Grant access to project resources

An Application Operator can add other Application Operators to the project through the GDC console and grant them access to project resources.

Before you begin

Permissions are required to set up or remove role bindings. Ask your Project IAM Admin or Organization IAM Admin to grant you the Project IAM Admin role.

Set up role bindings

Work through the following steps to set up role bindings:

Console

  1. Sign in to the GDC console. For example, the following image shows signing in to the GDC console for an organization named org-1:
  2. Click Select project in the menu bar. Select the existing project you want to set up the role binding in, then click Open. The selected project appears after your org name in the menu bar. The following example shows the selected iam-test project:
  3. In the navigation menu, click Identity & Access and Access.
  4. Click Add member.
  5. In the Identity provider dropdown menu, select an identity provider.
  6. For Member type, choose whether you want to add individual users (User) or groups (Group). The following example shows User selected:
  7. In the Username or group alias field, enter the username, email address, or alias.
  8. In the Roles drop-down list, select the role that you want to assign to the user or group, such as Project Viewer. You can bind the selected user or group with multiple roles at a time by clicking Add Another Role.
  9. Click Add.

CLI

  1. Export the user credential that you use:

    export YOUR_IAM_ADMIN_KUBECONFIG=YOUR_IAM_ADMIN_KUBECONFIG
    
  2. Export the email address of the user to whom you want to assign the role, such as idpprefix-paul@example.com:

    export USER_EMAIL=USER_EMAIL
    
  3. Export the name of the role that the user needs, such as project-creator. Refer to the Role descriptions page to find the appropriate role.

    export ROLE_NAME=ROLE_NAME
    
  4. Export the name of your project namespace:

    export PROJECT_NAMESPACE=PROJECT_NAMESPACE
    
  5. Create a ProjectRoleBinding custom resource by applying the following manifest:

    # Kubernetes object names may only contain lowercase alphanumerics, '-' and '.',
    # so the '@' and domain are stripped from the email when naming the binding.
    kubectl --kubeconfig ${YOUR_IAM_ADMIN_KUBECONFIG} apply -f - <<EOF
    apiVersion: resourcemanager.gdc.goog/v1
    kind: ProjectRoleBinding
    metadata:
      name: ${USER_EMAIL%@*}-${ROLE_NAME}-binding
      namespace: ${PROJECT_NAMESPACE}
    spec:
      roleRef:
        apiGroup: resourcemanager.gdc.goog
        kind: ProjectRole
        name: ${ROLE_NAME}
      subjects:
      - apiGroup: rbac.authorization.k8s.io
        kind: User
        name: ${USER_EMAIL}
    EOF
    

    Some ProjectRoles require a RoleBinding instead of a ProjectRoleBinding; refer to the Role descriptions to determine which binding type the role needs. In that case, create a RoleBinding in your project namespace:

    kubectl create --kubeconfig ${YOUR_IAM_ADMIN_KUBECONFIG} \
    rolebinding ${USER_EMAIL%@*}-${ROLE_NAME}-binding \
    --role=${ROLE_NAME} --user=${USER_EMAIL} --namespace=${PROJECT_NAMESPACE}
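    The manifest above is built from a raw email address, and a Kubernetes object name cannot contain '@' or uppercase letters. The following helper, an added example rather than part of the GDC documentation, derives a valid binding name from the email and role, checks that the subject looks like an email address, and renders the same ProjectRoleBinding manifest shown above so it can be piped into kubectl apply. The role and project values are assumed placeholders.

```sh
#!/bin/sh
# Added example (not from the GDC docs): build a ProjectRoleBinding manifest
# from a user email and a ProjectRole name with a valid object name.
# Kubernetes object names must be RFC 1123 subdomain names: lowercase
# alphanumerics, '-' and '.', at most 253 characters. A raw email contains
# '@' (and possibly uppercase), so it cannot be used as the name directly.

# binding_name EMAIL ROLE -> prints "<local-part>-<role>-binding", sanitized.
binding_name() {
  local_part=${1%@*}                          # drop '@domain'
  printf '%s-%s-binding' "$local_part" "$2" |
    tr '[:upper:]' '[:lower:]' |              # names must be lowercase
    sed -e 's/[^a-z0-9.-]/-/g' \
        -e 's/^[-.]*//' -e 's/[-.]*$//' |     # must start/end alphanumeric
    cut -c1-253
}

# render_binding EMAIL ROLE NAMESPACE -> prints the manifest on stdout,
# or fails (exit 1) when the subject is not an email address.
render_binding() {
  email=$1; role=$2; ns=$3
  case $email in
    *@*.*) ;;
    *) echo "render_binding: '$email' is not an email address" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: resourcemanager.gdc.goog/v1
kind: ProjectRoleBinding
metadata:
  name: $(binding_name "$email" "$role")
  namespace: $ns
spec:
  roleRef:
    apiGroup: resourcemanager.gdc.goog
    kind: ProjectRole
    name: $role
  subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: $email
EOF
}

# Usage with constructed values (role and project are placeholders):
#   render_binding idpprefix-paul@example.com project-viewer iam-test \
#     | kubectl --kubeconfig "$YOUR_IAM_ADMIN_KUBECONFIG" apply -f -
```

    Rendering to stdout first lets you review the exact subject and role before anything is applied, and the same output can be kept as an audit record of who was granted what.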
    

Remove role bindings

When access is no longer required, remove a member and their associated roles, permissions, and access.

To remove members, work through the following steps:

Console

  1. Sign in to the GDC console.
  2. Click Select project in the menu bar. Select the existing project you want to remove the member from, then click Open. The selected project appears after your org name in the menu bar.
  3. In the navigation menu, click Identity & Access and Access.
  4. In the authorized members list, select a member. You can remove multiple members at a time by selecting multiple members in the list.
  5. Click Remove All Access to remove all the role bindings associated with a member from your current project.
  6. When prompted, click Remove Member to confirm.

CLI

Delete the ProjectRoleBinding to revoke the role granted to the user. The variables are the same ones exported when the binding was created:

kubectl --kubeconfig ${YOUR_IAM_ADMIN_KUBECONFIG} delete projectrolebinding \
${USER_EMAIL%@*}-${ROLE_NAME}-binding -n ${PROJECT_NAMESPACE}