IAM policy for container-engine-robot.iam.gserviceaccount.com appears out of the void #214
Comments
FWIW, for some of my GCP projects, I've received a notification email about Google adding said service account.

> This service account will be used by Container Engine to manage cluster resources in the project on your behalf. Do not remove/modify this service account if you are using the Container Engine API. Note that the service account will be automatically added back if you disable/enable the Container Engine API.

There are two ways to handle this:
@danawillow thanks for the insights! For now, I've worked around the issue by changing the datasource to:

```hcl
# var.data_project_service_accounts contains:
# [
#   '***@cloudservices.gserviceaccount.com',
#   '***[email protected]',
# ]
#
# var.project_id contains the numeric Google Cloud Project ID
data "google_iam_policy" "default" {
  binding {
    role    = "roles/pubsub.editor"
    members = "${formatlist("serviceAccount:%s", var.data_project_service_accounts)}"
  }

  # Cloudsql proxy service account:
  binding {
    role    = "roles/cloudsql.client"
    members = [
      "serviceAccount:***@***.iam.gserviceaccount.com",
    ]
  }

  # The following binding is always re-enabled by Google, see:
  # https://github.com/terraform-providers/terraform-provider-google/issues/214
  binding {
    role    = "roles/container.serviceAgent"
    members = [
      "serviceAccount:service-${var.project_id}@container-engine-robot.iam.gserviceaccount.com",
    ]
  }
}
```

In the long run I would of course prefer the solution of #171 but the current workaround is also fine for now. Hence I'll close this issue. Thanks again for the support!
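As an added example (not code from this issue or from the provider), a pre-apply check in Python that flags the failure mode discussed here: an authoritative `google_iam_policy` that silently strips a Google-managed service agent binding such as `roles/container.serviceAgent`. The policy JSON, project number 123456, members and the suffix list are constructed for the example.

```python
import json

# Assumption: members ending in these suffixes are Google-managed service agents,
# which the platform re-creates if an authoritative policy removes them.
GOOGLE_MANAGED_SUFFIXES = (
    "@container-engine-robot.iam.gserviceaccount.com",
    "@cloudservices.gserviceaccount.com",
)

# Constructed sample of the policy currently on the project, in the JSON shape of
# `gcloud projects get-iam-policy PROJECT --format=json`; project number 123456
# and the members are made up for this example.
CURRENT_POLICY_JSON = """{
  "bindings": [
    {"role": "roles/container.serviceAgent",
     "members": ["serviceAccount:service-123456@container-engine-robot.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:123456@cloudservices.gserviceaccount.com",
                 "user:alice@example.com"]}
  ]
}"""

# Constructed sample of the authoritative policy Terraform is about to apply:
# same editor members in a different order, no container.serviceAgent binding.
DESIRED_POLICY_JSON = """{
  "bindings": [
    {"role": "roles/editor",
     "members": ["user:alice@example.com",
                 "serviceAccount:123456@cloudservices.gserviceaccount.com"]}
  ]
}"""

def _pairs(policy):
    """Flatten a policy into (role, member) pairs; member order inside a binding
    (the harmless noise in this issue's diff) is deliberately ignored."""
    return {(b["role"], m) for b in policy.get("bindings", []) for m in b.get("members", [])}

def is_google_managed(member):
    return member.startswith("serviceAccount:") and member.endswith(GOOGLE_MANAGED_SUFFIXES)

def dropped_service_agent_bindings(current_json, desired_json):
    """(role, member) pairs for Google-managed agents bound in the current policy
    that the desired (authoritative) policy would remove, sorted for stable output."""
    current, desired = _pairs(json.loads(current_json)), _pairs(json.loads(desired_json))
    return sorted(p for p in current - desired if is_google_managed(p[1]))

if __name__ == "__main__":
    for role, member in dropped_service_agent_bindings(CURRENT_POLICY_JSON, DESIRED_POLICY_JSON):
        print(f"apply would strip {member} from {role}; expect Google to add it back")
```

Running it against the two samples reports the container.serviceAgent binding as dropped; adding that binding to the desired policy, as the workaround above does, makes the check come back empty.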
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!
Terraform Version
0.9.5 (but tested with 0.9.11 as well)
Affected Resource(s)
Terraform Configuration Files
Expected Behavior
I'm using the `google_iam_policy` data source to specify the IAM policies on a gcloud project which is managed 100% through terraform. I'm using container engine in this project. When I ran `terraform plan` on this project again yesterday (the previous terraform run was some weeks before) I received several diffs which appeared out of the void. Here's the output:
Here's a nicer version of the interesting diff:
While I don't really care about the re-ordering of the members in the first binding, I'm wondering where the `container-engine-robot.iam.gserviceaccount.com` service account came from? I assume it was created automatically by Google Cloud.
My major question is: How to deal with such a situation? So far I haven't seen a negative impact in simply removing that IAM policy by running `terraform apply`. However I assume that Google Cloud doesn't create these service accounts just for fun and I'm wondering if it would automatically re-create them in case it really needs them?! I recall hashicorp/terraform#13004 where there was a similar issue with Google Cloud APIs being enabled out of control of terraform. Is this a similar situation here (and would there be a similar solution)?