IAMPolicy
IAMPolicy lets you manage the IAM policy for
a given Google Cloud resource.
IAMPolicy represents the full desired state for the associated
Google Cloud resource's IAM policy. It
replaces any existing IAM policy already attached.
If you want finer-grained control over bindings, use IAMPartialPolicy or IAMPolicyMember. If you want finer-grained control over audit configs, use IAMAuditConfig.
| Property | Value |
|---|---|
| Google Cloud Service Name | IAM |
| Google Cloud Service Documentation | /iam/docs/ |
| Google Cloud REST Resource Name | v1.iamPolicies |
| Google Cloud REST Resource Documentation | /iam/reference/rest/v1/iamPolicies |
| Config Connector Resource Short Names | gcpiampolicy gcpiampolicies iampolicy |
| Config Connector Service Name | iam.googleapis.com |
| Config Connector Resource Fully Qualified Name | iampolicies.iam.cnrm.cloud.google.com |
| Can Be Referenced by IAMPolicy/IAMPolicyMember | No |
| Config Connector Default Average Reconcile Interval In Seconds | 600 |
Supported Resources
You can use IAMPolicy to configure IAM for
the following resources.
| Kind | Supports Conditions | Supports Audit Configs |
|---|---|---|
AccessContextManagerAccessPolicy |
||
ApigeeEnvironment |
||
ArtifactRegistryRepository |
||
BigQueryTable |
Y | |
BigtableInstance |
Y | |
BigtableTable |
Y | |
BillingAccount |
Y | |
BinaryAuthorizationPolicy |
Y | |
CloudFunctionsFunction |
Y | |
ComputeBackendBucket |
||
ComputeDisk |
||
ComputeImage |
Y | |
ComputeInstance |
Y | |
ComputeSnapshot |
||
ComputeSubnetwork |
Y | |
DNSManagedZone |
||
DataprocCluster |
Y | |
Folder |
Y | Y |
IAMServiceAccount |
Y | |
IAMWorkforcePool |
Y | |
KMSCryptoKey |
Y | |
KMSKeyRing |
Y | |
NetworkSecurityAuthorizationPolicy |
Y | |
NetworkSecurityClientTLSPolicy |
Y | |
NetworkSecurityServerTLSPolicy |
Y | |
Organization |
Y | Y |
Project |
Y | Y |
PubSubSubscription |
||
PubSubTopic |
||
RunJob |
||
RunService |
||
SecretManagerSecret |
||
ServiceDirectoryNamespace |
||
ServiceDirectoryService |
||
SourceRepoRepository |
||
SpannerDatabase |
Y | |
SpannerInstance |
||
StorageBucket |
Y |
| Kind | External Reference Formats |
|---|---|
AccessContextManagerAccessPolicy |
|
ApigeeEnvironment |
|
ArtifactRegistryRepository |
|
BigQueryTable |
|
BigtableInstance |
|
BigtableTable |
|
BillingAccount |
|
BinaryAuthorizationPolicy |
|
CloudFunctionsFunction |
|
ComputeBackendBucket |
|
ComputeDisk |
|
ComputeImage |
|
ComputeInstance |
|
ComputeSnapshot |
|
ComputeSubnetwork |
|
DNSManagedZone |
|
DataprocCluster |
|
Folder |
|
IAMServiceAccount |
|
IAMWorkforcePool |
|
KMSCryptoKey |
|
KMSKeyRing |
|
NetworkSecurityAuthorizationPolicy |
|
NetworkSecurityClientTLSPolicy |
|
NetworkSecurityServerTLSPolicy |
|
Organization |
|
Project |
|
PubSubSubscription |
|
PubSubTopic |
|
RunJob |
|
RunService |
|
SecretManagerSecret |
|
ServiceDirectoryNamespace |
|
ServiceDirectoryService |
|
SourceRepoRepository |
|
SpannerDatabase |
|
SpannerInstance |
|
StorageBucket |
|
Custom Resource Definition Properties
Spec
Schema
auditConfigs:
- auditLogConfigs:
- exemptedMembers:
- string
logType: string
service: string
bindings:
- condition:
description: string
expression: string
title: string
members:
- string
role: string
resourceRef:
apiVersion: string
external: string
kind: string
name: string
namespace: string
| Fields | |
|---|---|
|
Optional |
Optional. The list of IAM audit configs. |
|
Optional |
