---
page_title: "stackit_authorization_service_account_role_assignment Resource - stackit"
subcategory: ""
description: |-
  Service-account Role Assignment resource schema.
  ~> Important: Use this resource to grant 'Act-As' permissions. This allows a service account (the subject) to impersonate the target Service Account. A common example is authorizing the SKE Service Account to act as a project-specific Service Account to access APIs.
  ~> This resource is part of the iam experiment and is likely going to undergo significant changes or be removed in the future. Use it at your own discretion.
---

# stackit_authorization_service_account_role_assignment (Resource)

Service-account Role Assignment resource schema.

~> Important: Use this resource to grant 'Act-As' permissions. This allows a service account (the subject) to impersonate the target Service Account. A common example is authorizing the SKE Service Account to act as a project-specific Service Account in order to access APIs.

~> This resource is part of the iam experiment and is likely going to undergo significant changes or be removed in the future. Use it at your own discretion.

## Example Usage

```terraform
data "stackit_service_accounts" "ske_sa_suffix" {
  project_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  email_suffix = "@ske.sa.stackit.cloud"
}

resource "stackit_service_account" "iam" {
  project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  name       = "kms"
}

resource "stackit_authorization_project_role_assignment" "pr_sa" {
  resource_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  role        = "kms.admin"
  subject     = stackit_service_account.iam.email
}

# Assign the Act-As permission on the previously created service account.
# The SKE service account is now authorized to access KMS on behalf of stackit_service_account.iam.
resource "stackit_authorization_service_account_role_assignment" "sa" {
  resource_id = stackit_service_account.iam.service_account_id
  role        = "user"
  subject     = data.stackit_service_accounts.ske_sa_suffix.items[0].email
}

# Only use the import block if you want to import an existing service account role assignment.
import {
  to = stackit_authorization_service_account_role_assignment.sa
  id = "${var.resource_id},${var.service_account_assignment_role},${var.service_account_assignment_subject}"
}
```

## Schema

### Required

- `resource_id` (String) Service-account Resource to assign the role to.
- `role` (String) Role to be assigned. Available roles can be queried using stackit-cli: `stackit curl https://authorization.api.stackit.cloud/v2/permissions`
- `subject` (String) Identifier of user, service account or client. Usually email address or name in case of clients. All letters must be lowercased.

### Read-Only

- `id` (String) Terraform's internal resource identifier. It is structured as "resource_id,role,subject".
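The import block in the example above and the read-only `id` attribute use the same three-field identifier, `resource_id,role,subject`. The following Python helper is an added example and not part of the STACKIT provider; it composes and parses that identifier and enforces the constraints this page states (exactly three comma-separated fields, a non-empty role, an all-lowercase subject). The check that `resource_id` is a lowercase UUID, the `RoleAssignmentId` name and all sample values are assumptions made for the example.

```python
"""Compose and validate the import id of a
stackit_authorization_service_account_role_assignment.

Added example, not STACKIT provider code. The provider documents the id as
"resource_id,role,subject" and requires the subject to be all-lowercase.
The UUID check on resource_id and all sample values are assumptions."""
import re
from dataclasses import dataclass

# Assumption: the service_account_id used as resource_id is a lowercase UUID.
_UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


@dataclass(frozen=True)
class RoleAssignmentId:
    resource_id: str  # service_account_id of the target (impersonated) service account
    role: str         # role granted to the subject on that service account, e.g. "user"
    subject: str      # email of the acting service account, lowercase

    def compose(self) -> str:
        """Return the string the import block's `id` argument expects."""
        return f"{self.resource_id},{self.role},{self.subject}"


def validate(parts: RoleAssignmentId) -> RoleAssignmentId:
    """Reject ids the provider would not accept; return the input unchanged."""
    if not _UUID_RE.match(parts.resource_id):
        raise ValueError(f"resource_id is not a lowercase UUID: {parts.resource_id!r}")
    if not parts.role:
        raise ValueError("role must not be empty")
    if not parts.subject:
        raise ValueError("subject must not be empty")
    if parts.subject != parts.subject.lower():
        raise ValueError(f"subject must be all-lowercase: {parts.subject!r}")
    return parts


def parse_import_id(import_id: str) -> RoleAssignmentId:
    """Split "resource_id,role,subject" into its fields and validate them.

    A stray comma in any field changes the field count, so the count check
    doubles as a guard against malformed or hand-edited ids."""
    fields = import_id.split(",")
    if len(fields) != 3:
        raise ValueError(
            f"expected 3 comma-separated fields, got {len(fields)}: {import_id!r}"
        )
    return validate(RoleAssignmentId(*fields))


def build_import_id(resource_id: str, role: str, subject: str) -> str:
    """Compose a valid id, lowercasing the subject as the schema requires."""
    return validate(RoleAssignmentId(resource_id, role, subject.lower())).compose()


def is_valid_import_id(import_id: str) -> bool:
    """True if the id parses and passes every check, False otherwise."""
    try:
        parse_import_id(import_id)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample values, not real STACKIT identifiers.
    sa_id = "0f5e9c6a-1b2c-4d3e-8f90-1234567890ab"
    print(build_import_id(sa_id, "user", "My-Cluster@ske.sa.stackit.cloud"))
    print(is_valid_import_id(f"{sa_id},user,Mixed-Case@ske.sa.stackit.cloud"))
```

`build_import_id` lowercases the subject before validating, because the schema requires it and a mixed-case email copied from a console is the most common reason an import fails; `parse_import_id` deliberately does not normalize, so an id taken from existing state is checked exactly as written.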