Tags: google-cloud-platform, google-iam, google-cloud-iam

How to allow a GCP Identity to modify specific service accounts


I have a service account that Terraform uses to manage my cloud resources, let's call it resource-manager-sa. I need to give it enough access to create/delete/edit other service accounts but not to be able to change itself or other SAs in the project that it isn't supposed to touch.

I tried adding a condition there, but it seems like 'service accounts' are not one of the types of resources that you can use in conditions (?). Here's my HCL snippet for binding that role (the fact that I'm using Terraform is irrelevant here):

resource "google_project_iam_member" "service-account" {
  project = var.project
  role    = "roles/iam.serviceAccountAdmin"
  member  = "serviceAccount:${google_service_account.resource-manager-sa.email}"

  condition {
    title      = "Can manage Blah Blah SA"
    expression = "resource.name.extract('/serviceAccounts/{name}').startsWith('blah-blah@')"
  }
}

When I remove the condition everything works but resource-manager-sa has far more permissions than it needs. It can even modify itself to escalate its own privileges. After I add the condition, boom, it cannot access any service accounts:

Error: Error when reading or editing Service Account "projects/***/serviceAccounts/blah-blah@***.iam.gserviceaccount.com": googleapi: Error 403: Permission iam.serviceAccounts.get is required to perform this operation on service account projects/***/serviceAccounts/blah-blah@***.iam.gserviceaccount.com., forbidden

I feel like I'm doing something fundamentally wrong here but I cannot find a good example configuration that does what I'm trying to achieve here.


Solution

  • Service Accounts are also a resource. As such, you can assign IAM permissions for identities at the service account level instead of at the project level. This means you can create a service account with no permissions/roles and grant that service account permissions to another service account.

    Using Terraform, review the google_service_account_iam_member resource. This will provide you with the granularity that you asked about and not allow escalation of privilege.
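An added example of the answer's approach (this is not code from the question or the answer): the roles/iam.serviceAccountAdmin binding is moved off the project and onto each service account that resource-manager-sa is allowed to manage. The variable managed_service_accounts and the account ids in it are hypothetical placeholders; resource-manager-sa itself is deliberately absent from that list, so it gets no permission on itself.

```hcl
# Added example, not code from the question or the answer. The account ids and
# the managed_service_accounts variable are hypothetical placeholders.

variable "project" {
  type = string
}

# Account ids of the service accounts that resource-manager-sa may manage.
# resource-manager-sa itself is intentionally not in this list.
variable "managed_service_accounts" {
  type    = set(string)
  default = ["blah-blah", "another-managed-sa"]
}

# The identity Terraform runs as. It gets no project-level IAM role at all;
# every permission it holds comes from the per-service-account bindings below.
resource "google_service_account" "resource-manager-sa" {
  project      = var.project
  account_id   = "resource-manager-sa"
  display_name = "Terraform resource manager"
}

# The service accounts resource-manager-sa is allowed to touch.
resource "google_service_account" "managed" {
  for_each     = var.managed_service_accounts
  project      = var.project
  account_id   = each.key
  display_name = "Managed by resource-manager-sa"
}

# Bind roles/iam.serviceAccountAdmin on each managed account individually,
# instead of on the project. service_account_id takes the full resource name
# projects/<project>/serviceAccounts/<email>, which the resource's .name
# attribute already provides. No IAM condition is needed: the scope of the
# binding is the individual service account.
resource "google_service_account_iam_member" "manage" {
  for_each           = google_service_account.managed
  service_account_id = each.value.name
  role               = "roles/iam.serviceAccountAdmin"
  member             = "serviceAccount:${google_service_account.resource-manager-sa.email}"
}
```

Apply this bootstrap configuration with a privileged identity, not with resource-manager-sa: a service-account-level binding covers get, update, delete and setIamPolicy on that one account, but iam.serviceAccounts.create is checked against the project, so no per-account binding can grant the ability to create new service accounts. One caveat to keep in mind: roles/iam.serviceAccountAdmin includes iam.serviceAccounts.setIamPolicy, so resource-manager-sa can grant itself roles/iam.serviceAccountTokenCreator on a managed account and impersonate it; if a managed account holds broader project roles than resource-manager-sa, that remains a path to those privileges, so keep the managed accounts at least as restricted as the manager.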