temporalio · shakeelrao · Nov 11, 2025 · Nov 11, 2025 · Nov 11, 2025 · Nov 11, 2025
@@ -56,6 +56,7 @@ output "service_account" {
 - `created_at` (String) The creation time of the Service Account.
 - `description` (String) The description of the Service Account.
 - `name` (String) The name associated with the service account.
+- `namespace_scoped_access` (Attributes) The namespace-scoped access configuration for this service account. (see [below for nested schema](#nestedatt--namespace_scoped_access))
 - `state` (String) The current state of the Service Account.
 - `updated_at` (String) The last update time of the Service Account.
 
@@ -65,4 +66,13 @@ output "service_account" {
 Read-Only:
 
 - `namespace_id` (String) The namespace to assign permissions to.
-- `permission` (String) The permission to assign. Must be one of admin, write, or read (case-insensitive)
+- `permission` (String) The permission to assign. Must be one of admin, write, or read (case-insensitive).
+
+
+<a id="nestedatt--namespace_scoped_access"></a>
+### Nested Schema for `namespace_scoped_access`
+
+Read-Only:
+
+- `namespace_id` (String) The namespace this service account is scoped to.
+- `permission` (String) The permission to assign. Must be one of admin, write, or read (case-insensitive).
@@ -34,6 +34,7 @@ Read-Only:
 - `description` (String) The description of the Service Account.
 - `id` (String) The unique identifier of the Service Account.
 - `name` (String) The name associated with the service account.
+- `namespace_scoped_access` (Attributes) The namespace-scoped access configuration for this service account. (see [below for nested schema](#nestedatt--service_accounts--namespace_scoped_access))
 - `state` (String) The current state of the Service Account.
 - `updated_at` (String) The last update time of the Service Account.
 
@@ -43,4 +44,13 @@ Read-Only:
 Read-Only:
 
 - `namespace_id` (String) The namespace to assign permissions to.
-- `permission` (String) The permission to assign. Must be one of admin, write, or read (case-insensitive)
+- `permission` (String) The permission to assign. Must be one of admin, write, or read (case-insensitive).
+
+
+<a id="nestedatt--service_accounts--namespace_scoped_access"></a>
+### Nested Schema for `service_accounts.namespace_scoped_access`
+
+Read-Only:
+
+- `namespace_id` (String) The namespace this service account is scoped to.
+- `permission` (String) The permission to assign. Must be one of admin, write, or read (case-insensitive).
@@ -54,13 +54,14 @@ resource "temporalcloud_service_account" "namespace_admin" {
 
 ### Required
 
-- `account_access` (String) The role on the account. Must be one of admin, developer, or read (case-insensitive).
 - `name` (String) The name associated with the service account.
 
 ### Optional
 
+- `account_access` (String) The role on the account. Must be one of admin, developer, or read (case-insensitive). Cannot be set if namespace_scoped_access is provided.
 - `description` (String) The description for the service account.
-- `namespace_accesses` (Attributes Set) The set of namespace accesses. Empty sets are not allowed, omit the attribute instead. Service Accounts with an account_access role of admin cannot be assigned explicit permissions to namespaces. Admins implicitly receive access to all Namespaces. (see [below for nested schema](#nestedatt--namespace_accesses))
+- `namespace_accesses` (Attributes Set) The set of namespace accesses. Empty sets are not allowed, omit the attribute instead. Service Accounts with an account_access role of admin cannot be assigned explicit permissions to namespaces. Admins implicitly receive access to all Namespaces. Cannot be set if namespace_scoped_access is provided. (see [below for nested schema](#nestedatt--namespace_accesses))
+- `namespace_scoped_access` (Attributes) Configures this service account as a namespace-scoped service account with access to only a single namespace. The namespace assignment is immutable after creation. Cannot be set if account_access or namespace_accesses are provided. (see [below for nested schema](#nestedatt--namespace_scoped_access))
 - `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
 
 ### Read-Only
@@ -77,6 +78,15 @@ Required:
 - `permission` (String) The permission to assign. Must be one of admin, write, or read (case-insensitive)
 
