» IAM policy for a service account

When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource treats it as a resource: it adds IAM policy bindings to the service account itself, configuring the permissions that define who can edit that service account.

There are three different resources that help you manage your IAM policy for a service account. Each of these resources is used for a different use case:

» yandex_iam_service_account_iam_policy

# Build the policy document: one binding block per role.
data "yandex_iam_policy" "admin" {
  binding {
    role = "admin"

    # Identities that receive the role on the service account.
    members = [
      "userAccount:foobar_user_id",
    ]
  }
}

# Attach the generated policy to the service account (treated here as a resource).
resource "yandex_iam_service_account_iam_policy" "admin-account-iam" {
  service_account_id = "your-service-account-id"
  policy_data        = data.yandex_iam_policy.admin.policy_data
}

» Argument Reference

The following arguments are supported:

  • service_account_id - (Required) The service account ID to apply the policy to.
  • members - (Required) Identities that will be granted the privilege in role. Each entry can have one of the following values:
    • userAccount:{user_id}: A unique user ID that represents a specific Yandex account.
    • serviceAccount:{service_account_id}: A unique service account ID.
  • role - (Required) The role that should be applied. Only one yandex_iam_service_account_iam_binding can be used per role.
  • policy_data - (Required only by yandex_iam_service_account_iam_policy) The policy data generated by a yandex_iam_policy data source.
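As an added example (not taken from the provider documentation), the configuration below grants both member types on a Terraform-managed service account: a human owner gets admin on the service account, and a second service account gets only viewer. The user and service account IDs are placeholders, and the resource names are assumptions.

```hcl
# Added example: least-privilege policy for a service account (not provider docs code).
# The service account whose IAM policy we manage.
resource "yandex_iam_service_account" "deployer" {
  name        = "deployer"
  description = "Example service account managed by Terraform"
}

# One binding block per role; a role should appear only once in the policy.
data "yandex_iam_policy" "deployer_policy" {
  # The human owner who may edit the service account itself.
  binding {
    role    = "admin"
    members = ["userAccount:<owner-user-id>"] # placeholder
  }

  # An auditing service account that only needs to read this one.
  binding {
    role    = "viewer"
    members = ["serviceAccount:<auditor-service-account-id>"] # placeholder
  }
}

# Apply the generated policy to the service account (as a resource, not an identity).
resource "yandex_iam_service_account_iam_policy" "deployer_policy" {
  service_account_id = yandex_iam_service_account.deployer.id
  policy_data        = data.yandex_iam_policy.deployer_policy.policy_data
}
```

Because this resource sets the complete policy of the service account, review the plan for bindings that would be removed before applying it.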

» Import

Service account IAM policy resources can be imported using the service account ID.

$ terraform import yandex_iam_service_account_iam_policy.admin-account-iam service_account_id