Terraform GCP IAM

iam.tf

resource "google_service_account" "sa" {
  account_id   = "my-service-account"
  display_name = "A service account that Jane can use, with some pubsub capabilities"
}

# Allow SA service account use of the default GCE account
# https://www.terraform.io/docs/providers/google/r/google_service_account_iam.html
resource "google_service_account_iam_member" "gce-default-account-iam" {
  service_account_id = data.google_compute_default_service_account.default.name
  role               = "roles/iam.serviceAccountUser"
  member             = "serviceAccount:${google_service_account.sa.email}"
}

# Give some role to a serviceaccount in a project - conditions are in BETA
# https://www.terraform.io/docs/providers/google/r/google_project_iam.html
resource "google_project_iam_member" "project" {
  project = "your-project-id"
  role    = "roles/editor"
  member  = "serviceAccount:${google_service_account.sa.email}"

  condition {
    title       = "expires_after_2019_12_31"
    description = "Expiring at midnight of 2019-12-31"
    expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
  }
}

# Most resources has IAM Settings as resources, for example pubsub subscriptions
# https://www.terraform.io/docs/providers/google/r/pubsub_subscription_iam.html
resource "google_pubsub_subscription_iam_member" "editor" {
  project     = "your-project"
  subscription = "your-subscription-name"
  role         = "roles/editor"
  member       = "serviceAccount:${google_service_account.sa.email}"
  #member       = "user:[email protected]"
  #member       = "group:[email protected]"
  #member       = "domain:[email protected]"
}