service_account_iam_* resources #2180

Closed
walterdolce opened this issue Oct 6, 2018 · 4 comments · Fixed by GoogleCloudPlatform/magic-modules#1054

Comments

@walterdolce
Contributor

The documentation says:

service_account_id - (Required) The service account id to apply policy to.

And that is all fine. But when it comes to having something like the following:

resource "google_service_account" "k8s_cluster_service_account" {
  account_id   = "${var.k8s_cluster_service_account_id}"
  display_name = "${var.k8s_cluster_service_display_name}"
}

resource "google_service_account_iam_member" "k8s_cluster_service_account_log_writer" {
  service_account_id = "${google_service_account.k8s_cluster_service_account.account_id}"
  role        = "roles/logging.logWriter"
  member      = "serviceAccount:${google_service_account.k8s_cluster_service_account.email}"
}

resource "google_service_account_iam_member" "k8s_cluster_service_account_metric_writer" {
  service_account_id = "${google_service_account.k8s_cluster_service_account.account_id}"
  role        = "roles/monitoring.metricWriter"
  member      = "serviceAccount:${google_service_account.k8s_cluster_service_account.email}"
}

resource "google_service_account_iam_member" "k8s_cluster_service_account_monitoring_viewer" {
  service_account_id = "${google_service_account.k8s_cluster_service_account.id}"
  role        = "roles/monitoring.viewer"
  member      = "serviceAccount:${google_service_account.k8s_cluster_service_account.email}"
}

resource "google_service_account_iam_member" "k8s_cluster_service_account_storage_object_viewer" {
  service_account_id = "${google_service_account.k8s_cluster_service_account.account_id}"
  role        = "roles/storage.objectViewer"
  member      = "serviceAccount:${google_service_account.k8s_cluster_service_account.email}"
}

This would fail because:

"service_account_id" ("whatever-the-id") doesn't match regexp "projects/(?:(?:[-a-z0-9]{1,63}\.)(?:a-z?):)?(?:[0-9]{1,19}|(?:a-z0-9?))/serviceAccounts/((?:(?:[-a-z0-9]{1,63}\.)(?:a-z?):)?(?:[0-9]{1,19}|(?:a-z0-9?))@appspot.gserviceaccount.com|[0-9]{1,20}[email protected]|a-z@[-a-z0-9\.]{1,63}\.iam\.gserviceaccount\.com$)"

As you can see I naturally went for using account_id. Little did I know I had to just use id.

This took me a bit of time away just to understand what I was doing wrong. It shouldn't happen.

Do you think the documentation would clearly state that the id, rather than account_id or unique_id is expected to be set in service_account_id?

I'm happy to send a PR for this so that this gets off your shoulders.

Thank you.

@walterdolce
Contributor Author

BTW, the code above doesn't even work. Most probably because either the docs are lying, the code is broken or both.

The above produces the following:

* google_service_account_iam_member.k8s_cluster_service_account_monitoring_viewer: Error applying IAM policy for service account 'projects/the-project/serviceAccounts/[email protected]': Error setting IAM policy for service account 'projects/the-project/serviceAccounts/[email protected]': googleapi: Error 400: Role roles/monitoring.viewer is not supported for this resource., badRequest

* google_service_account_iam_member.k8s_cluster_service_account_storage_object_viewer: Error applying IAM policy for service account 'projects/the-project/serviceAccounts/[email protected]': Error setting IAM policy for service account 'projects/the-project/serviceAccounts/[email protected]': googleapi: Error 400: Role roles/storage.objectViewer is not supported for this resource., badRequest

* google_service_account_iam_member.k8s_cluster_service_account_metric_writer: Error applying IAM policy for service account 'projects/the-project/serviceAccounts/[email protected]': Error setting IAM policy for service account 'projects/the-project/serviceAccounts/[email protected]': googleapi: Error 400: Role roles/monitoring.metricWriter is not supported for this resource., badRequest

* google_service_account_iam_member.k8s_cluster_service_account_log_writer: Error applying IAM policy for service account 'projects/the-project/serviceAccounts/[email protected]': Error setting IAM policy for service account 'projects/the-project/serviceAccounts/[email protected]': googleapi: Error 400: Role roles/logging.logWriter is not supported for this resource., badRequest

The provider version is the latest, 1.18.0

@walterdolce
Contributor Author

I ended up using google_project_iam_member.

@sergei-ivanov

@walterdolce your example would not work, and in your case google_project_iam_member was indeed the correct resource to use.
You tried to use k8s_cluster_service_account as both a resource and an identity (both GCP and Terraform documentation explain the difference pretty well). So you were effectively trying to say "grant k8s_cluster_service_account a roles/logging.logWriter role over itself". And when you read it this way it does not make much sense. AFAIK the only possible roles that it is possible to grant on service account resources are roles/iam.serviceAccountXXXXX roles. For example, you can grant another member (a user, a group or another service account) roles/iam.serviceAccountUser role over your service account, so that they can "run as" your service account.
If you want to grant a certain project role (e.g. roles/logging.logWriter) to your service account, you use project IAM bindings.
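The two kinds of binding described above, side by side, as an added example that is not part of the issue thread or the provider's own documentation. The project id, account name and group address are placeholders; the interpolation syntax matches the Terraform 0.11 era of provider 1.18.0 and still works on later versions.

```hcl
# Constructed example, not from the issue. Placeholders: PLACEHOLDER-PROJECT-ID,
# the "k8s-nodes" account and the group address must be replaced before use.
variable "project_id" {
  default = "PLACEHOLDER-PROJECT-ID"
}

resource "google_service_account" "k8s_nodes" {
  account_id   = "k8s-nodes"
  display_name = "Kubernetes node service account"
}

# Identity-level grant: the service account is the *principal* (member) in the
# project's IAM policy. Roles such as logging.logWriter or monitoring.metricWriter
# are project roles and belong here, never on the service account resource itself.
resource "google_project_iam_member" "k8s_nodes_log_writer" {
  project = "${var.project_id}"
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:${google_service_account.k8s_nodes.email}"
}

# Resource-level grant: the service account is the *resource* whose own IAM
# policy is edited. service_account_id must be the fully-qualified name
# projects/{project}/serviceAccounts/{email}; that is what the .name attribute
# (and, as the thread notes, .id) exports. Passing .account_id or .unique_id
# fails the provider's regexp check quoted in the first comment.
# Only roles/iam.serviceAccount* roles are meaningful on this resource.
resource "google_service_account_iam_member" "ci_group_can_act_as_k8s_nodes" {
  service_account_id = "${google_service_account.k8s_nodes.name}"
  role               = "roles/iam.serviceAccountUser"
  member             = "group:PLACEHOLDER-GROUP@example.com"
}
```

The second binding lets every member of the group run workloads as `k8s-nodes`, and with it inherit every project role the first binding grants, so it should be limited to principals that actually need to act as that account; reviewing `google_service_account_iam_*` bindings is a quick way to audit who can assume a given service account's permissions.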

@ghost

ghost commented Jan 13, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Jan 13, 2019