yandex_iam_service_account_iam_policy (Resource)
IAM policy for a service account
When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource treats the service account as a resource: it attaches IAM policy bindings to the service account that define who is allowed to view, edit, or use that service account (as opposed to granting the service account permissions on other resources).
There are three different resources that help you manage your IAM policy for a service account. Each of these resources is used for a different use case:
- yandex_iam_service_account_iam_policy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.
- yandex_iam_service_account_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.
- yandex_iam_service_account_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role of the service account are preserved.
Warning: yandex_iam_service_account_iam_policy cannot be used in conjunction with yandex_iam_service_account_iam_binding and yandex_iam_service_account_iam_member, or they will conflict over what your policy should be.
Warning: yandex_iam_service_account_iam_binding resources can be used in conjunction with yandex_iam_service_account_iam_member resources only if they do not grant privileges to the same role.
Example usage
```terraform
//
// Create a new IAM Service Account IAM Policy.
//
data "yandex_iam_policy" "admin" {
  binding {
    role = "admin"
    members = [
      "userAccount:foobar_user_id",
    ]
  }
}

resource "yandex_iam_service_account_iam_policy" "admin-account-iam" {
  service_account_id = "aje5a**********qspd3"
  policy_data        = data.yandex_iam_policy.admin.policy_data
}
```
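The example above attaches a single binding. Because this resource is authoritative, the policy_data you pass must enumerate every binding the service account should keep: anything not listed is removed on the next apply. The following configuration is an added example (not part of the provider documentation) showing a complete policy with several roles, a timeouts block, and the conflicting non-authoritative pattern that must not be combined with it. All IDs, role names beyond those in the page (iam.serviceAccounts.user, editor, viewer are real Yandex Cloud roles, but the assignments here are assumptions), and the member identifiers are placeholders.

```terraform
// Added example: an authoritative policy that carries every binding the
// service account needs. Placeholder IDs must be replaced before use.

locals {
  // Service account whose access policy is being managed (placeholder ID).
  target_sa_id = "ajeXXXXXXXXXXXXXXXXX"
}

data "yandex_iam_policy" "sa_policy" {
  // Who may modify the service account itself.
  binding {
    role = "editor"
    members = [
      "userAccount:<admin_user_id>", // placeholder
    ]
  }

  // Who may act as (impersonate) the service account, e.g. a CI runner.
  // This is the binding that grants use of the identity, so keep it narrow.
  binding {
    role = "iam.serviceAccounts.user"
    members = [
      "serviceAccount:<ci_runner_sa_id>", // placeholder
    ]
  }

  // Read-only visibility for auditors.
  binding {
    role = "viewer"
    members = [
      "userAccount:<auditor_user_id>", // placeholder
    ]
  }
}

resource "yandex_iam_service_account_iam_policy" "sa_policy" {
  service_account_id = local.target_sa_id
  policy_data        = data.yandex_iam_policy.sa_policy.policy_data

  // Optional: bound how long a single operation may take (see the timeouts schema).
  timeouts {
    default = "5m"
  }
}

// Do NOT add this alongside the authoritative policy above. On every apply
// the policy resource would remove the member and this resource would add
// it back, so the two would fight over the "viewer" role:
//
// resource "yandex_iam_service_account_iam_member" "extra_viewer" {
//   service_account_id = local.target_sa_id
//   role               = "viewer"
//   member             = "userAccount:<another_user_id>"
// }
```

Before applying, run terraform plan and confirm the bindings it reports as removed are ones you intend to revoke; with an authoritative policy, a binding that was granted out of band (for example through the console) disappears silently unless it is also declared here.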
Schema
Required
policy_data
(String) Required only by yandex_iam_service_account_iam_policy. The policy data generated by a yandex_iam_policy data source.
service_account_id
(String) The service account ID to apply a binding to.
Optional
timeouts
(Block, Optional) (see below for nested schema)
Read-Only
id
(String) The ID of this resource.
timeouts
Nested Schema for timeouts:
default
(String) A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
Import
The resource can be imported by using its resource ID, which for this resource is the ID of the service account the policy is attached to. To find the service account ID you can use the Yandex Cloud Web Console.
```shell
# terraform import yandex_iam_service_account_iam_policy.<resource Name> <resource Id>
terraform import yandex_iam_service_account_iam_policy.admin-account-iam aje5a**********qspd3
```