Jorden

Reputation: 19

How to create a service account with multiple roles? Google Cloud Deployment Manager

Below I am creating a service account and binding 1 role to it. Does anyone know how I bind more than 1 role at a time?

def GenerateConfig(context):
    project_id = context.env['project']
    service_account = context.properties['service-account']

    resources = [
        {
            'name': service_account,
            'type': 'iam.v1.serviceAccount',
            'properties': {
                'accountId': service_account,
                'displayName': service_account,
                'projectId': project_id
            }
        },
        {
            'name': 'bind-iam-policy',
            'type': 'gcp-types/cloudresourcemanager-v1:virtual.projects.iamMemberBinding',
            'properties': {
                'resource': project_id,
                'role': 'roles/bigquery.admin',
                'member': 'serviceAccount:$(ref.' + service_account + '.email)'
            },
            'metadata': {
                'dependsOn': [service_account]
            }
        }
    ]

    return {'resources': resources}

Upvotes: 0

Views: 2032

Answers (1)

Dean Christian Armada

Reputation: 7364

You will need to use setIAMPolicy. Below is an example, although it is created via Jinja templates. The examples below do not only create service accounts and assign policy; they also generate service account keys.

templates-bundle.yaml

imports:
- path: serviceaccounts-template.jinja

resources:
- name: serviceaccounts
  type: serviceaccounts-template.jinja
  properties:
    getIAMPolicy: get-iam-policy
    setIAMPolicy: set-iam-policy
    projectName: lottery-conference-staging
    serviceAccountKeys:  # Service Accounts where keys will be downloaded for access purposes
      - name: storage-buckets-backend-sa
      - name: cloud-build-deploy-sa
    iamMethod: add # replace to "remove" if in case you want to delete the added members using this deployment manager template
    identities: # Check roles at https://cloud.google.com/iam/docs/understanding-roles
      - role: roles/viewer
        member_type: group  # can be "user" or "serviceAccount"
        members: [[email protected]]
      - role: roles/storage.admin
        member_type: serviceAccount
        members: [$(ref.storage-buckets-backend-sa.email), $(ref.cloud-build-deploy-sa.email)]
      - role: roles/storage.objectAdmin
        member_type: serviceAccount
        members: [$(ref.storage-buckets-backend-sa.email), $(ref.cloud-build-deploy-sa.email)]

serviceaccounts-template.jinja

{# Do not forget to add the "Project IAM Admin" role on *@cloudservices.gserviceaccount.com if experienced 403 #}
{% set project = properties["projectName"] %}

resources:
{% for serviceAccount in properties["serviceAccountKeys"] %}
  {% set name = serviceAccount["name"] %}
  - name: {{ name }}
    type: iam.v1.serviceAccount
    properties:
      displayName: {{ name }}
      projectId: {{ project }}
      accountId: {{ name }}
  - name: {{ name }}-keys
    type: iam.v1.serviceAccounts.key
    properties:
      parent: projects/{{ project }}/serviceAccounts/$(ref.{{ name }}.email)
      name: projects/{{ project }}/serviceAccounts/{{ name }}/keys/json
      privateKeyType: TYPE_GOOGLE_CREDENTIALS_FILE
      keyAlgorithm: KEY_ALG_RSA_2048
{% endfor %}
  - name: {{ properties["getIAMPolicy"] }}
    action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.getIamPolicy
    properties:
      resource: {{ project }}
  - name: {{ properties["setIAMPolicy"] }}
    action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy
    properties:
      resource: {{ project }}
      {# reference the getIamPolicy action by the same property that names it #}
      policy: $(ref.{{ properties["getIAMPolicy"] }})
      gcpIamPolicyPatch:
        {{ properties["iamMethod"] }}:
        {% for identity in properties["identities"] %}
        - role: {{ identity["role"] }}
          members:
          {% for member in identity["members"]  %}
          - {{ identity["member_type"] }}:{{ member }}
          {% endfor %}
        {% endfor %}

Upvotes: 1
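As an added example (not code from the question or the answer), here is the asker's Python template extended to bind a list of roles, with the answer's getIamPolicy/setIamPolicy patch available as an alternative; the `roles` and `use-policy-patch` properties and the `build_resources` helper are names introduced here, not part of the original.

```python
# Added example, not the asker's or answerer's code: the question's Python template
# extended to bind a list of roles to one service account. The `roles` and
# `use-policy-patch` properties are assumed names, not part of the original.
SA_TYPE = 'iam.v1.serviceAccount'
BINDING_TYPE = 'gcp-types/cloudresourcemanager-v1:virtual.projects.iamMemberBinding'
GET_POLICY = 'gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.getIamPolicy'
SET_POLICY = 'gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy'


def build_resources(project_id, sa, roles, use_policy_patch=False):
    """Return the resource list: the service account plus its role bindings."""
    member = 'serviceAccount:$(ref.%s.email)' % sa   # same form as in the question
    resources = [{
        'name': sa,
        'type': SA_TYPE,
        'properties': {'accountId': sa, 'displayName': sa, 'projectId': project_id},
    }]
    if use_policy_patch:
        # The answer's approach: read the project policy, then write it back with one
        # patch entry per role. setIamPolicy replaces the whole project policy, so a
        # stale read between get and set would drop bindings added by other writers.
        resources.append({'name': 'get-iam-policy', 'action': GET_POLICY,
                          'properties': {'resource': project_id}})
        resources.append({
            'name': 'set-iam-policy',
            'action': SET_POLICY,
            'properties': {
                'resource': project_id,
                'policy': '$(ref.get-iam-policy)',
                'gcpIamPolicyPatch': {'add': [{'role': r, 'members': [member]} for r in roles]},
            },
            'metadata': {'dependsOn': [sa, 'get-iam-policy']},
        })
    else:
        # One virtual iamMemberBinding per role; resource names must be unique, so
        # derive each name from the role string. Each binding adds only this member.
        for role in roles:
            resources.append({
                'name': 'bind-' + role.replace('/', '-').replace('.', '-'),
                'type': BINDING_TYPE,
                'properties': {'resource': project_id, 'role': role, 'member': member},
                'metadata': {'dependsOn': [sa]},
            })
    return resources


def GenerateConfig(context):
    # Entry point Deployment Manager calls for a Python template.
    p = context.properties
    return {'resources': build_resources(context.env['project'], p['service-account'],
                                         p['roles'], p.get('use-policy-patch', False))}
```

The per-role binding form is additive and touches only the named role, which is the safer default for a shared project; the patch form is what the Jinja answer does and is the one to use when members must also be removed.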
