
googleProjectDefaultServiceAccounts

Allows management of Google Cloud Platform project default service accounts.

When certain service APIs are enabled, Google Cloud Platform automatically creates service accounts to help get started, but this is not recommended for production environments as per Google's documentation. See the Organization documentation for more details.

~> WARNING Some Google Cloud products do not work if the default service accounts are deleted, so it is better to deprivilege them: Google CANNOT recover service accounts that have been deleted for more than 30 days. Google also recommends using the constraints/iam.automaticIamGrantsForDefaultServiceAccounts constraint to disable automatic IAM grants to default service accounts.

~> This resource works on a best-effort basis, as no API formally describes the default service accounts; it is intended for users who are unable to use constraints. If the default service accounts change their names, or additional default service accounts are added, this resource will need to be updated.

Example Usage

```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.projectDefaultServiceAccounts.ProjectDefaultServiceAccounts(
  this,
  "my_project",
  {
    action: "DELETE",
    project: "my-project-id",
  }
);
```

To re-enable the default service accounts when the resource is destroyed:

```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.projectDefaultServiceAccounts.ProjectDefaultServiceAccounts(
  this,
  "my_project",
  {
    action: "DISABLE",
    project: "my-project-id",
    // CDKTF uses the camelCase property name; restore_policy is the HCL spelling.
    restorePolicy: "REVERT",
  }
);
```

Argument Reference

The following arguments are supported:

  • project - (Required) The project ID where service accounts are created.

  • action - (Required) The action to be performed on the default service accounts. Valid values are DEPRIVILEGE, DELETE and DISABLE. Note that the DEPRIVILEGE action ignores a REVERT configuration in restorePolicy.

  • restorePolicy - (Optional) The action to be performed on the default service accounts when the resource is destroyed. Valid values are NONE, REVERT and REVERT_AND_IGNORE_FAILURE. It applies to every action except DEPRIVILEGE. If set to REVERT, it attempts to restore all default service accounts (not after DEPRIVILEGE). If set to REVERT_AND_IGNORE_FAILURE, the behaviour is the same as REVERT, but errors returned by the API are ignored.
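As an added example that is not part of the provider documentation, the same resource in its native Terraform HCL form, combined the way the warning above recommends: deprivilege rather than delete, and enforce the organization-policy constraint so new default service accounts receive no automatic grants. The project ID is a placeholder, and applying the constraint at project level with google_project_organization_policy is an assumption (it can equally be set at folder or organization level).

```hcl
# Placeholder project ID; replace with the real one.
locals {
  project_id = "my-project-id"
}

# Stop Google from auto-granting roles to default service accounts
# that are created in future (the constraint named in the warning above).
resource "google_project_organization_policy" "no_auto_grants" {
  project    = local.project_id
  constraint = "iam.automaticIamGrantsForDefaultServiceAccounts"

  boolean_policy {
    enforced = true
  }
}

# Strip roles from the existing default service accounts instead of
# deleting them, so products that depend on the accounts keep working
# and nothing has to be recovered within the 30-day window.
resource "google_project_default_service_accounts" "deprivilege" {
  project = local.project_id
  action  = "DEPRIVILEGE"

  # restore_policy is deliberately left unset: DEPRIVILEGE ignores REVERT,
  # so destroying this resource will not re-grant the removed roles.

  depends_on = [google_project_organization_policy.no_auto_grants]
}
```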

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • id - an identifier for the resource with format projects/{{project}}
  • serviceAccounts - The service accounts changed by this resource. It is used to revert the action on destroy.

Timeouts

This resource provides the following Timeouts configuration options:

  • create - Default is 10 minutes.
  • update - Default is 10 minutes.
  • delete - Default is 10 minutes.

Import

This resource does not support import.