IAMCustomRole

Property Value
Google Cloud Service Name Cloud IAM
Google Cloud Service Documentation /iam/docs/
Google Cloud REST Resource Name v1.projects.roles
Google Cloud REST Resource Documentation /iam/reference/rest/v1/projects.roles
Config Connector Resource Short Names gcpiamcustomrole
gcpiamcustomroles
iamcustomrole
Config Connector Service Name iam.googleapis.com
Config Connector Resource Fully Qualified Name iamcustomroles.iam.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember No

Custom Resource Definition Properties

Annotations

Fields
cnrm.cloud.google.com/organization-id
cnrm.cloud.google.com/project-id

Spec

Schema

  description: string
  permissions:
  - string
  resourceID: string
  stage: string
  title: string
Fields

description

Optional

string

A human-readable description for the role.

permissions

Required

list (string)

The names of the permissions this role grants when bound in an IAM policy. At least one permission must be specified.

permissions.[]

Required

string

resourceID

Optional

string

Immutable. Optional. The roleId of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default.

stage

Optional

string

The current launch stage of the role. Defaults to GA.

title

Required

string

A human-readable title for the role.

Status

Schema

  conditions:
  - lastTransitionTime: string
    message: string
    reason: string
    status: string
    type: string
  deleted: boolean
  name: string
Fields
conditions

list (object)

Conditions represents the latest available observation of the resource's current state.

conditions.[]

object

conditions.[].lastTransitionTime

string

Last time the condition transitioned from one status to another.

conditions.[].message

string

Human-readable message indicating details about last transition.

conditions.[].reason

string

Unique, one-word, CamelCase reason for the condition's last transition.

conditions.[].status

string

Status is the status of the condition. Can be True, False, Unknown.

conditions.[].type

string

Type is the type of the condition.

deleted

boolean

The current deleted state of the role.

name

string

The full name of the role.

Sample YAML(s)

Organization Role

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMCustomRole
  metadata:
    annotations:
      # Replace "${ORG_ID?}" with your organization ID
      cnrm.cloud.google.com/organization-id: "${ORG_ID?}"
    name: iamcustomrolesampleorganization
  spec:
    title: Example Organization-Level Custom Role
    description: This role only contains two permissions - publish and update
    permissions:
      - pubsub.topics.publish
      - pubsub.topics.update
    stage: GA

Project Role

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMCustomRole
  metadata:
    annotations:
      # Replace ${PROJECT_ID?} with your project ID
      cnrm.cloud.google.com/project-id: "${PROJECT_ID?}"
    name: iamcustomrolesampleproject
  spec:
    title: Example Project-Level Custom Role
    description: This role only contains two permissions - publish and update
    permissions:
      - pubsub.topics.publish
      - pubsub.topics.update
    stage: GA
  ---
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMPolicyMember
  metadata:
    name: iampolicymember-sample-projectrole
  spec:
    # Replace ${PROJECT_ID?} with your project ID
    member: serviceAccount:iamcustomrole-dep-project@${PROJECT_ID?}.iam.gserviceaccount.com
    # Replace ${PROJECT_ID?} with your project ID
    role: projects/${PROJECT_ID?}/roles/iamcustomrolesampleproject
    resourceRef:
      apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
      kind: PubSubTopic
      name: iamcustomrole-dep-project
  ---
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMServiceAccount
  metadata:
    name: iamcustomrole-dep-project
  ---
  apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
  kind: PubSubTopic
  metadata:
    name: iamcustomrole-dep-project