Reputation: 83
I am trying to use the CFT template for adding users and service accounts to the project, but I am running into a problem even with the sample provided here in the Cloud Foundation library. Here is the YAML I am trying to execute:
imports:
  - path: ../IAMaddmembers/iam_member.py
    name: iam_member.py
resources:
  - name: iam-member-test
    type: iam_member.py
    properties:
      projectId: devopstest10
      type: string
      roles:
        - role: roles/viewer
          members:
            - user: [email protected]
This works fine with --preview mode, but when I try to execute it I always get the following:
Waiting for create [operation-1562955409608-58d7fe9fd4e4d-acb76aee-3d39880a]...failed.
ERROR: (gcloud.deployment-manager.deployments.create) Error in Operation [operation-1562955409608-58d7fe9fd4e4d-acb76aee-3d39880a]: errors:
- code: CONDITION_NOT_MET
location: /deployments/iamtest16/resources/get-iam-policy-iam-member-test-0-0->$.properties->$.policy
message: |-
InputMapping for field [policy] for method [setIamPolicy] could not be set from input, mapping was: [$.gcpIamMemberBinding($.intent, $.inputs.policy.response, $.resource.properties)], and evaluation context was:
{
"deployment" : {
"id" : 9129742963189313662,
"name" : "iamtest16"
},
"extensions" : {
"EnableAdditionalJsonPathFunctions" : true,
"EnableGoogleTypeProviderFunctionsExperiment" : true
},
"inputs" : {
"policy" : {
"response" : {
"bindings" : [ {
"members" : [ "serviceAccount:service-973040049758@gcp-sa-binaryauthorization.iam.gserviceaccount.com" ],
"role" : "roles/binaryauthorization.serviceAgent"
}, {
"members" : [ "serviceAccount:[email protected]" ],
"role" : "roles/compute.serviceAgent"
}, {
"members" : [ "serviceAccount:[email protected]" ],
"role" : "roles/container.admin"
}, {
"members" : [ "serviceAccount:service-973040049758@container-engine-robot.iam.gserviceaccount.com" ],
"role" : "roles/container.serviceAgent"
}, {
"members" : [ "serviceAccount:[email protected]" ],
"role" : "roles/containeranalysis.ServiceAgent"
}, {
"members" : [ "serviceAccount:service-973040049758@gcp-sa-containerscanning.iam.gserviceaccount.com" ],
"role" : "roles/containerscanning.ServiceAgent"
}, {
"members" : [ "serviceAccount:[email protected]", "serviceAccount:[email protected]", "serviceAccount:[email protected]" ],
"role" : "roles/editor"
}, {
"members" : [ "serviceAccount:[email protected]", "serviceAccount:[email protected]" ],
"role" : "roles/logging.logWriter"
}, {
"members" : [ "serviceAccount:[email protected]" ],
"role" : "roles/owner"
}, {
"members" : [ "serviceAccount:[email protected]" ],
"role" : "roles/redis.serviceAgent"
}, {
"members" : [ "serviceAccount:[email protected]" ],
"role" : "roles/servicenetworking.serviceAgent"
}, {
"members" : [ "serviceAccount:[email protected]" ],
"role" : "roles/storage.admin"
}, {
"members" : [ "group:[email protected]", "serviceAccount:[email protected]", "serviceAccount:[email protected]" ],
"role" : "roles/viewer"
}, {
"members" : [ "serviceAccount:service-973040049758@gcp-sa-websecurityscanner.iam.gserviceaccount.com" ],
"role" : "roles/websecurityscanner.serviceAgent"
} ],
"etag" : "BwWNfjdKbuI=",
"version" : 1
}
}
},
"intent" : "CREATE",
"matches" : [ ],
"project" : "dm-creator-poc",
"requestId" : "bfc4cd4c-564b-3bb5-877d-cedee78686ea",
"resource" : {
"name" : "get-iam-policy-iam-member-test-0-0",
"previous" : { },
"properties" : {
"member" : {
"user" : "[email protected]"
},
"resource" : "devopstest10",
"role" : "roles/viewer"
},
"self" : { }
}
}
Error was:
Could not deserialize parameter for gcpIamMemberBinding at position 2, details: Cannot deserialize instance of `java.lang.String` out of START_OBJECT token
at [Source: UNKNOWN; line: -1, column: -1] (through reference chain: com.google.cloud.config.jsonpath.GcpIamMemberBindingFunction$MemberBinding["member"])
I am not sure what is going on at the moment. Any help would be appreciated.
Upvotes: 0
Views: 477
Reputation: 83
Turns out this line should not have spaces:
- user: [email protected]
It should look like:
- user:[email protected]
Upvotes: 1
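A pre-deployment check for the mistake identified in the answer above, as an added example that is not part of the original posts or of the CFT template. With a space after the colon, YAML parses `- user: x` as a mapping, which is the `START_OBJECT` the error reports. The function name `check_members`, the example.com addresses and the sample dictionaries are assumptions constructed for illustration; the property layout follows the question's YAML.

```python
import re

# IAM member strings have the shape "<type>:<identifier>"; the special
# identifiers allUsers / allAuthenticatedUsers carry no prefix.
MEMBER_RE = re.compile(r"^(user|serviceAccount|group|domain):\S+$")
SPECIAL = {"allUsers", "allAuthenticatedUsers"}


def check_members(properties):
    """Return (role, member, problem) tuples for malformed members.

    `properties` is the already-parsed `properties` mapping of the
    resource, laid out as in the question: roles -> [{role, members}].
    """
    findings = []
    for entry in properties.get("roles") or []:
        role = entry.get("role", "<missing role>")
        for member in entry.get("members") or []:
            if isinstance(member, dict):
                # "- user: x" (space after the colon) is a YAML mapping,
                # not the single string the IAM binding expects.
                fixed = ", ".join(f"{k}:{v}" for k, v in member.items())
                findings.append(
                    (role, member, f"mapping, not a string; write {fixed}"))
            elif not isinstance(member, str):
                findings.append((role, member, "member must be a string"))
            elif member not in SPECIAL and not MEMBER_RE.match(member):
                findings.append((role, member, "expected <type>:<identifier>"))
    return findings


# Constructed sample input: what a YAML parser hands the template for the
# two spellings discussed above (addresses are placeholders).
BROKEN = {"projectId": "devopstest10",
          "roles": [{"role": "roles/viewer",
                     "members": [{"user": "alice@example.com"}]}]}
FIXED = {"projectId": "devopstest10",
         "roles": [{"role": "roles/viewer",
                    "members": ["user:alice@example.com"]}]}

if __name__ == "__main__":
    for label, props in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_members(props))
```

Running this check against the parsed config before `deployments create` catches the problem that `--preview` let through in the question.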