GCP lets a Kubernetes service account impersonate an IAM service account by adding an IAM policy binding between the two service accounts. This binding allows the Kubernetes service account to act as the IAM service account.
gcloud iam service-accounts add-iam-policy-binding GSA_NAME@GSA_PROJECT.iam.gserviceaccount.com \
    --role roles/iam.workloadIdentityUser \
    --member "serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]"
We want to create the same thing with a Terraform resource. We tried it this way, referring to: article
resource "google_service_account_iam_binding" "service-account-iam" {
  service_account_id = "GSA_NAME@GSA_PROJECT.iam.gserviceaccount.com"
  role               = "roles/iam.workloadIdentityUser"
  members = [
    "serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]",
  ]
}
But we get the following error:
Error: "service_account_id" ("GSA_NAME@GSA_PROJECT.iam.gserviceaccount.com") doesn't match regexp "projects/(?:(?:[-a-z0-9]{1,63}\.)(?:a-z?):)?(?:[0-9]{1,19}|(?:a-z0-9?)|-)/serviceAccounts/((?:(?:[-a-z0-9]{1,63}\.)(?:a-z?):)?(?:[0-9]{1,19}|(?:a-z0-9?))@[a-z]+.gserviceaccount.com$|[0-9]{1,20}-compute@developer.gserviceaccount.com$|a-z@[-a-z0-9\.]{1,63}\.iam\.gserviceaccount\.com$)"
What is going wrong here?
Best answer
service_account_id is the fully qualified name of the service account to which the policy is applied:

projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_EMAIL
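A complete Terraform configuration that applies the answer above, written as an added example (it is not the answerer's or the asker's code). It assumes the GSA is managed by Terraform in the same configuration; the project id "my-project", the account id "gsa-name", the namespace "default" and the KSA name "my-ksa" are placeholders. The point is that the name attribute of google_service_account already has the projects/PROJECT_ID/serviceAccounts/EMAIL form that service_account_id requires, so no string needs to be hand-assembled:

```hcl
# Added example, not code from the original question or answer.
# Placeholder values below are assumptions; replace them with your own.
variable "project_id" {
  default = "my-project" # assumed placeholder
}

resource "google_service_account" "gsa" {
  project      = var.project_id
  account_id   = "gsa-name" # assumed placeholder
  display_name = "Workload Identity GSA"
}

# google_service_account.gsa.name yields
# "projects/PROJECT_ID/serviceAccounts/gsa-name@PROJECT_ID.iam.gserviceaccount.com",
# the fully qualified form the service_account_id regexp expects.
resource "google_service_account_iam_binding" "workload_identity" {
  service_account_id = google_service_account.gsa.name
  role               = "roles/iam.workloadIdentityUser"
  members = [
    # Workload Identity member: the KSA "my-ksa" in namespace "default" (assumed)
    "serviceAccount:${var.project_id}.svc.id.goog[default/my-ksa]",
  ]
}

# If the GSA is managed elsewhere, the literal equivalent is:
# service_account_id = "projects/${var.project_id}/serviceAccounts/gsa-name@${var.project_id}.iam.gserviceaccount.com"
```

Two points worth checking before applying this: google_service_account_iam_binding is authoritative for the given role on that service account, so any other member that already holds roles/iam.workloadIdentityUser on the GSA and is not in the members list will be removed on apply; google_service_account_iam_member is the non-authoritative alternative when several configurations grant the role. Keeping the members list to exactly the KSAs that need to impersonate the GSA is also the least-privilege outcome. The Kubernetes side still needs the KSA annotated with iam.gke.io/gcp-service-account set to the GSA email before pods can obtain GSA credentials.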
Regarding "kubernetes - How to create a GCP Workload Identity IAM binding in Terraform?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/73330816/