Specifies the Cloud Audit Logs configuration for the IAM policy. |
|
Required* |
Required. The configuration for logging of each type of permission. |
|
Required* |
|
|
Optional |
Identities that do not cause logging for this type of permission. The format is the same as that for 'members' in IAMPolicy/IAMPolicyMember. |
|
Optional |
|
|
Required* |
Permission type for which logging is to be configured. Must be one of 'DATA_READ', 'DATA_WRITE', or 'ADMIN_READ'. |
|
Required* |
Required. The service for which to enable Data Access audit logs. The special value 'allServices' covers all services. Note that if there are audit configs covering both 'allServices' and a specific service, then the union of the two audit configs is used for that service: the 'logTypes' specified in each 'auditLogConfig' are enabled, and the 'exemptedMembers' in each 'auditLogConfig' are exempted. |
|
Optional |
Optional. The list of IAM bindings. |
|
Optional |
Specifies the members to bind to an IAM role. |
|
Optional |
Optional. The condition under which the binding applies. |
|
Optional |
|
|
Required* |
|
|
Required* |
|
|
Optional |
Optional. The list of IAM users to be bound to the role. |
|
Optional |
|
|
Required* |
Required. The role to bind the users to. |
|
Required* |
Immutable. Required. The GCP resource to set the IAM policy on (e.g. organization, project...) |
|
Optional |
APIVersion of the referenced resource |
|
Optional |
The external name of the referenced resource |
|
Required* |
Kind of the referenced resource |
|
Optional |
|
|
Optional |
|
* Field is required when parent field is specified
Status
Schema
conditions:
- lastTransitionTime: string
message: string
reason: string
status: string
type: string
observedGeneration: integer
| Fields | |
|---|---|
conditions |
Conditions represent the latest available observations of the IAM policy's current state. |
conditions[] |
|
conditions[].lastTransitionTime |
Last time the condition transitioned from one status to another. |
conditions[].message |
Human-readable message indicating details about last transition. |
conditions[].reason |
Unique, one-word, CamelCase reason for the condition's last transition. |
conditions[].status |
Status is the status of the condition. Can be True, False, Unknown. |
conditions[].type |
Type is the type of the condition. |
observedGeneration |
ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource. |
Sample YAML(s)
External Project Level Policy
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# **WARNING**: The policy here represents the full declarative intent for the
# referenced project. It will fully overwrite the existing policy on the
# project.
#
# If you want finer-grained control over a project's IAM bindings, use
# IAMPolicyMember. If you want finer-grained control over audit configs, use
# IAMAuditConfig.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
name: iampolicy-sample-external-project
spec:
resourceRef:
kind: Project
external: projects/iampolicy-dep-external-project
bindings:
- members:
# Replace ${GSA_EMAIL?} with the Config Connector service account's
# email address. This ensures that the Config Connector service account
# can continue to manage the referenced project.
- "serviceAccount:${GSA_EMAIL?}"
role: roles/owner
- members:
- serviceAccount:iampolicy-dep-external-project@iampolicy-dep-external-project.iam.gserviceaccount.com
role: roles/storage.admin
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
annotations:
