Creates a GCP service account

This module can be used to create and manage a GCP service account via opta, including permissioning and mapping to kubernetes service accounts.

Map to K8s Service Account

You can designate your GCP service account to allow role assumption from a service account in one of your gke clusters. This is done via the allowed_k8s_services field which takes as input a list of entries holding a namespace and service_account_name field, corresponding to a given namespace+service_account to trust.

Warning: This trust will be for all clusters in the project, not just the current one of this environment.

For more information, you can read the official GCP docs here


This module can also be linked to other resources, like in the k8s-service. It will then have the desired permissions for said resources. Currently supported resources:

  • GCS Bucket


  - name: deployer
    type: gcp-service-account
      - namespace: "blah"
        service_account_name: "baloney"


Name Description Default Required
allowed_k8s_services K8s service accounts that this role should have access to. [] False
links A list of extra IAM role policies not captured by Opta which you wish to give to your service. [] False
additional_iam_roles A list of extra project-level iam roles to grant to the service account [] False
explicit_name An explicit name to give to your service account (warning– must be unique per account) None False


Name Description
service_account_id The id of the GCP service account created
service_account_email The email of the GCP service account created

Last modified August 5, 2022 : Cleanup install script (#197) (2175394)