Class CryptoKeyIAMMember
Three different resources help you manage the IAM policy for a KMS crypto key. Each of these resources serves a different use case:
- gcp.kms.CryptoKeyIAMPolicy: Authoritative. Sets the IAM policy for the crypto key and replaces any existing policy already attached.
- gcp.kms.CryptoKeyIAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the crypto key are preserved.
- gcp.kms.CryptoKeyIAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the crypto key are preserved.
Note:
gcp.kms.CryptoKeyIAMPolicy cannot be used in conjunction with gcp.kms.CryptoKeyIAMBinding and gcp.kms.CryptoKeyIAMMember, or they will fight over what your policy should be.
Note:
gcp.kms.CryptoKeyIAMBinding resources can be used in conjunction with gcp.kms.CryptoKeyIAMMember resources only if they do not grant privilege to the same role.
using Pulumi;
using Gcp = Pulumi.Gcp;
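/// <summary>
/// Example stack: creates a KMS key ring and crypto key, then sets the key's
/// IAM policy authoritatively with <c>CryptoKeyIAMPolicy</c>.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var keyring = new Gcp.Kms.KeyRing("keyring", new Gcp.Kms.KeyRingArgs
        {
            Location = "global",
        });

        var key = new Gcp.Kms.CryptoKey("key", new Gcp.Kms.CryptoKeyArgs
        {
            KeyRing = keyring.Id,
            // 100000 seconds is roughly 27.8 hours.
            RotationPeriod = "100000s",
        });

        // Build the policy document. The binding uses the typed
        // GetIAMPolicyBindingArgs shape (Bindings / Role / Members), the same
        // form the "With IAM Conditions" example on this page uses, instead of
        // the untyped dictionary initializer.
        var admin = Output.Create(Gcp.Organizations.GetIAMPolicy.InvokeAsync(new Gcp.Organizations.GetIAMPolicyArgs
        {
            Bindings =
            {
                new Gcp.Organizations.Inputs.GetIAMPolicyBindingArgs
                {
                    // Encrypt-only role: the member can encrypt with the key
                    // but is not granted decrypt or key administration.
                    Role = "roles/cloudkms.cryptoKeyEncrypter",
                    Members =
                    {
                        "user:jane@example.com",
                    },
                },
            },
        }));

        // CryptoKeyIAMPolicy is authoritative: applying it replaces whatever
        // policy is already attached to the key, so every principal that still
        // needs access must appear in the policy data above. Do not combine it
        // with CryptoKeyIAMBinding or CryptoKeyIAMMember on the same key.
        var cryptoKey = new Gcp.Kms.CryptoKeyIAMPolicy("cryptoKey", new Gcp.Kms.CryptoKeyIAMPolicyArgs
        {
            CryptoKeyId = key.Id,
            // The lambda parameter is named differently from the outer local
            // so it does not shadow `admin`.
            PolicyData = admin.Apply(policy => policy.PolicyData),
        });
    }
}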
With IAM Conditions:
using Pulumi;
using Gcp = Pulumi.Gcp;
/// <summary>
/// Example stack: builds IAM policy data containing one time-limited binding
/// for the KMS encrypter role. The policy data is only constructed here; this
/// snippet does not attach it to a crypto key.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // Time-bound IAM condition. The expression is true only before
        // 2020-01-01T00:00:00Z, which is already in the past, so copied as-is
        // this binding grants nothing today; choose a future expiry when
        // adapting the example.
        var expiry = new Gcp.Organizations.Inputs.GetIAMPolicyBindingConditionArgs
        {
            Title = "expires_after_2019_12_31",
            Description = "Expiring at midnight of 2019-12-31",
            Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        };

        // One binding: the encrypt-only role for a single user, gated by the
        // condition above.
        var encrypterBinding = new Gcp.Organizations.Inputs.GetIAMPolicyBindingArgs
        {
            Role = "roles/cloudkms.cryptoKeyEncrypter",
            Members =
            {
                "user:jane@example.com",
            },
            Condition = expiry,
        };

        var policyArgs = new Gcp.Organizations.GetIAMPolicyArgs
        {
            Bindings =
            {
                encrypterBinding,
            },
        };

        var admin = Output.Create(Gcp.Organizations.GetIAMPolicy.InvokeAsync(policyArgs));
    }
}
using Pulumi;
using Gcp = Pulumi.Gcp;
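/// <summary>
/// Example stack: grants the KMS encrypter role on a crypto key to a list of
/// members with <c>CryptoKeyIAMBinding</c>.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // The snippet originally read the key ID from `google_kms_crypto_key`,
        // a name that is never declared in C#. The key ring and key are
        // declared here, as in the CryptoKeyIAMPolicy example, so the snippet
        // is self-contained; in a real stack pass the Id of your existing key.
        var keyring = new Gcp.Kms.KeyRing("keyring", new Gcp.Kms.KeyRingArgs
        {
            Location = "global",
        });
        var key = new Gcp.Kms.CryptoKey("key", new Gcp.Kms.CryptoKeyArgs
        {
            KeyRing = keyring.Id,
            RotationPeriod = "100000s",
        });

        // CryptoKeyIAMBinding is authoritative for this one role: the Members
        // list becomes the complete set of holders of the role on the key, so
        // anyone not listed loses it. Other roles on the key are untouched.
        var cryptoKey = new Gcp.Kms.CryptoKeyIAMBinding("cryptoKey", new Gcp.Kms.CryptoKeyIAMBindingArgs
        {
            CryptoKeyId = key.Id,
            Role = "roles/cloudkms.cryptoKeyEncrypter",
            Members =
            {
                "user:jane@example.com",
            },
        });
    }
}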
With IAM Conditions:
using Pulumi;
using Gcp = Pulumi.Gcp;
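/// <summary>
/// Example stack: grants the KMS encrypter role on a crypto key to a list of
/// members with <c>CryptoKeyIAMBinding</c>, limited by an IAM condition.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // The snippet originally read the key ID from `google_kms_crypto_key`,
        // a name that is never declared in C#. The key ring and key are
        // declared here, as in the CryptoKeyIAMPolicy example, so the snippet
        // is self-contained; in a real stack pass the Id of your existing key.
        var keyring = new Gcp.Kms.KeyRing("keyring", new Gcp.Kms.KeyRingArgs
        {
            Location = "global",
        });
        var key = new Gcp.Kms.CryptoKey("key", new Gcp.Kms.CryptoKeyArgs
        {
            KeyRing = keyring.Id,
            RotationPeriod = "100000s",
        });

        // Authoritative for this role on the key: members not listed here lose
        // the role when the binding is applied.
        var cryptoKey = new Gcp.Kms.CryptoKeyIAMBinding("cryptoKey", new Gcp.Kms.CryptoKeyIAMBindingArgs
        {
            CryptoKeyId = key.Id,
            Role = "roles/cloudkms.cryptoKeyEncrypter",
            Members =
            {
                "user:jane@example.com",
            },
            // Time-bound grant. The expression is true only before
            // 2020-01-01T00:00:00Z, which is already in the past, so copied
            // as-is the binding grants nothing today; set a future expiry when
            // adapting the example.
            Condition = new Gcp.Kms.Inputs.CryptoKeyIAMBindingConditionArgs
            {
                Title = "expires_after_2019_12_31",
                Description = "Expiring at midnight of 2019-12-31",
                Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
            },
        });
    }
}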
using Pulumi;
using Gcp = Pulumi.Gcp;
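/// <summary>
/// Example stack: adds a single member to the KMS encrypter role on a crypto
/// key with <c>CryptoKeyIAMMember</c>.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // The snippet originally read the key ID from `google_kms_crypto_key`,
        // a name that is never declared in C#. The key ring and key are
        // declared here, as in the CryptoKeyIAMPolicy example, so the snippet
        // is self-contained; in a real stack pass the Id of your existing key.
        var keyring = new Gcp.Kms.KeyRing("keyring", new Gcp.Kms.KeyRingArgs
        {
            Location = "global",
        });
        var key = new Gcp.Kms.CryptoKey("key", new Gcp.Kms.CryptoKeyArgs
        {
            KeyRing = keyring.Id,
            RotationPeriod = "100000s",
        });

        // CryptoKeyIAMMember is non-authoritative: it adds this one member and
        // leaves other members of the role in place. Do not use it for a role
        // that a CryptoKeyIAMBinding on the same key also manages.
        var cryptoKey = new Gcp.Kms.CryptoKeyIAMMember("cryptoKey", new Gcp.Kms.CryptoKeyIAMMemberArgs
        {
            CryptoKeyId = key.Id,
            Role = "roles/cloudkms.cryptoKeyEncrypter",
            Member = "user:jane@example.com",
        });
    }
}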
With IAM Conditions:
using Pulumi;
using Gcp = Pulumi.Gcp;
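/// <summary>
/// Example stack: adds a single member to the KMS encrypter role on a crypto
/// key with <c>CryptoKeyIAMMember</c>, limited by an IAM condition.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // The snippet originally read the key ID from `google_kms_crypto_key`,
        // a name that is never declared in C#. The key ring and key are
        // declared here, as in the CryptoKeyIAMPolicy example, so the snippet
        // is self-contained; in a real stack pass the Id of your existing key.
        var keyring = new Gcp.Kms.KeyRing("keyring", new Gcp.Kms.KeyRingArgs
        {
            Location = "global",
        });
        var key = new Gcp.Kms.CryptoKey("key", new Gcp.Kms.CryptoKeyArgs
        {
            KeyRing = keyring.Id,
            RotationPeriod = "100000s",
        });

        // Non-authoritative: only this member's grant is managed here.
        var cryptoKey = new Gcp.Kms.CryptoKeyIAMMember("cryptoKey", new Gcp.Kms.CryptoKeyIAMMemberArgs
        {
            CryptoKeyId = key.Id,
            Role = "roles/cloudkms.cryptoKeyEncrypter",
            Member = "user:jane@example.com",
            // Time-bound grant. The expression is true only before
            // 2020-01-01T00:00:00Z, which is already in the past, so copied
            // as-is the grant has no effect today; set a future expiry when
            // adapting the example.
            Condition = new Gcp.Kms.Inputs.CryptoKeyIAMMemberConditionArgs
            {
                Title = "expires_after_2019_12_31",
                Description = "Expiring at midnight of 2019-12-31",
                Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
            },
        });
    }
}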
Inherited Members
Namespace: Pulumi.Gcp.Kms
Assembly: Pulumi.Gcp.dll
Syntax
public class CryptoKeyIAMMember : CustomResource
Constructors
CryptoKeyIAMMember(String, CryptoKeyIAMMemberArgs, CustomResourceOptions)
Create a CryptoKeyIAMMember resource with the given unique name, arguments, and options.
Declaration
public CryptoKeyIAMMember(string name, CryptoKeyIAMMemberArgs args, CustomResourceOptions options = null)
Parameters
| Type | Name | Description |
|---|---|---|
| System.String | name | The unique name of the resource |
| CryptoKeyIAMMemberArgs | args | The arguments used to populate this resource's properties |
| CustomResourceOptions | options | A bag of options that control this resource's behavior |
Properties
Condition
An IAM Condition for a given binding. Structure is documented below.
Declaration
public Output<CryptoKeyIAMMemberCondition> Condition { get; }
Property Value
| Type | Description |
|---|---|
| Output<CryptoKeyIAMMemberCondition> |
CryptoKeyId
The crypto key ID, in the form
{project_id}/{location_name}/{key_ring_name}/{crypto_key_name} or
{location_name}/{key_ring_name}/{crypto_key_name}. In the second form,
the provider's project setting will be used as a fallback.
Declaration
public Output<string> CryptoKeyId { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.String> |
Etag
(Computed) The etag of the project's IAM policy.
Declaration
public Output<string> Etag { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.String> |
Member
Declaration
public Output<string> Member { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.String> |
Role
The role that should be applied. Note that custom roles must be of the format
[projects|organizations]/{parent-name}/roles/{role-name}.
Declaration
public Output<string> Role { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.String> |
Methods
Get(String, Input<String>, CryptoKeyIAMMemberState, CustomResourceOptions)
Get an existing CryptoKeyIAMMember resource's state with the given name, ID, and optional extra properties used to qualify the lookup.
Declaration
public static CryptoKeyIAMMember Get(string name, Input<string> id, CryptoKeyIAMMemberState state = null, CustomResourceOptions options = null)
Parameters
| Type | Name | Description |
|---|---|---|
| System.String | name | The unique name of the resulting resource. |
| Input<System.String> | id | The unique provider ID of the resource to lookup. |
| CryptoKeyIAMMemberState | state | Any extra arguments used during the lookup. |
| CustomResourceOptions | options | A bag of options that control this resource's behavior |
Returns
| Type | Description |
|---|---|
| CryptoKeyIAMMember |