How to create the GCP workload identity IAM bindings in Terraform?

GCP allows the Kubernetes service account to impersonate the IAM service account by adding an IAM policy binding between the two service accounts. This binding allows the Kubernetes service account to act as the IAM service account.

gcloud iam service-accounts add-iam-policy-binding IAM_SA_EMAIL \
    --role roles/iam.workloadIdentityUser \
    --member "serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]"

We would like to create the same via a Terraform resource and tried it this way (refer: article):

resource "google_service_account_iam_binding" "service-account-iam" {
  service_account_id = ""
  role               = "roles/iam.workloadIdentityUser"
  members = [
    "serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]",
  ]
}

But we received the below error:

Error: "service_account_id" ("") doesn't match regexp "projects/(?:(?:[-a-z0-9]{1,63}\.)(?:a-z?):)?(?:[0-9]{1,19}|(?:a-z0-9?)|-)/serviceAccounts/((?:(?:[-a-z0-9]{1,63}\.)(?:a-z?):)?(?:[0-9]{1,19}|(?:a-z0-9?))@[a-z]$|[0-9]{1,20}|a-z@[-a-z0-9\.]{1,63}\.iam\.gserviceaccount\.com$)"

What's wrong here?


  • service_account_id is the fully-qualified name of the service account to apply the policy to.
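The following is an added example (not the asker's code and not from the linked article) of a complete Workload Identity binding in Terraform. It assumes the Google provider is already configured and uses `var.project_id`, `var.namespace` and `var.ksa_name` as placeholder inputs; the IAM service account is created in the same configuration so its fully-qualified name can be referenced directly.

```hcl
# Added example: binding a Kubernetes service account (KSA) to a GCP IAM
# service account for Workload Identity. Placeholder inputs are assumptions.
variable "project_id" {}
variable "namespace" { default = "default" }
variable "ksa_name" { default = "my-ksa" }

# The IAM service account the pod will be allowed to act as.
resource "google_service_account" "app" {
  project      = var.project_id
  account_id   = "app-workload"
  display_name = "Workload Identity SA for app"
}

# service_account_id must be the fully-qualified name
# projects/PROJECT_ID/serviceAccounts/EMAIL. The resource's `name`
# attribute already has that form, so reference it instead of typing a bare
# email or, as in the question, an empty string.
resource "google_service_account_iam_binding" "workload_identity" {
  service_account_id = google_service_account.app.name
  role               = "roles/iam.workloadIdentityUser"

  # Scope the grant to exactly one KSA in one namespace; a wider member
  # (for example the whole namespace) lets every pod there impersonate the SA.
  members = [
    "serviceAccount:${var.project_id}.svc.id.goog[${var.namespace}/${var.ksa_name}]",
  ]
}

# For a service account that already exists and is not managed here, build
# the fully-qualified name by hand (EMAIL is a placeholder):
# service_account_id = "projects/${var.project_id}/serviceAccounts/EMAIL"
```

`google_service_account_iam_binding` is authoritative for the given role on that service account: any member not listed here is removed from `roles/iam.workloadIdentityUser` on the next apply. If other configurations also grant that role on the same service account, use `google_service_account_iam_member` instead, which adds a single member without touching the others. The KSA itself still needs the `iam.gke.io/gcp-service-account` annotation pointing at the IAM service account's email for the impersonation to take effect.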
