yandex_iam_service_account_iam_policy (Resource)
IAM policy for a service account
When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource is used to add IAM policy bindings to a service account resource to configure permissions that define who can edit the service account.
There are three different resources that help you manage your IAM policy for a service account. Each of these resources is used for a different use case:
- yandex_iam_service_account_iam_policy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.
- yandex_iam_service_account_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.
- yandex_iam_service_account_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role of the service account are preserved.
Warning
yandex_iam_service_account_iam_policy cannot be used in conjunction with yandex_iam_service_account_iam_binding and yandex_iam_service_account_iam_member or they will conflict over what your policy should be.
Warning
yandex_iam_service_account_iam_binding resources can be used in conjunction with yandex_iam_service_account_iam_member resources only if they do not grant privileges to the same role.
Example usage
//
// Create a new IAM Service Account IAM Policy.
//
data "yandex_iam_policy" "admin" {
binding {
role = "admin"
members = [
"userAccount:foobar_user_id",
]
}
}
resource "yandex_iam_service_account_iam_policy" "admin-account-iam" {
service_account_id = "aje5a**********qspd3"
policy_data = data.yandex_iam_policy.admin.policy_data
}
Arguments & Attributes Reference
id(String).policy_data(Required)(String). Required only byyandex_iam_service_account_iam_policy. The policy data generated by ayandex_iam_policydata source.service_account_id(Required)(String). The service account ID to apply a binding to.
Import
The resource can be imported by using their resource ID. For getting it you can use Yandex Cloud Web Console or Yandex Cloud CLI.
# terraform import yandex_iam_service_account_iam_policy.<resource Name> <resource Id>
terraform import yandex_iam_service_account_iam_policy.admin-account-iam aje5a**********qspd3