Reputation: 31
I have created a bucket with Google Cloud Deployment Manager (see below), but the permissions part is ignored and I could not find any example of setting IAM while using Google Cloud Deployment Manager. Can you help?
```yaml
resources:
- name: {{ env["name"] }}
  type: storage.v1.bucket
  properties:
    kind: storage#bucket
    location: eu
    storageClass: MULTI_REGIONAL
  iam-policy:
    bindings:
    - role: roles/storage.objectViewer
      members:
      - allUsers
```
Upvotes: 3
Views: 1269
Reputation: 261
You can now decorate deployment manager objects with IAM bindings. Something like this should work:
```yaml
- name: <BUCKETNAME>
  type: storage.v1.bucket
  properties:
    storageClass: REGIONAL
    location: us-west1
  accessControl:
    gcpIamPolicy:
      bindings:
      - role: roles/storage.objectViewer
        members:
        - "serviceAccount:<YOURSERVICEACCOUNT>"
      - role: roles/storage.legacyBucketOwner
        members:
        - "projectEditor:<YOURPROJECT>"
        - "projectOwner:<YOURPROJECT>"
      - role: roles/storage.legacyBucketReader
        members:
        - "projectViewer:<YOURPROJECT>"
```
See https://cloud.google.com/deployment-manager/docs/configuration/set-access-control-resources for more information. Please note that IAM bindings are related to, but different from, a bucket ACL and/or object ACLs. See https://cloud.google.com/storage/docs/access-control/ for more information on access control for GCS.
Also note that you will want to include the FULL set of IAM bindings in the aforementioned example.
Upvotes: 4
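The same bucket resource, built by a Deployment Manager Python template instead of a hand-written YAML block, as an added example that is not from the answer above or from Google's documentation. It addresses the caveat in that answer: `gcpIamPolicy` replaces the bucket's whole IAM policy, so the template restates the project-level legacy bindings (otherwise project owners, editors and viewers lose bucket access), merges any caller-supplied bindings so each role appears exactly once, and refuses to emit `allUsers` or `allAuthenticatedUsers` unless the deployment explicitly sets `publicRead: true`. `GenerateConfig(context)`, `context.env` and `context.properties` are the real Deployment Manager template interface; the property names (`extraBindings`, `publicRead`, `location`, `storageClass`), the `_Context` stand-in used to run the file offline, and the sample project and service-account names are this example's own assumptions.

```python
"""Deployment Manager Python template: GCS bucket with a complete IAM policy.

Added example (not from the original Q&A). The template contract
(GenerateConfig(context) returning {'resources': [...]}, context.env,
context.properties) is Deployment Manager's; the property names and the
offline _Context stand-in are assumptions made for this example.
"""
import json

# Principals that make a bucket readable by everyone (allUsers) or by every
# Google account (allAuthenticatedUsers).
PUBLIC_PRINCIPALS = frozenset(["allUsers", "allAuthenticatedUsers"])


def project_default_bindings(project):
    """Bindings a new bucket carries by default via the legacy roles.

    accessControl.gcpIamPolicy replaces the entire bucket policy, so these
    must be restated explicitly or project owners/editors/viewers are
    locked out of the bucket the moment the deployment applies.
    """
    return [
        {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectEditor:" + project, "projectOwner:" + project]},
        {"role": "roles/storage.legacyBucketReader",
         "members": ["projectViewer:" + project]},
    ]


def merge_bindings(*binding_lists):
    """Merge binding lists so each role appears once with de-duplicated members."""
    by_role = {}
    for bindings in binding_lists:
        for binding in bindings:
            by_role.setdefault(binding["role"], set()).update(binding.get("members", []))
    return [{"role": role, "members": sorted(members)}
            for role, members in sorted(by_role.items())]


def public_members(bindings):
    """Return the (role, member) pairs that grant access to a public principal."""
    return set((b["role"], m) for b in bindings
               for m in b.get("members", []) if m in PUBLIC_PRINCIPALS)


def GenerateConfig(context):
    """Entry point called by Deployment Manager for a Python template."""
    props = context.properties
    project = context.env["project"]
    extra = props.get("extraBindings", [])  # assumed property: caller-supplied bindings

    # Guard: a public principal in the requested bindings is a deployment
    # error unless the deployment opts in with publicRead: true.
    leaked = public_members(extra)
    if leaked and not props.get("publicRead", False):
        raise ValueError("public principal(s) %r in extraBindings without publicRead: true"
                         % sorted(leaked))

    bucket = {
        "name": context.env["name"],
        "type": "storage.v1.bucket",
        "properties": {
            "location": props.get("location", "eu"),
            "storageClass": props.get("storageClass", "MULTI_REGIONAL"),
        },
        # Full policy: defaults for the project plus whatever the caller asked for.
        "accessControl": {
            "gcpIamPolicy": {
                "bindings": merge_bindings(project_default_bindings(project), extra),
            }
        },
    }
    return {"resources": [bucket]}


class _Context(object):
    """Minimal stand-in for the object Deployment Manager passes to GenerateConfig.

    Assumption for running this file offline; a real deployment never uses it.
    """
    def __init__(self, name, project, properties):
        self.env = {"name": name, "project": project, "deployment": "demo"}
        self.properties = properties


if __name__ == "__main__":
    # Constructed sample input: one CI service account gets read access.
    ctx = _Context("my-bucket", "my-project", {
        "extraBindings": [{
            "role": "roles/storage.objectViewer",
            "members": ["serviceAccount:ci@my-project.iam.gserviceaccount.com"],
        }],
    })
    print(json.dumps(GenerateConfig(ctx), indent=2))
```

In a deployment you reference the file as the resource type (`type: bucket.py`) and pass `extraBindings` and, if you really want a public bucket, `publicRead: true` under `properties`; running the file directly prints the generated resource as JSON so you can review the final binding list before `gcloud deployment-manager deployments create` applies it.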
Reputation: 191
There are two levels of access you can set: bucket level and object level. Try something like this:
```yaml
resources:
- name: {{ env["name"] }}
  type: storage.v1.bucket
  properties:
    kind: storage#bucket
    location: eu
    storageClass: MULTI_REGIONAL
    acl:
    - role: READER
      entity: allUsers  # maybe allAuthenticatedUsers?
    defaultObjectAcl:
    - entity: allUsers  # maybe allAuthenticatedUsers?
      role: READER
```
Upvotes: 0