Class BucketIAMPolicy
Three different resources help you manage the IAM policy of a Cloud Storage bucket. Each serves a different use case, and each has a different blast radius when applied, so pick the narrowest one that expresses the grant you need:
- gcp.storage.BucketIAMPolicy: Authoritative. Sets the entire IAM policy for the bucket and replaces any existing policy already attached. Every binding that is not present in the supplied policy data is removed, so an incomplete policy document can silently revoke access from principals (including service accounts) that were granted access outside of this program.
- gcp.storage.BucketIAMBinding: Authoritative for a given role. Updates the IAM policy so that the listed members hold that role; because it is authoritative for the role, members of that role that are not in the list are expected to be dropped. Other roles within the IAM policy for the bucket are preserved.
- gcp.storage.BucketIAMMember: Non-authoritative. Updates the IAM policy to grant a role to a single new member. Other members of that role, and all other roles, are preserved. This is the least disruptive option for adding one grant to a bucket whose policy is managed elsewhere.
Note:
gcp.storage.BucketIAMPolicy cannot be used in conjunction with gcp.storage.BucketIAMBinding or gcp.storage.BucketIAMMember on the same bucket, or they will fight over what your policy should be: each deployment overwrites the other's grants, so access can appear and disappear between runs.
Note:
gcp.storage.BucketIAMBinding resources can be used in conjunction with gcp.storage.BucketIAMMember resources only if they do not grant privilege to the same role; a binding that is authoritative for a role will otherwise remove the member that the BucketIAMMember resource added.
google_storage_bucket_iam_policy (gcp.storage.BucketIAMPolicy — authoritative; replaces the whole bucket policy)
using Pulumi;
using Gcp = Pulumi.Gcp;
/// <summary>
/// Example stack that sets the complete IAM policy of a bucket.
/// BucketIAMPolicy is authoritative: the policy document built here becomes
/// the bucket's entire policy, and any binding not contained in it is removed.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // The desired policy: a single binding granting roles/storage.admin
        // to one user. Nothing else will remain on the bucket once applied.
        // NOTE(review): roles/storage.admin is a broad role; confirm the
        // principal really needs full administrative control of the bucket
        // rather than a narrower predefined role.
        var policyArgs = new Gcp.Organizations.GetIAMPolicyArgs
        {
            Binding =
            {
                {
                    { "role", "roles/storage.admin" },
                    { "members",
                    {
                        "user:jane@example.com",
                    } },
                },
            },
        };
        var adminPolicy = Output.Create(Gcp.Organizations.GetIAMPolicy.InvokeAsync(policyArgs));

        // Attach the generated policy document to the bucket.
        // NOTE(review): `google_storage_bucket.Default.Name` is a Terraform-style
        // reference carried over from the original docs, not a C# identifier;
        // substitute the Name output of the bucket resource in your program.
        var bucketPolicy = new Gcp.Storage.BucketIAMPolicy("policy", new Gcp.Storage.BucketIAMPolicyArgs
        {
            Bucket = google_storage_bucket.Default.Name,
            PolicyData = adminPolicy.Apply(p => p.PolicyData),
        });
    }
}
With IAM Conditions:
using Pulumi;
using Gcp = Pulumi.Gcp;
/// <summary>
/// Example stack that sets the complete IAM policy of a bucket with a
/// time-bounded (conditional) binding. BucketIAMPolicy is authoritative:
/// bindings not present in the generated policy document are removed.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // One binding granting roles/storage.admin to a single user, limited
        // by a CEL condition on request.time so the grant expires on its own.
        // NOTE(review): the expiry used here (2020-01-01) is already in the
        // past, so as written this binding grants nothing; replace it with the
        // intended expiry when copying this example.
        // NOTE(review): conditional bindings on buckets have additional
        // prerequisites in GCP (policy version / uniform bucket-level access)
        // — confirm against the current Cloud Storage IAM documentation.
        var policyArgs = new Gcp.Organizations.GetIAMPolicyArgs
        {
            Binding =
            {
                {
                    { "role", "roles/storage.admin" },
                    { "members",
                    {
                        "user:jane@example.com",
                    } },
                    { "condition",
                    {
                        { "title", "expires_after_2019_12_31" },
                        { "description", "Expiring at midnight of 2019-12-31" },
                        { "expression", "request.time < timestamp(\"2020-01-01T00:00:00Z\")" },
                    } },
                },
            },
        };
        var adminPolicy = Output.Create(Gcp.Organizations.GetIAMPolicy.InvokeAsync(policyArgs));

