fix: adds permission for creating identity tokens

henryde · henryde · commit 647586f90bfa · 2024-04-08T06:24:11.000Z
When using workload identity federation we must explicitly create an ID
token.
diff --git a/modules/meshcloud-replicator-service-account/module.tf b/modules/meshcloud-replicator-service-account/module.tf
@@ -72,7 +72,6 @@ resource "google_folder_iam_member" "replicator_service" {
   member = "serviceAccount:${google_service_account.replicator_service.email}"
 }
 
-
 /*
   Billing Accounts are associated with an organization and can thus inherit organization level role assignments
   see https://cloud.google.com/billing/docs/how-to/billing-access).
@@ -106,3 +105,12 @@ resource "google_service_account_iam_member" "replicator" {
   role               = "roles/iam.workloadIdentityUser"
   member             = "principal://iam.googleapis.com/${var.workload_identity_federation.pool_id}/subject/${var.workload_identity_federation.subject}"
 }
+
+# Cloud functions must be called with ID tokens but after impersonation we only have an access token and must explicitly create an ID token.
+resource "google_service_account_iam_member" "replicator_id_token" {
+  for_each = var.workload_identity_federation == null ? {} : { 0 = "roles/iam.serviceAccountOpenIdTokenCreator", 1 = "roles/iam.serviceAccountTokenCreator" }
+
+  service_account_id = google_service_account.replicator_service.id
+  role               = each.value
+  member             = "serviceAccount:${google_service_account.replicator_service.email}"
+}
