google deployment manager assigning IAM policies at project

Question

I am using to update a project with IAM policies. in GCP deployment manager\'s templates, they are using python Jinja file, but I would like to add IAM policy (assign a user

Answer 1

Here's a jinja snippet that creates a new service account and adds it as an owner to an existing project. This requires assigning deployment manager the proper access to manage IAM for the project.

{% set deployment = env['deployment'] %}
{% set project = env['project'] %}

resources:
- name: {{ deployment }}-svc-account
  type: iam.v1.serviceAccount
  properties:
    accountId: {{ deployment }}-svc-account
    displayName: {{ deployment }}-svc-account

- name: get-iam-policy
  action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.getIamPolicy
  properties:
    resource: {{ project }}
  metadata:
    runtimePolicy:
    - 'UPDATE_ALWAYS'

- name: patch-iam-policy
  action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy
  properties:
    resource: {{ project }}
    policy: $(ref.get-iam-policy)
    gcpIamPolicyPatch:
      add:
      - role: roles/owner
        members:
        - serviceAccount:$(ref.{{ deployment }}-svc-account.email)