IaC Bazaar
Google Cloud · Static-verified

Service Accounts & IAM Bindings

Service accounts with least-privilege project/resource IAM and optional Workload Identity Federation for keyless CI/CD (GitHub Actions).

terraform · GCP · #gcp
gcp-service-accounts-iam · terraform v1.7

Verification

Static-verified

Passed: validated and lint-clean (provider-schema-validated for AWS/Azure/GCP; Terraform-language lint elsewhere).

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan clean (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live test pending (no cloud run yet)

Last verified 2026-06-28 · how we verify

Documentation

gcp-service-accounts-iam

Service accounts with least-privilege project/resource IAM and optional Workload Identity Federation for keyless CI/CD (GitHub Actions). Works with Terraform and OpenTofu (>= 1.6), Google provider >= 7.0, < 8.0.

Secure defaults:

  • No service-account keys, ever — external workloads federate via OIDC (WIF) and impersonate, instead of holding exportable credentials
  • Basic roles (roles/owner, roles/editor) are rejected at plan time
  • Project grants are additive (google_project_iam_member) — safe to compose with IAM managed elsewhere, since no authoritative binding overwrites members granted outside this module
  • WIF attribute_condition is required: multi-tenant issuers like GitHub would otherwise accept tokens from any org/repo on the platform
  • Sensible GitHub Actions attribute mapping out of the box (subject, repository, repository_owner, ref)

Requirements

  • Terraform or OpenTofu >= 1.6
  • hashicorp/google >= 7.0, < 8.0

Notes for integrators:

  • wif_principals entries map to principalSet://.../<entry> members, e.g. attribute.repository/my-org/my-app (whole repo) — attributes must exist in attribute_mapping to be usable.
  • The default issuer is GitHub Actions; point issuer_uri (plus your own attribute_mapping/attribute_condition) at GitLab, Bitbucket, etc.
  • Deleted WIF pools/providers are soft-deleted for 30 days; re-creating with the same ID within that window fails — use a fresh pool_id or undelete.
  • Granting roles on other resources (buckets, repos, …) belongs to those modules; feed them service_account_members.
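As an added illustration (not the module's own code, whose usage ships with the licence), the pattern the secure defaults and integrator notes describe, written against the hashicorp/google provider directly: plan-time rejection of basic roles, additive project grants, a GitHub Actions WIF provider with a mandatory attribute_condition, and keyless impersonation scoped to one repository. The project id, pool/provider ids, org and repo names are placeholders.

```hcl
# Added illustration, not the module's code; project id, pool/provider ids, org and repo are placeholders.
variable "project_roles" {
  type    = set(string)
  default = ["roles/logging.logWriter"]
  validation {
    # Reject basic roles at plan time; predefined or custom roles only.
    condition     = length(setintersection(var.project_roles, ["roles/owner", "roles/editor"])) == 0
    error_message = "Basic roles (roles/owner, roles/editor) are not allowed."
  }
}
resource "google_service_account" "ci" {
  project    = "my-gcp-project" # placeholder
  account_id = "github-ci"
}
# Additive grants: one google_project_iam_member per role, no authoritative binding/policy resource.
resource "google_project_iam_member" "ci" {
  for_each = var.project_roles
  project  = "my-gcp-project"
  role     = each.value
  member   = google_service_account.ci.member
}

resource "google_iam_workload_identity_pool" "github" {
  project                   = "my-gcp-project"
  workload_identity_pool_id = "github-pool"
}

resource "google_iam_workload_identity_pool_provider" "github" {
  project                            = "my-gcp-project"
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-actions"
  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
  attribute_mapping = {
    "google.subject"             = "assertion.sub"
    "attribute.repository"       = "assertion.repository"
    "attribute.repository_owner" = "assertion.repository_owner"
    "attribute.ref"              = "assertion.ref"
  }
  # Required: without it, any GitHub org/repo could exchange tokens at this provider.
  attribute_condition = "assertion.repository_owner == 'my-org'"
}

# Keyless impersonation for exactly one repo; attribute.repository must be mapped above to be usable.
resource "google_service_account_iam_member" "wif" {
  service_account_id = google_service_account.ci.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github.name}/attribute.repository/my-org/my-app"
}
```

Roles on other resources (buckets, repositories) are granted in those resources' own configuration by passing them the service account member, as the integrator note above says.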

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).

Usage code & full reference unlock after purchase

The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.
