GCP允许Kubernetes服务帐户通过在两个服务帐户之间添加IAM策略绑定来模拟IAM服务帐户。此绑定允许Kubernetes服务帐户充当IAM服务帐户。
gcloud iam service-accounts add-iam-policy-binding GSA_NAME@GSA_PROJECT.iam.gserviceaccount.com
--role roles/iam.workloadIdentityUser
--member "serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]"
我们想通过Terraform资源创建相同的,我们尝试了这种方式,参考:文章
resource "google_service_account_iam_binding" "service-account-iam" {
service_account_id = "GSA_NAME@GSA_PROJECT.iam.gserviceaccount.com"
role = "roles/iam.workloadIdentityUser"
members = [
"serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]",
]
}
但我们收到了以下错误:
错误:"service_account_id";(";XXX@XXX.iam.gserviceaccount.com"(与regexp不匹配"项目/(?:(?:[-a-z0-9]{1,63}\.((?:a-z?(:(?(?:[0-9]{1,19}|(?:a-z0-9?(|-(/serviceAccounts/((?:(?:[-a-z0-9]{1,63}\.((?:a-z?(:(?(?:[0-9]{1,19}|(?:a-z0-9?((@[a-z]+.gserviceaccount.com$|[0-9]{1,20}-compute@developer.gserviceaccount.com|a-z@[-a-z0-9\.]{1,63}\.iam\.gserviceaccount\.com$(">
这里出了什么问题?
service_account_id是要应用策略的服务帐户的完全限定名称。
projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_EMAIL