Cloud
Automating GCP IAM & Workload Identity
Managing complex IAM roles, custom role inheritance, and Workload Identity bindings using Terraform.
Security as Code
In a multi-tenant AI platform, least-privilege access is critical. Using Terraform, we can iteratively build hierarchical custom roles and manage Service Account permissions efficiently.
Workload Identity
Workload Identity allows Kubernetes Service Accounts to act as Google Service Accounts, eliminating the need to create, distribute and rotate service account keys manually.
```hcl
# Allow one Kubernetes Service Account (namespace/name) to impersonate the
# Google Service Account. No key is created; GKE exchanges the KSA token
# for GSA credentials at runtime.
resource "google_service_account_iam_member" "workload_identity" {
  # Fully qualified GSA resource name: projects/{project}/serviceAccounts/{email}
  service_account_id = "projects/${var.project_id}/serviceAccounts/${var.gsa_email}"
  role               = "roles/iam.workloadIdentityUser"
  # Workload Identity pool member: PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]
  member             = "serviceAccount:${var.project_id}.svc.id.goog[${var.namespace}/${var.ksa_name}]"
}
```
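Extending that binding into the full chain the post describes (tiered custom roles, a key-less Google Service Account, and both sides of the Workload Identity mapping), as an added example that is not the post's own code. The role ids, permissions and account id are assumptions; `var.project_id`, `var.namespace` and `var.ksa_name` are taken to be declared as in the post, and the `kubernetes` provider is assumed to be configured against the GKE cluster.

```hcl
# Constructed example: role ids, permissions and account ids are assumptions.
locals {
  # Base tier: read-only access to model artifacts.
  reader_permissions = ["storage.objects.get", "storage.objects.list"]
  # Derived tier is built from the base tier, so the hierarchy is defined once.
  writer_permissions = concat(local.reader_permissions, ["storage.objects.create"])
}

resource "google_project_iam_custom_role" "model_reader" {
  project     = var.project_id
  role_id     = "aiModelReader"
  title       = "AI Model Reader"
  permissions = local.reader_permissions
}

resource "google_project_iam_custom_role" "model_writer" {
  project     = var.project_id
  role_id     = "aiModelWriter"
  title       = "AI Model Writer"
  permissions = local.writer_permissions
}

# One Google Service Account per tenant workload; no keys are ever created.
resource "google_service_account" "trainer" {
  project      = var.project_id
  account_id   = "tenant-a-trainer"
  display_name = "Tenant A training workload"
}

# Grant only the tier this workload needs, scoped to the project.
resource "google_project_iam_member" "trainer_writer" {
  project = var.project_id
  role    = google_project_iam_custom_role.model_writer.id
  member  = "serviceAccount:${google_service_account.trainer.email}"
}

# Let exactly one Kubernetes SA impersonate the GSA via Workload Identity.
resource "google_service_account_iam_member" "trainer_wi" {
  service_account_id = google_service_account.trainer.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[${var.namespace}/${var.ksa_name}]"
}

# The KSA side of the mapping: the annotation tells GKE which GSA to use.
resource "kubernetes_service_account" "trainer" {
  metadata {
    name        = var.ksa_name
    namespace   = var.namespace
    annotations = { "iam.gke.io/gcp-service-account" = google_service_account.trainer.email }
  }
}
```

The binding is deliberately per-KSA rather than per-namespace: granting `roles/iam.workloadIdentityUser` to a wildcard member would let every workload in the namespace impersonate the GSA.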