cnrm.cloud.google.com/project-id: iampolicy-dep-external-project
name: iampolicy-dep-external-project
---
# Creates a Project resource to demonstrate how an IAMPolicy can reference a
# Project using `external`.
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
metadata:
annotations:
cnrm.cloud.google.com/auto-create-network: "false"
name: iampolicy-dep-external-project
spec:
name: Config Connector Sample
organizationRef:
# Replace "${ORG_ID?}" with the numeric ID for your organization
external: "${ORG_ID?}"
KMS Policy With Condition
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
labels:
label-one: value-one
name: iampolicy-sample-condition
spec:
resourceRef:
kind: KMSKeyRing
name: iampolicy-dep-condition
bindings:
- role: roles/cloudkms.admin
condition:
title: expires_after_2019_12_31
description: Expires at midnight of 2019-12-31
expression: request.time < timestamp("2020-01-01T00:00:00Z")
members:
# replace ${PROJECT_ID?} with your project name
- serviceAccount:iampolicy-dep-condition@${PROJECT_ID?}.iam.gserviceaccount.com
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
name: iampolicy-dep-condition
---
apiVersion: kms.cnrm.cloud.google.com/v1beta1
kind: KMSKeyRing
metadata:
name: iampolicy-dep-condition
spec:
location: us-central1
Project Level Policy
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# **WARNING**: The policy here represents the full declarative intent for the
# referenced project. It will fully overwrite the existing policy on the
# project.
#
# If you want finer-grained control over a project's IAM bindings, use
# IAMPolicyMember. If you want finer-grained control over audit configs, use
# IAMAuditConfig.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
name: iampolicy-sample-project
spec:
resourceRef:
kind: Project
name: iampolicy-dep-project
bindings:
- members:
# Replace ${GSA_EMAIL?} with the Config Connector service account's
# email address. This ensures that the Config Connector service account
# can continue to manage the referenced project.
- "serviceAccount:${GSA_EMAIL?}"
role: roles/owner
- members:
- serviceAccount:iampolicy-dep-project@iampolicy-dep-project.iam.gserviceaccount.com
role: roles/storage.admin
auditConfigs:
- service: allServices
auditLogConfigs:
- logType: DATA_WRITE
- logType: DATA_READ
exemptedMembers:
- serviceAccount:iampolicy-dep-project@iampolicy-dep-project.iam.gserviceaccount.com
- service: compute.googleapis.com
auditLogConfigs:
- logType: ADMIN_READ
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
annotations:
cnrm.cloud.google.com/project-id: iampolicy-dep-project
name: iampolicy-dep-project
---
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
metadata:
annotations:
cnrm.cloud.google.com/auto-create-network: "false"
name: iampolicy-dep-project
spec:
name: Config Connector Sample
organizationRef:
# Replace "${ORG_ID?}" with the numeric ID for your organization
external: "${ORG_ID?}"
PubSub Admin Policy
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
labels:
label-one: value-one
name: iampolicy-sample-pubsubadmin
spec:
resourceRef:
kind: PubSubTopic
name: iampolicy-dep-pubsubadmin
bindings:
- role: roles/editor
members:
# replace ${PROJECT_ID?} with your project name
- serviceAccount:iampolicy-dep-pubsubadmin@${PROJECT_ID?}.iam.gserviceaccount.com
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
name: iampolicy-dep-pubsubadmin
---
apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
kind: PubSubTopic
metadata:
name: iampolicy-dep-pubsubadmin
Workload Identity Policy
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
name: iampolicy-sample-workloadidentity
spec:
resourceRef:
kind: IAMServiceAccount
name: iampolicy-dep-workloadidentity
bindings:
- role: roles/iam.workloadIdentityUser
members:
# replace ${PROJECT_ID} with your project name
- serviceAccount:${PROJECT_ID?}.svc.id.goog[default/iampolicy-dep-workloadidentity]
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
name: iampolicy-dep-workloadidentity
spec:
displayName: Example Service Account
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: iampolicy-dep-workloadidentity
annotations:
# replace ${PROJECT_ID?} with your project name
iam.gke.io/gcp-service-account: iampolicy-dep-workloadidentity@${PROJECT_ID?}.iam.gserviceaccount.com