
Class IAMPolicy

When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource adds IAM policy bindings to a service account resource, configuring who is permitted to edit (or act as) the service account. To configure permissions for a service account to act as an identity that can manage other GCP resources, use the google_project_iam set of resources instead.

Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:

  • gcp.serviceAccount.IAMPolicy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.
  • gcp.serviceAccount.IAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.
  • gcp.serviceAccount.IAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.

Note: gcp.serviceAccount.IAMPolicy cannot be used in conjunction with gcp.serviceAccount.IAMBinding and gcp.serviceAccount.IAMMember or they will fight over what your policy should be.

Note: gcp.serviceAccount.IAMBinding resources can be used in conjunction with gcp.serviceAccount.IAMMember resources only if they do not grant privilege to the same role.
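The two notes above describe when the per-role resources may coexist. The following stack, an added example that is not part of the original page, combines an authoritative gcp.serviceAccount.IAMBinding for roles/iam.serviceAccountUser with a non-authoritative gcp.serviceAccount.IAMMember for a different role, roles/iam.serviceAccountTokenCreator, which is the one arrangement the notes permit. The group name ci-runners@example.com and the resource names are assumptions chosen for the example.

```csharp
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var sa = new Gcp.ServiceAccount.Account("sa", new Gcp.ServiceAccount.AccountArgs
        {
            AccountId = "my-service-account",
            DisplayName = "A service account with one binding per role",
        });

        // Authoritative for roles/iam.serviceAccountUser only: this member list is the
        // complete set of principals allowed to act as the service account. Any other
        // member added to this role outside Pulumi is removed on the next update.
        var userBinding = new Gcp.ServiceAccount.IAMBinding("sa-user-binding", new Gcp.ServiceAccount.IAMBindingArgs
        {
            ServiceAccountId = sa.Name,
            Role = "roles/iam.serviceAccountUser",
            Members =
            {
                "user:jane@example.com",
            },
        });

        // Non-authoritative grant on a *different* role. Because the role differs from
        // the IAMBinding above, the two resources do not fight over the same binding.
        // The group address is a constructed example value.
        var tokenCreatorMember = new Gcp.ServiceAccount.IAMMember("sa-token-creator-member", new Gcp.ServiceAccount.IAMMemberArgs
        {
            ServiceAccountId = sa.Name,
            Role = "roles/iam.serviceAccountTokenCreator",
            Member = "group:ci-runners@example.com",
        });
    }
}
```

Granting the two roles through separate resources keeps each grant narrowly scoped: the binding is authoritative only for the "act as" role, and the member grant for token creation can be added or removed without touching it. Using an IAMMember on roles/iam.serviceAccountUser alongside the binding would violate the second note and cause the two resources to alternately add and strip the member on each update.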

google_service_account_iam_policy

using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        // Build the policy document from the getIAMPolicy data source. The bindings
        // listed here become the complete policy for the service account.
        var admin = Output.Create(Gcp.Organizations.GetIAMPolicy.InvokeAsync(new Gcp.Organizations.GetIAMPolicyArgs
        {
            Bindings =
            {
                new Gcp.Organizations.Inputs.GetIAMPolicyBindingArgs
                {
                    Role = "roles/iam.serviceAccountUser",
                    Members =
                    {
                        "user:jane@example.com",
                    },
                },
            },
        }));
        var sa = new Gcp.ServiceAccount.Account("sa", new Gcp.ServiceAccount.AccountArgs
        {
            AccountId = "my-service-account",
            DisplayName = "A service account that only Jane can interact with",
        });
        // Authoritative: replaces whatever policy is currently attached to the service account.
        var admin_account_iam = new Gcp.ServiceAccount.IAMPolicy("admin-account-iam", new Gcp.ServiceAccount.IAMPolicyArgs
        {
            ServiceAccountId = sa.Name,
            PolicyData = admin.Apply(admin => admin.PolicyData),
        });
    }
}

google_service_account_iam_binding

using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var sa = new Gcp.ServiceAccount.Account("sa", new Gcp.ServiceAccount.AccountArgs
        {
            AccountId = "my-service-account",
            DisplayName = "A service account that only Jane can use",
        });
        // Authoritative for roles/iam.serviceAccountUser; other roles on the policy are preserved.
        var admin_account_iam = new Gcp.ServiceAccount.IAMBinding("admin-account-iam", new Gcp.ServiceAccount.IAMBindingArgs
        {
            ServiceAccountId = sa.Name,
            Role = "roles/iam.serviceAccountUser",
            Members =
            {
                "user:jane@example.com",
            },
        });
    }
}

With IAM Conditions:

using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var sa = new Gcp.ServiceAccount.Account("sa", new Gcp.ServiceAccount.AccountArgs
        {
            AccountId = "my-service-account",
            DisplayName = "A service account that only Jane can use",
        });
        var admin_account_iam = new Gcp.ServiceAccount.IAMBinding("admin-account-iam", new Gcp.ServiceAccount.IAMBindingArgs
        {
            // The binding is only effective while the CEL expression evaluates to true.
            Condition = new Gcp.ServiceAccount.Inputs.IAMBindingConditionArgs
            {
                Description = "Expiring at midnight of 2019-12-31",
                Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
                Title = "expires_after_2019_12_31",
            },
            Members =
            {
                "user:jane@example.com",
            },
            Role = "roles/iam.serviceAccountUser",
            ServiceAccountId = sa.Name,
        });
    }
}

google_service_account_iam_member

using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        // Look up the project's default Compute Engine service account.
        var @default = Output.Create(Gcp.Compute.GetDefaultServiceAccount.InvokeAsync());
        var sa = new Gcp.ServiceAccount.Account("sa", new Gcp.ServiceAccount.AccountArgs
        {
            AccountId = "my-service-account",
            DisplayName = "A service account that Jane can use",
        });
        // Non-authoritative: adds Jane to the role without touching other members.
        var admin_account_iam = new Gcp.ServiceAccount.IAMMember("admin-account-iam", new Gcp.ServiceAccount.IAMMemberArgs
        {
            ServiceAccountId = sa.Name,
            Role = "roles/iam.serviceAccountUser",
            Member = "user:jane@example.com",
        });
        // Allow the "sa" service account to act as the default GCE service account.
        var gce_default_account_iam = new Gcp.ServiceAccount.IAMMember("gce-default-account-iam", new Gcp.ServiceAccount.IAMMemberArgs
        {
            ServiceAccountId = @default.Apply(@default => @default.Name),
            Role = "roles/iam.serviceAccountUser",
            Member = sa.Email.Apply(email => $"serviceAccount:{email}"),
        });
    }
}

With IAM Conditions:

using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var sa = new Gcp.ServiceAccount.Account("sa", new Gcp.ServiceAccount.AccountArgs
        {
            AccountId = "my-service-account",
            DisplayName = "A service account that Jane can use",
        });
        var admin_account_iam = new Gcp.ServiceAccount.IAMMember("admin-account-iam", new Gcp.ServiceAccount.IAMMemberArgs
        {
            // The grant is only effective while the CEL expression evaluates to true.
            Condition = new Gcp.ServiceAccount.Inputs.IAMMemberConditionArgs
            {
                Description = "Expiring at midnight of 2019-12-31",
                Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
                Title = "expires_after_2019_12_31",
            },
            Member = "user:jane@example.com",
            Role = "roles/iam.serviceAccountUser",
            ServiceAccountId = sa.Name,
        });
    }
}

Inheritance

  • System.Object
  • Resource
  • CustomResource
  • IAMPolicy

Inherited Members

  • CustomResource.Id
  • Resource.GetResourceType()
  • Resource.GetResourceName()
  • Resource.Urn
  • System.Object.Equals(System.Object)
  • System.Object.Equals(System.Object, System.Object)
  • System.Object.GetHashCode()
  • System.Object.GetType()
  • System.Object.MemberwiseClone()
  • System.Object.ReferenceEquals(System.Object, System.Object)
  • System.Object.ToString()

Namespace: Pulumi.Gcp.ServiceAccount
Assembly: Pulumi.Gcp.dll

Syntax

public class IAMPolicy : CustomResource

Constructors


IAMPolicy(String, IAMPolicyArgs, CustomResourceOptions)

Create an IAMPolicy resource with the given unique name, arguments, and options.

Declaration

public IAMPolicy(string name, IAMPolicyArgs args, CustomResourceOptions options = null)

Parameters

  • System.String name: The unique name of the resource.
  • IAMPolicyArgs args: The arguments used to populate this resource's properties.
  • CustomResourceOptions options: A bag of options that control this resource's behavior.

Properties


Etag

(Computed) The etag of the service account IAM policy.

Declaration

public Output<string> Etag { get; }

Property Value: Output<System.String>

PolicyData

The policy data generated by a gcp.organizations.getIAMPolicy data source.

Declaration

public Output<string> PolicyData { get; }

Property Value: Output<System.String>

ServiceAccountId

The fully-qualified name of the service account to apply the policy to.

Declaration

public Output<string> ServiceAccountId { get; }

Property Value: Output<System.String>

Methods


Get(String, Input<String>, IAMPolicyState, CustomResourceOptions)

Get an existing IAMPolicy resource's state with the given name, ID, and optional extra properties used to qualify the lookup.

Declaration

public static IAMPolicy Get(string name, Input<string> id, IAMPolicyState state = null, CustomResourceOptions options = null)

Parameters

  • System.String name: The unique name of the resulting resource.
  • Input<System.String> id: The unique provider ID of the resource to look up.
  • IAMPolicyState state: Any extra arguments used during the lookup.
  • CustomResourceOptions options: A bag of options that control this resource's behavior.

Returns

  • IAMPolicy
Copyright 2016-2020, Pulumi Corporation.