I have a service account that Terraform uses to manage my cloud resources (let's call it resource-manager-sa). I want it to be able to create/edit/delete other service accounts, but I don't want it to elevate its own permissions.
I know I could use google_service_account_iam_member (as I have seen in another StackOverflow question) to allow access to other service accounts, e.g.
    resource "google_service_account_iam_member" "admin-account-iam" {
      service_account_id = google_service_account.resource_manager_sa.name
      role               = "roles/iam.serviceAccountUser"
      member             = "serviceAccount:${google_service_account.other_sa.email}"
    }
but that would require me to define all service accounts that I want the resource-manager-sa to manage. Instead I wanted to add access to all service accounts by default, but only disable access to itself (so that when I create new service accounts, I know Terraform will be able to manage them).
My initial idea was to use IAM conditions, something like (it's not going to work):
    resource "google_project_iam_member" "service-account" {
      project = var.project
      role    = "roles/iam.serviceAccountAdmin"
      member  = "serviceAccount:${google_service_account.resource-manager-sa.email}"

      condition {
        title      = "Cannot manage itself"
        expression = "!resource.name.startsWith('resource-manager-sa@')"
      }
    }
However, I couldn't find anything that suggests this is possible in the documentation: https://cloud.google.com/iam/docs/conditions-resource-attributes
Is something like this achievable, and is it recommendable, or would you consider it bad practice?
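The per-service-account binding the question already mentions can be generated with for_each instead of being written out by hand, so the manager is excluded structurally (it is simply never a member of the set being iterated) rather than by a condition expression. The following Terraform is an added example, not code from the original question or from any linked answer. It assumes a managed_accounts variable that lists the accounts the manager should control, assumes roles/iam.serviceAccountAdmin is the role wanted (the question uses both serviceAccountUser and serviceAccountAdmin; swap in whichever fits), and assumes the configuration is applied by an identity that is already allowed to set IAM policy on those accounts. All resource and variable names are illustrative.

```hcl
# Added example, not part of the original question. Names, the
# managed_accounts variable and the chosen role are assumptions.

variable "project" {
  type = string
}

# Accounts that resource-manager-sa should be allowed to manage
# (assumed variable). The manager account is deliberately not listed,
# which is what keeps it from being granted rights over itself.
variable "managed_accounts" {
  type = map(string) # account_id => display name
  default = {
    "app-backend"  = "Application backend"
    "batch-runner" = "Nightly batch jobs"
  }
}

# The account Terraform runs as when managing the other accounts.
resource "google_service_account" "resource_manager_sa" {
  project      = var.project
  account_id   = "resource-manager-sa"
  display_name = "Terraform resource manager"
}

# One service account per entry in managed_accounts.
resource "google_service_account" "managed" {
  for_each     = var.managed_accounts
  project      = var.project
  account_id   = each.key
  display_name = each.value
}

# One binding per managed account. Because for_each iterates only over
# google_service_account.managed, resource_manager_sa never appears as
# a target, so no self-grant can be produced by this block.
resource "google_service_account_iam_member" "manager_can_administer" {
  for_each           = google_service_account.managed
  service_account_id = each.value.name
  role               = "roles/iam.serviceAccountAdmin"
  member             = "serviceAccount:${google_service_account.resource_manager_sa.email}"
}
```

Two caveats a practitioner should keep in mind. First, a binding on an individual service account can only cover operations on that account (update, delete, get/set IAM policy); creating a brand-new account is a project-level operation, so if the manager is also supposed to create accounts it still needs a project-scoped grant that this example does not include. Second, the bindings above are written by whoever applies this configuration, so the manager's reach is exactly the set of accounts declared in the map: adding an account to managed_accounts is the act of delegating it, which is easy to review in a plan.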