Shared VPC mesh.googleapis.com serviceaccount role assignment #986

@bjhshadow

Description

TL;DR

Enabling the container API for GKE today grants the network user role to multiple service accounts on the Shared VPC. When GKE Cloud Service Mesh is enabled with mesh.googleapis.com, the mesh service account also requires permissions on the Shared VPC in order to function.

Request: modules/shared_vpc_access should grant the service agent roles when the container and mesh APIs are activated.

Follow the pattern established by the container/kafka APIs.

Terraform Resources

google_project_iam_member

Detailed design

locals {
...
  # Cloud Service Mesh service agent of the service project and the role it
  # needs on the Shared VPC host project.
  "mesh.googleapis.com" : {
    service_account = format("service-%s@gcp-sa-servicemesh.iam.gserviceaccount.com", local.service_project_number)
    role            = "roles/anthosservicemesh.serviceAgent"
  }
  cloud_service_mesh_enabled = contains(var.active_apis, "mesh.googleapis.com")
...
}

# Grant the mesh service agent its role on the host project only when the
# service project is attached to the Shared VPC and both GKE and the mesh API
# are enabled (gke_shared_vpc_enabled is an existing local of the module).
resource "google_project_iam_member" "cloud_service_mesh_host_agent" {
  count   = local.gke_shared_vpc_enabled && var.enable_shared_vpc_service_project && local.cloud_service_mesh_enabled ? 1 : 0
  project = var.host_project_id
  role    = local.apis["mesh.googleapis.com"].role
  member  = format("serviceAccount:%s", local.apis["mesh.googleapis.com"].service_account)
}

Additional information

https://cloud.google.com/service-mesh/docs/onboarding/provision-control-plane#before_you_begin
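The same grant written out as one for_each over every service agent that needs a host-project role, so the mesh agent is handled by the same code path as the GKE agent. This is an added example, not the issue author's snippet or the project-factory module's own code. It assumes input variables named host_project_id, service_project_number, active_apis and enable_shared_vpc_service_project, and that the GKE service agent receives roles/container.hostServiceAgentUser on the host project; the mesh agent's service account and role are the ones from the design above.

```hcl
# Added example (not the module's code). Assumed inputs:
#   var.host_project_id                   - Shared VPC host project ID
#   var.service_project_number            - numeric project number of the service project
#   var.active_apis                       - list of APIs enabled on the service project
#   var.enable_shared_vpc_service_project - whether the service project is attached to the host
locals {
  # Service agents that need a host-project role once their API is enabled.
  # The service-agent e-mail is built from the project NUMBER, not the ID.
  shared_vpc_agents = {
    "container.googleapis.com" = {
      service_account = "service-${var.service_project_number}@container-engine-robot.iam.gserviceaccount.com"
      role            = "roles/container.hostServiceAgentUser" # assumed role for the GKE agent
    }
    "mesh.googleapis.com" = {
      service_account = "service-${var.service_project_number}@gcp-sa-servicemesh.iam.gserviceaccount.com"
      role            = "roles/anthosservicemesh.serviceAgent"
    }
  }

  gke_enabled = contains(var.active_apis, "container.googleapis.com")

  # Keep only the agents whose API is active. The mesh runs on a GKE cluster,
  # so its binding is created only when the container API is active too; no
  # binding at all is created unless the project is attached to the host VPC.
  active_agents = var.enable_shared_vpc_service_project ? {
    for api, agent in local.shared_vpc_agents : api => agent
    if contains(var.active_apis, api) && (api == "container.googleapis.com" || local.gke_enabled)
  } : {}
}

# google_project_iam_member is additive: it adds exactly one member to one role
# and leaves other members of that role on the host project untouched, which is
# what a module that does not own the host project's IAM policy should do.
resource "google_project_iam_member" "shared_vpc_host_agent" {
  for_each = local.active_agents

  project = var.host_project_id
  role    = each.value.role
  member  = "serviceAccount:${each.value.service_account}"
}
```

Because the map is keyed by API name, enabling mesh.googleapis.com later adds the one mesh binding without recreating the GKE one, and disabling it removes only that binding. After apply, the host project's IAM policy should show the service-agent member under roles/anthosservicemesh.serviceAgent and nothing broader.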

Labels: enhancement (New feature or request)