fix: grant apply serviceAccountTokenCreator
rcwbr authored Oct 8, 2024
1 parent 3d488d0 commit e9cca2f
Showing 1 changed file with 7 additions and 5 deletions.
12 changes: 7 additions & 5 deletions data.tf
@@ -5,25 +5,27 @@ data "google_storage_bucket" "state_bucket" {
data "google_iam_policy" "github_actions_plan_sa_bindings" {
// Allow the plan identity to act as the service account
binding {
role = "roles/iam.workloadIdentityUser"

role = "roles/iam.workloadIdentityUser"
members = [local.github_actions_plan_identity]
}
}

data "google_iam_policy" "github_actions_apply_sa_bindings" {
// Allow the apply identity to act as the service account
binding {
role = "roles/iam.workloadIdentityUser"

role = "roles/iam.workloadIdentityUser"
members = [local.github_actions_apply_identity]
}
binding {
role = "roles/iam.serviceAccountTokenCreator"
members = [local.github_actions_apply_identity]
}
}

data "google_iam_policy" "state_bucket" {
// Plan action service account state bucket binding
binding {
role = "roles/storage.objectUser"
role = "roles/storage.objectUser"
members = [
google_service_account.github_actions_plan.member,
google_service_account.github_actions_apply.member
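Review bot: The new `roles/iam.serviceAccountTokenCreator` binding in `github_actions_apply_sa_bindings` has no comment saying why the apply identity needs it, and it is broader than the `roles/iam.workloadIdentityUser` binding above it: besides access and ID tokens it also allows signing blobs and JWTs as the service account. `local.github_actions_apply_identity` is defined outside this hunk, so confirm it resolves to a principal restricted to the trusted branch or environment rather than the whole repository, because every workflow that matches it gains these signing rights. I would add a comment above the binding such as `// Allow the apply identity to create tokens and sign as the service account (required by <REASON>)`. The `state_bucket` policy block continues past the end of the hunk.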