 
+<a id="nestedatt--namespace_scoped_access"></a>
+### Nested Schema for `namespace_scoped_access`
+
+Required:
+
+- `namespace_id` (String) The namespace to scope this service account to. This field is immutable after creation.
+- `permission` (String) The permission to assign. Must be one of admin, write, or read (case-insensitive). This field is mutable.
+
+
 <a id="nestedblock--timeouts"></a>
 ### Nested Schema for `timeouts`
 

@@ -1,9 +1,12 @@
 package provider
 
 import (
+	"bufio"
+	"bytes"
 	"fmt"
 	"github.com/hashicorp/terraform-plugin-testing/terraform"
 	"testing"
+	"text/template"
 
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 )
@@ -72,3 +75,124 @@ output "service_account" {
 		},
 	})
 }
+
+func TestAccDataSource_NamespaceScopedServiceAccount(t *testing.T) {
+	type configArgs struct {
+		Name          string
+		NamespaceName string
+		Permission    string
+	}
+
+	name := createRandomName()
+	namespaceName := randomString(10)
+
+	tmpl := template.Must(template.New("config").Parse(`
+provider "temporalcloud" {
+
+}
+
+resource "temporalcloud_namespace" "test" {
+  name               = "{{ .NamespaceName }}"
+  regions            = ["aws-us-east-1"]
+  api_key_auth       = true
+  retention_days     = 7
+}
+
+resource "temporalcloud_service_account" "terraform" {
+  name = "{{ .Name }}"
+  namespace_scoped_access = {
+    namespace_id = temporalcloud_namespace.test.id
+    permission   = "{{ .Permission }}"
+  }
+
+  depends_on = [temporalcloud_namespace.test]
+}
+
+data "temporalcloud_service_account" "terraform" {
+  id = temporalcloud_service_account.terraform.id
+}
+
+output "service_account" {
+  value = data.temporalcloud_service_account.terraform
+}
+`))
+
+	config := func(args configArgs) string {
+		var buf bytes.Buffer
+		writer := bufio.NewWriter(&buf)
+		if err := tmpl.Execute(writer, args); err != nil {
+			t.Errorf("failed to execute template:  %v", err)
+			t.FailNow()
+		}
+
+		writer.Flush()
+		return buf.String()
+	}
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+		},
+		ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: config(configArgs{
+					Name:          name,
+					NamespaceName: namespaceName,
+					Permission:    "write",
+				}),
+				Check: func(s *terraform.State) error {
+					output, ok := s.RootModule().Outputs["service_account"]
+					if !ok {
+						return fmt.Errorf("missing expected output")
+					}
+
+					outputValue, ok := output.Value.(map[string]interface{})
+					if !ok {
+						return fmt.Errorf("expected value to be map")
+					}
+
+					outputName, ok := outputValue["name"].(string)
+					if !ok {
+						return fmt.Errorf("expected name to be a string")
+					}
+					if outputName != name {
+						return fmt.Errorf("expected service account name to be %s, got %s", name, outputName)
+					}
+
+					outputState, ok := outputValue["state"].(string)
+					if !ok {
+						return fmt.Errorf("expected state to be a string")
+					}
+					if outputState != "active" {
+						return fmt.Errorf("expected service account state to be active, got %s", outputState)
+					}
+
+					// Verify namespace_scoped_access is present
+					namespaceScopedAccess, ok := outputValue["namespace_scoped_access"].(map[string]interface{})
+					if !ok {
+						return fmt.Errorf("expected namespace_scoped_access to be present and be a map")
+					}
+
+					nsID, ok := namespaceScopedAccess["namespace_id"].(string)
+					if !ok || nsID == "" {
+						return fmt.Errorf("expected namespace_id to be a non-empty string")
+					}
+
+					permission, ok := namespaceScopedAccess["permission"].(string)
+					if !ok || permission != "write" {
+						return fmt.Errorf("expected permission to be 'write', got %v", permission)
+					}
+
+					// Verify account_access is not set for namespace-scoped SA
+					accountAccess, _ := outputValue["account_access"].(string)
+					if accountAccess != "" {
+						return fmt.Errorf("expected account_access to be empty for namespace-scoped service account, got %s", accountAccess)
+					}
+
+					return nil
+				},
+			},
+		},
+	})
+}