        // Attach the policy document to the bucket.
        // NOTE(review): `google_storage_bucket.Default.Name` is a Terraform-style
        // reference carried over from the original docs, not a C# identifier;
        // substitute the Name output of the bucket resource in your program.
        var bucketPolicy = new Gcp.Storage.BucketIAMPolicy("policy", new Gcp.Storage.BucketIAMPolicyArgs
        {
            Bucket = google_storage_bucket.Default.Name,
            PolicyData = adminPolicy.Apply(p => p.PolicyData),
        });
    }
}
google_storage_bucket_iam_binding (gcp.storage.BucketIAMBinding — authoritative for one role; other roles are preserved)
using Pulumi;
using Gcp = Pulumi.Gcp;
/// <summary>
/// Example stack that makes one user the member set of roles/storage.admin
/// on a bucket. BucketIAMBinding is authoritative for the role it names —
/// other roles on the bucket are untouched — so do not combine it with a
/// BucketIAMMember for the same role.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // NOTE(review): roles/storage.admin is a broad role; confirm a
        // narrower role would not suffice for this principal.
        // NOTE(review): `google_storage_bucket.Default.Name` is a Terraform-style
        // reference carried over from the original docs, not a C# identifier;
        // substitute the Name output of the bucket resource in your program.
        var bindingArgs = new Gcp.Storage.BucketIAMBindingArgs
        {
            Bucket = google_storage_bucket.Default.Name,
            Role = "roles/storage.admin",
            Members =
            {
                "user:jane@example.com",
            },
        };

        var adminBinding = new Gcp.Storage.BucketIAMBinding("binding", bindingArgs);
    }
}
With IAM Conditions:
using Pulumi;
using Gcp = Pulumi.Gcp;
/// <summary>
/// Example stack that binds roles/storage.admin on a bucket to one user,
/// restricted by a time-based IAM condition. BucketIAMBinding is authoritative
/// for the role it names; other roles on the bucket are preserved.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // CEL condition limiting the grant to requests made before the expiry.
        // NOTE(review): the expiry (2020-01-01) is already in the past, so as
        // written this binding grants nothing; set the intended expiry before
        // reusing this example.
        // NOTE(review): conditional bindings on buckets have additional
        // prerequisites in GCP (policy version / uniform bucket-level access)
        // — confirm against the current Cloud Storage IAM documentation.
        var expiry = new Gcp.Storage.Inputs.BucketIAMBindingConditionArgs
        {
            Title = "expires_after_2019_12_31",
            Description = "Expiring at midnight of 2019-12-31",
            Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        };

        // NOTE(review): `google_storage_bucket.Default.Name` is a Terraform-style
        // reference carried over from the original docs, not a C# identifier;
        // substitute the Name output of the bucket resource in your program.
        var bindingArgs = new Gcp.Storage.BucketIAMBindingArgs
        {
            Bucket = google_storage_bucket.Default.Name,
            Role = "roles/storage.admin",
            Members =
            {
                "user:jane@example.com",
            },
            Condition = expiry,
        };

        var adminBinding = new Gcp.Storage.BucketIAMBinding("binding", bindingArgs);
    }
}
google_storage_bucket_iam_member (gcp.storage.BucketIAMMember — non-authoritative; adds one member, preserves everything else)
using Pulumi;
using Gcp = Pulumi.Gcp;
/// <summary>
/// Example stack that adds a single user to roles/storage.admin on a bucket.
/// BucketIAMMember is non-authoritative: existing members of the role and all
/// other roles are left in place, making this the least disruptive way to add
/// one grant to a bucket whose policy is managed elsewhere.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // NOTE(review): roles/storage.admin is a broad role; confirm a
        // narrower role would not suffice for this principal.
        // NOTE(review): `google_storage_bucket.Default.Name` is a Terraform-style
        // reference carried over from the original docs, not a C# identifier;
        // substitute the Name output of the bucket resource in your program.
        var memberArgs = new Gcp.Storage.BucketIAMMemberArgs
        {
            Bucket = google_storage_bucket.Default.Name,
            Role = "roles/storage.admin",
            Member = "user:jane@example.com",
        };

