想通过地形将多个IAM角色分配给单个服务帐户。准备了一个tf文件来执行此操作,但是发现一些错误,如果我使用单个角色,则可以成功分配该文件,但是当我尝试多个IAM角色时,它给出了一些错误。
data "google_iam_policy" "auth1" {
binding {
role = "roles/cloudsql.admin"
members = [
"serviceAccount:${google_service_account.service_account_1.email}",
]
role = "roles/secretmanager.secretAccessor"
members = [
"serviceAccount:${google_service_account.service_account_1.email}",
]
role = "roles/datastore.owner"
members = [
"serviceAccount:${google_service_account.service_account_1.email}",
]
role = "roles/storage.admin"
members = [
"serviceAccount:${google_service_account.service_account_1.email}",
]
}
}
您能帮我一下,如何针对一个服务帐户分配多个角色。
答案 0 :(得分:5)
每个文档配置必须具有一个或多个绑定块,每个绑定块都接受以下参数:....
您必须像这样重复绑定
data "google_iam_policy" "auth1" {
binding {
role = "roles/cloudsql.admin"
members = [
"serviceAccount:${google_service_account.service_account_1.email}",
]
}
binding {
role = "roles/secretmanager.secretAccessor"
members = [
"serviceAccount:${google_service_account.service_account_1.email}",
]
}
binding {
role = "roles/datastore.owner"
members = [
"serviceAccount:${google_service_account.service_account_1.email}",
]
}
binding {
role = "roles/storage.admin"
members = [
"serviceAccount:${google_service_account.service_account_1.email}",
]
}
}
使用gcloud命令也是一样,您一次只能在电子邮件列表中添加1个角色。