How to allow all organisation ServiceAccounts to publish to a Pub/Sub topic
I know how to bind a member to be able to publish to a Pub/Sub topic in Google Cloud normally. Terraform example:
resource "google_pubsub_topic_iam_member" "member" {
  project = google_pubsub_topic.example.project
  topic   = google_pubsub_topic.example.name
  # The predefined publisher role is roles/pubsub.publisher ("roles/publish" does not exist)
  role    = "roles/pubsub.publisher"
  member  = "user:[email protected]"
}
I'd like to understand how I could allow all serviceAccounts that belong to my GCP organisation to automatically have publish access from their creation time.
Ideal pseudo example:
resource "google_pubsub_topic_iam_member" "member" {
  project = google_pubsub_topic.example.project
  topic   = google_pubsub_topic.example.name
  role    = "roles/pubsub.publisher"
  # Pseudo-syntax: IAM has no wildcard member type for service accounts
  member  = "serviceAccounts:*.mydomain.com"
}
One pattern I'd considered is something like:
- Inventory Asset Feed detects a new serviceAccount has been created
- Asset feed publishes the resource data to pubsub
- Pubsub triggers CloudFunction
- CloudFunction updates a group to contain the new serviceAccount (so now you have a list of serviceAccounts not managed via Terraform)
- Pubsub topic iam member binding allows publish role against the group updated in point 4.
Is there a simpler way of allowing all service accounts or perhaps service accounts that match a given pattern?
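The pattern sketched in the question (asset feed, Pub/Sub, Cloud Function, group membership, one IAM binding on the group) can be written as a small Cloud Function. The code below is an added example, not code from the question or from Google; it assumes a 1st-gen Pub/Sub-triggered function signature, that the feed message body is the Cloud Asset Inventory TemporalAsset JSON, and hypothetical values for the organisation ID (`ORG_ID`) and the Cloud Identity resource name of the group (`GROUP_NAME`, looked up once from the group email). The topic binding then uses `member = "group:<group email>"`. The HTTP sender is injected so the parsing and request-building logic runs offline against a constructed feed message.

```python
"""Cloud Function: add newly created service accounts to a Google Group.

Added example (not from the original question). Assumes:
- Pub/Sub event data is a base64-encoded Cloud Asset Inventory TemporalAsset
- ORG_ID / GROUP_NAME are hypothetical placeholders for a real deployment
- the function's runtime SA is an owner/manager of the target group
"""
import base64
import json
from typing import Callable, Dict, Optional

SERVICE_ACCOUNT_ASSET_TYPE = "iam.googleapis.com/ServiceAccount"
CLOUD_IDENTITY_API = "https://cloudidentity.googleapis.com/v1"

# Hypothetical deployment settings: the organisation whose service accounts
# qualify, and the group's Cloud Identity name (groups/{group_id}, obtained via
# GET /v1/groups:lookup?groupKey.id=<group email>).
ORG_ID = "123456789012"
GROUP_NAME = "groups/01abcdef23456789"


def decode_feed_message(data_b64: str) -> dict:
    """Decode the base64 Pub/Sub payload into the feed's TemporalAsset JSON."""
    return json.loads(base64.b64decode(data_b64).decode("utf-8"))


def eligible_service_account(temporal_asset: dict, org_id: str = ORG_ID) -> Optional[str]:
    """Return the SA email for a live service account under our org, else None.

    Deletions are ignored (a removal path would need a memberships.delete call),
    and the ancestry check guards against a feed accidentally scoped too widely.
    """
    if temporal_asset.get("deleted"):
        return None
    asset = temporal_asset.get("asset", {})
    if asset.get("assetType") != SERVICE_ACCOUNT_ASSET_TYPE:
        return None
    if f"organizations/{org_id}" not in asset.get("ancestors", []):
        return None
    email = asset.get("resource", {}).get("data", {}).get("email", "")
    return email if "@" in email else None


def membership_request(email: str, group_name: str = GROUP_NAME) -> Dict[str, object]:
    """Build the Cloud Identity memberships.create call for the service account."""
    return {
        "method": "POST",
        "url": f"{CLOUD_IDENTITY_API}/{group_name}/memberships",
        "json": {"preferredMemberKey": {"id": email}, "roles": [{"name": "MEMBER"}]},
    }


def _send_authenticated(request: dict) -> object:
    """Real sender using the runtime SA via google-auth (only used when deployed)."""
    import google.auth
    from google.auth.transport.requests import AuthorizedSession

    scopes = ["https://www.googleapis.com/auth/cloud-identity.groups"]
    credentials, _ = google.auth.default(scopes=scopes)
    resp = AuthorizedSession(credentials).request(
        request["method"], request["url"], json=request["json"]
    )
    # Pub/Sub may redeliver; an already-existing membership (409) is fine.
    if resp.status_code not in (200, 409):
        resp.raise_for_status()
    return resp


def handle_asset_event(event: dict, context=None,
                       send: Optional[Callable[[dict], object]] = None) -> Optional[str]:
    """Entry point. Returns the email added to the group, or None if ignored."""
    email = eligible_service_account(decode_feed_message(event["data"]))
    if email is None:
        return None
    (send or _send_authenticated)(membership_request(email))
    return email


# Constructed sample feed message (not captured from a real project).
SAMPLE_TEMPORAL_ASSET = {
    "asset": {
        "name": "//iam.googleapis.com/projects/demo-proj/serviceAccounts/"
                "builder@demo-proj.iam.gserviceaccount.com",
        "assetType": SERVICE_ACCOUNT_ASSET_TYPE,
        "ancestors": ["projects/111111111111", "folders/222222222222",
                      f"organizations/{ORG_ID}"],
        "resource": {"data": {"email": "builder@demo-proj.iam.gserviceaccount.com",
                              "projectId": "demo-proj"}},
    },
    "priorAssetState": "DOES_NOT_EXIST",
    "deleted": False,
}


def sample_event(temporal_asset: dict) -> dict:
    """Wrap a TemporalAsset the way Pub/Sub delivers it to the function."""
    return {"data": base64.b64encode(json.dumps(temporal_asset).encode()).decode()}


if __name__ == "__main__":
    calls = []
    print(handle_asset_event(sample_event(SAMPLE_TEMPORAL_ASSET), send=calls.append))
    print(calls[0]["url"])
```

Two caveats a reviewer would raise: a binding that reaches every service account in the organisation means any compromised account anywhere in the org can publish, so keep the topic's consumers defensive; and because the feed and the group are eventually consistent, an account created moments ago may fail its first publish until the membership propagates.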
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow