IAMCustomRole

Property	Value
Google Cloud Service Name	Cloud IAM
Google Cloud Service Documentation	/iam/docs/
Google Cloud REST Resource Name	v1.projects.roles
Google Cloud REST Resource Documentation	/iam/reference/rest/v1/projects.roles
Config Connector Resource Short Names	gcpiamcustomrole gcpiamcustomroles iamcustomrole
Config Connector Service Name	iam.googleapis.com
Config Connector Resource Fully Qualified Name	iamcustomroles.iam.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember	No

Custom Resource Definition Properties

Annotations

Fields
`cnrm.cloud.google.com/organization-id`
`cnrm.cloud.google.com/project-id`

Spec

Schema

  description: string
  permissions:
  - string
  resourceID: string
  stage: string
  title: string

Fields

Fields
`description` Optional	`string` A human-readable description for the role.
`permissions` Required	`list (string)` The names of the permissions this role grants when bound in an IAM policy. At least one permission must be specified.
`permissions.[]` Required	`string`
`resourceID` Optional	`string` Immutable. Optional. The roleId of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default.
`stage` Optional	`string` The current launch stage of the role. Defaults to GA.
`title` Required	`string` A human-readable title for the role.

description

Optional

string

A human-readable description for the role.

permissions

Required

list (string)

The names of the permissions this role grants when bound in an IAM policy. At least one permission must be specified.

permissions.[]

Required

string

resourceID

Optional

string

Immutable. Optional. The roleId of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default.

stage

Optional

string

The current launch stage of the role. Defaults to GA.

title

Required

string

A human-readable title for the role.

Status

Schema

  conditions:
  - lastTransitionTime: string
    message: string
    reason: string
    status: string
    type: string
  deleted: boolean
  name: string

Fields
`conditions`	`list (object)` Conditions represents the latest available observation of the resource's current state.
`conditions.[]`	`object`
`conditions.[].lastTransitionTime`	`string` Last time the condition transitioned from one status to another.
`conditions.[].message`	`string` Human-readable message indicating details about last transition.
`conditions.[].reason`	`string` Unique, one-word, CamelCase reason for the condition's last transition.
`conditions.[].status`	`string` Status is the status of the condition. Can be True, False, Unknown.
`conditions.[].type`	`string` Type is the type of the condition.
`deleted`	`boolean` The current deleted state of the role.
`name`	`string` The full name of the role.

Sample YAML(s)

Organization Role

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMCustomRole
  metadata:
    annotations:
      # Replace "${ORG_ID?}" with your organization ID
      cnrm.cloud.google.com/organization-id: "${ORG_ID?}"
    name: iamcustomrolesampleorganization
  spec:
    title: Example Organization-Level Custom Role
    description: This role only contains two permissions - publish and update
    permissions:
      - pubsub.topics.publish
      - pubsub.topics.update
    stage: GA

Project Role

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMCustomRole
  metadata:
    annotations:
      # Replace ${PROJECT_ID?} with your project ID
      cnrm.cloud.google.com/project-id: "${PROJECT_ID?}"
    name: iamcustomrolesampleproject
  spec:
    title: Example Project-Level Custom Role
    description: This role only contains two permissions - publish and update
    permissions:
      - pubsub.topics.publish
      - pubsub.topics.update
    stage: GA
  ---
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMPolicyMember
  metadata:
    name: iampolicymember-sample-projectrole
  spec:
    # Replace ${PROJECT_ID?} with your project ID
    member: serviceAccount:iamcustomrole-dep-project@${PROJECT_ID?}.iam.gserviceaccount.com
    # Replace ${PROJECT_ID?} with your project ID
    role: projects/${PROJECT_ID?}/roles/iamcustomrolesampleproject
    resourceRef:
      apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
      kind: PubSubTopic
      name: iamcustomrole-dep-project
  ---
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMServiceAccount
  metadata:
    name: iamcustomrole-dep-project
  ---
  apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
  kind: PubSubTopic
  metadata:
    name: iamcustomrole-dep-project