        var adminMember = new Gcp.Storage.BucketIAMMember("member", memberArgs);
    }
}
With IAM Conditions:
using Pulumi;
using Gcp = Pulumi.Gcp;
/// <summary>
/// Example stack that adds a single user to roles/storage.admin on a bucket,
/// restricted by a time-based IAM condition. BucketIAMMember is
/// non-authoritative: other members of the role and other roles are preserved.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // CEL condition limiting the grant to requests made before the expiry.
        // NOTE(review): the expiry (2020-01-01) is already in the past, so as
        // written this grant is inert; set the intended expiry before reusing
        // this example.
        // NOTE(review): conditional bindings on buckets have additional
        // prerequisites in GCP (policy version / uniform bucket-level access)
        // — confirm against the current Cloud Storage IAM documentation.
        var expiry = new Gcp.Storage.Inputs.BucketIAMMemberConditionArgs
        {
            Title = "expires_after_2019_12_31",
            Description = "Expiring at midnight of 2019-12-31",
            Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        };

        // NOTE(review): `google_storage_bucket.Default.Name` is a Terraform-style
        // reference carried over from the original docs, not a C# identifier;
        // substitute the Name output of the bucket resource in your program.
        var memberArgs = new Gcp.Storage.BucketIAMMemberArgs
        {
            Bucket = google_storage_bucket.Default.Name,
            Role = "roles/storage.admin",
            Member = "user:jane@example.com",
            Condition = expiry,
        };

        var adminMember = new Gcp.Storage.BucketIAMMember("member", memberArgs);
    }
}
Inherited Members
Namespace: Pulumi.Gcp.Storage
Assembly: Pulumi.Gcp.dll
Syntax
public class BucketIAMPolicy : CustomResource
Constructors
BucketIAMPolicy(String, BucketIAMPolicyArgs, CustomResourceOptions)
Create a BucketIAMPolicy resource with the given unique name, arguments, and options.
Declaration
public BucketIAMPolicy(string name, BucketIAMPolicyArgs args, CustomResourceOptions options = null)
Parameters
| Type | Name | Description |
|---|---|---|
| System.String | name | The unique name of the resource |
| BucketIAMPolicyArgs | args | The arguments used to populate this resource's properties |
| CustomResourceOptions | options | A bag of options that control this resource's behavior |
Properties
Bucket
The name of the bucket the IAM policy is attached to; used to locate the parent resource. The policy set through this resource applies to that bucket as a whole.
Declaration
public Output<string> Bucket { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.String> |
Etag
(Computed) The etag of the IAM policy.
Declaration
public Output<string> Etag { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.String> |
PolicyData
The complete policy document for the bucket, generated by a gcp.organizations.getIAMPolicy data source. Because this resource is authoritative, bindings that are absent from this document are removed from the bucket when the resource is applied.
Declaration
public Output<string> PolicyData { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.String> |
Methods
Get(String, Input&lt;String&gt;, BucketIAMPolicyState, CustomResourceOptions)
Get an existing BucketIAMPolicy resource's state with the given name, ID, and optional extra properties used to qualify the lookup.
Declaration
public static BucketIAMPolicy Get(string name, Input<string> id, BucketIAMPolicyState state = null, CustomResourceOptions options = null)
Parameters
| Type | Name | Description |
|---|---|---|
| System.String | name | The unique name of the resulting resource. |
| Input<System.String> | id | The unique provider ID of the resource to lookup. |
| BucketIAMPolicyState | state | Any extra arguments used during the lookup. |
| CustomResourceOptions | options | A bag of options that control this resource's behavior |
Returns
| Type | Description |
|---|---|
| BucketIAMPolicy |