Question
I am trying to update a project with IAM policies. In GCP Deployment Manager's templates, they are using a Python/Jinja file, but I would like to add an IAM policy (assign a user/service account some role). Can someone modify the Jinja/config file and pinpoint how I can modify it?
https://github.com/GoogleCloudPlatform/deploymentmanager-samples/blob/master/examples/v2/project_creation/config.yaml
https://github.com/GoogleCloudPlatform/deploymentmanager-samples/blob/master/examples/v2/project_creation/project.py
Answer 1:
Here's a Jinja snippet that creates a new service account and adds it as an owner to an existing project. This requires granting Deployment Manager the proper access to manage IAM for the project.
{% set deployment = env['deployment'] %}
{% set project = env['project'] %}
resources:
- name: {{ deployment }}-svc-account
  type: iam.v1.serviceAccount
  properties:
    accountId: {{ deployment }}-svc-account
    displayName: {{ deployment }}-svc-account
- name: get-iam-policy
  action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.getIamPolicy
  properties:
    resource: {{ project }}
  metadata:
    runtimePolicy:
    - 'UPDATE_ALWAYS'
- name: patch-iam-policy
  action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy
  properties:
    resource: {{ project }}
    policy: $(ref.get-iam-policy)
    gcpIamPolicyPatch:
      add:
      - role: roles/owner
        members:
        - serviceAccount:$(ref.{{ deployment }}-svc-account.email)
Answer 2:
Please follow Adam Ocsvari's example to assign IAM policy. The old method was to get all the IAM binding policies, add a few role -> members bindings, then set all the bindings. He's providing a new method using 'type': 'gcp-types/cloudresourcemanager-v1:virtual.projects.iamMemberBinding'. I used one of the links he provided to find the Python template that assigned IAM policy bindings. The code there has a nested loop. I only needed to create a single service account and assign 1 binding:
service-accounts.py
def GenerateConfig(context):
    project_id = context.env['project']
    service_account = context.properties['service-account']
    resources = [
        {
            'name': service_account,
            'type': 'iam.v1.serviceAccount',
            'properties': {
                'accountId': service_account,
                'displayName': service_account,
                'projectId': project_id
            }
        },
        {
            'name': 'bind-iam-policy',
            'type': 'gcp-types/cloudresourcemanager-v1:virtual.projects.iamMemberBinding',
            'properties': {
                'resource': project_id,
                'role': 'roles/dataflow.admin',
                'member': 'serviceAccount:$(ref.' + service_account + '.email)'
            },
            'metadata': {
                'dependsOn': [service_account]
            }
        }
    ]
    return {'resources': resources}
service-accounts.yaml
imports:
- path: service-accounts.py
resources:
- name: service-accounts
  type: service-accounts.py
  properties:
    project: [*YOUR_PROJECT_ID*]
    service-account: k8s-service-account
This example creates a k8s-service-account and assigns the Dataflow admin role to it. Make sure you grant Deployment Manager permission to set IAM policies before you start.
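A generalization of the template above to several role bindings per service account, as an added example that is not the original answer's code nor part of the Deployment Manager samples: the `bindings` and `allow-basic-roles` properties, the refusal of basic roles (a least-privilege guard), and the `_Context` stub used to run it stand-alone are all assumptions.

```python
# Added example (not from the original answer or the DM samples): one
# iamMemberBinding resource per role, each depending on the service account.
# 'bindings', 'allow-basic-roles' and the _Context stub are assumptions.
BINDING_TYPE = 'gcp-types/cloudresourcemanager-v1:virtual.projects.iamMemberBinding'
# Basic roles grant broad, project-wide access; refuse them unless opted in.
BASIC_ROLES = {'roles/owner', 'roles/editor', 'roles/viewer'}


def GenerateConfig(context):
    project_id = context.env['project']
    service_account = context.properties['service-account']
    roles = context.properties.get('bindings', [])
    if not context.properties.get('allow-basic-roles', False):
        refused = sorted(BASIC_ROLES.intersection(roles))
        if refused:
            raise ValueError('basic roles refused: %s' % ', '.join(refused))

    resources = [{
        'name': service_account,
        'type': 'iam.v1.serviceAccount',
        'properties': {'accountId': service_account,
                       'displayName': service_account,
                       'projectId': project_id},
    }]
    for i, role in enumerate(roles):
        resources.append({
            # Resource names must be unique within a deployment.
            'name': 'bind-%s-%d' % (service_account, i),
            'type': BINDING_TYPE,
            'properties': {
                'resource': project_id,
                'role': role,
                'member': 'serviceAccount:$(ref.' + service_account + '.email)',
            },
            'metadata': {'dependsOn': [service_account]},
        })
    return {'resources': resources}


class _Context(object):
    # Minimal stand-in for the context object Deployment Manager passes in.
    def __init__(self, env, properties):
        self.env, self.properties = env, properties


if __name__ == '__main__':
    ctx = _Context({'project': 'example-project'}, {'service-account': 'k8s-sa',
                   'bindings': ['roles/dataflow.admin', 'roles/bigquery.dataEditor']})
    print(GenerateConfig(ctx))
```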
Answer 3:
Please avoid using these solutions:
gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.getIamPolicy
gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy
They can cause concurrent IAM policy update errors. The Deployment Manager team is providing a new type binding these 2 actions together:
'type': 'gcp-types/cloudresourcemanager-v1:virtual.projects.iamMemberBinding',
Check out the following implementations as part of the Cloud Foundation Toolkit provided by Google Cloud:
Cloud Foundation Toolkit NEW repo - IAM binding
Cloud Foundation Toolkit OLD repo - IAM binding
Cloud Foundation Toolkit NEW repo - Project Creation Factory
Answer 4:
You need to make changes to the below part of the config.yaml file and add the users or service accounts according to your need under the members line.
iam-policy:
  bindings:
  - role: roles/owner
    members:
    - serviceAccount:98765432111@cloudservices.gserviceaccount.com
    - serviceAccount:98765432100@cloudservices.gserviceaccount.com
  - role: roles/viewer
    members:
    - user:iamtester@deployment-manager.net
For example: you can add - user:foo@bar.com under the members list in the proper section to make it an owner or viewer of the project.
Answer 5:
My code to add permissions to a service account:
{% set deployment = env['deployment'] %}
{% set project = env['project'] %}
resources:
- name: get-iam-policy
  action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.getIamPolicy
  properties:
    resource: {{ project }}
  metadata:
    runtimePolicy:
    - 'UPDATE_ALWAYS'
- name: patch-iam-policy
  action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy
  properties:
    resource: {{ project }}
    policy: $(ref.get-iam-policy)
    gcpIamPolicyPatch:
      add:
      - role: roles/bigquery.dataEditor
        members:
        - serviceAccount:<service account>
Source: https://stackoverflow.com/questions/48710548/google-deployment-manager-assigning-iam-policies-at-project