whale9490

Reputation: 67

How to add IAM policy binding to a service account using Google Cloud Deployment Manager?

I want to write a GCP Deployment Manager resource template that can create an IAM policy binding to a service account as a resource. In particular, I want to configure allowing a member to impersonate a single service account with Deployment Manager.

I know this can be done with GCP console, gcloud SDK or Pulumi.

Maybe I'm missing something, but how can I achieve this with Deployment Manager?

Upvotes: 0

Views: 1774

Answers (1)

Jose Luis Delgadillo

Reputation: 2448

You can use the Deployment Manager to create an IAM policy binding to a Service Account at the Service Account creation.

I tested it in my own project using the following jinja file.

  1. I created a deploy.jinja:

      resources:
      - name: test-name-deploy
        type: iam.v1.serviceAccount
        properties:
          accountId: testing
          displayName: testing-sa
        accessControl:
          gcpIamPolicy:
            bindings:
            - role: roles/editor
              members:
              - "user:[email protected]"

  2. I created a deployment:

      gcloud deployment-manager deployments create mytestdm --template=deploy.jinja

And I received the following result:

NAME              TYPE                   STATE      ERRORS  INTENT
test-name-deploy  iam.v1.serviceAccount  COMPLETED  []

Take into consideration that you need the API iam.googleapis.com enabled.

You can check the following documentation for further information.

Upvotes: 5
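
The question asks for impersonation of a single service account, while the answer's template binds roles/editor. As an added example (not code from the answer or from Google), here is the same resource written as a Deployment Manager Python template that only accepts an impersonation role and named principals. The property names `accountId`, `displayName`, `role` and `members`, and the role allowlist, are assumptions of this example.

```python
"""Deployment Manager Python template (added example, not from the answer)."""

# Roles that grant impersonation of one service account; anything broader
# (roles/editor, roles/owner) is rejected. The allowlist is this example's choice.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator",  # mint short-lived credentials
    "roles/iam.serviceAccountUser",          # attach / act as the account
}
MEMBER_PREFIXES = ("user:", "group:", "serviceAccount:")


def validate_binding(role, members):
    """Raise ValueError unless the binding is narrow enough to deploy."""
    if role not in IMPERSONATION_ROLES:
        raise ValueError("role %r is not an impersonation role" % role)
    if not members:
        raise ValueError("at least one member is required")
    for member in members:
        if not member.startswith(MEMBER_PREFIXES):
            # Also rejects allUsers / allAuthenticatedUsers.
            raise ValueError("member %r must be a named principal" % member)


def GenerateConfig(context):
    """Entry point Deployment Manager calls for a Python template."""
    props = context.properties
    role = props.get("role", "roles/iam.serviceAccountTokenCreator")
    members = list(props.get("members", []))
    validate_binding(role, members)
    return {
        "resources": [{
            "name": context.env["name"],
            "type": "iam.v1.serviceAccount",
            "properties": {
                "accountId": props["accountId"],
                "displayName": props.get("displayName", props["accountId"]),
            },
            # Same accessControl block as the answer's jinja file: the policy
            # is set on this service account resource.
            "accessControl": {
                "gcpIamPolicy": {
                    "bindings": [{"role": role, "members": sorted(members)}],
                },
            },
        }],
    }
```

A failed validation aborts template expansion, so a config that asks for roles/editor or allUsers never reaches the IAM API.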
