IAMPolicy


IAMPolicy lets you manage the IAM policy for a given Google Cloud resource.

IAMPolicy represents the full desired state for the associated Google Cloud resource's IAM policy. It replaces any existing IAM policy already attached.

If you want finer-grained control over bindings, use IAMPartialPolicy or IAMPolicyMember. If you want finer-grained control over audit configs, use IAMAuditConfig.

Property Value
Google Cloud Service Name IAM
Google Cloud Service Documentation /iam/docs/
Google Cloud REST Resource Name v1.iamPolicies
Google Cloud REST Resource Documentation /iam/reference/rest/v1/iamPolicies
Config Connector Resource Short Names gcpiampolicy
gcpiampolicies
iampolicy
Config Connector Service Name iam.googleapis.com
Config Connector Resource Fully Qualified Name iampolicies.iam.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember No
Config Connector Default Average Reconcile Interval In Seconds 600

Supported Resources

You can use IAMPolicy to configure IAM for the following resources.

Kind Supports Conditions Supports Audit Configs
AccessContextManagerAccessPolicy
ApigeeEnvironment Y
ArtifactRegistryRepository
BigQueryTable Y
BigtableInstance Y
BigtableTable Y
BillingAccount Y
BinaryAuthorizationPolicy Y
CloudFunctionsFunction Y
ComputeBackendBucket
ComputeDisk
ComputeImage Y
ComputeInstance Y
ComputeSnapshot
ComputeSubnetwork Y
DNSManagedZone
DataprocCluster Y
Folder Y Y
IAMServiceAccount Y
IAMWorkforcePool Y
KMSCryptoKey Y
KMSKeyRing Y
NetworkSecurityAuthorizationPolicy Y
NetworkSecurityClientTLSPolicy Y
NetworkSecurityServerTLSPolicy Y
Organization Y Y
Project Y Y
PubSubSubscription
PubSubTopic
RunJob
RunService
SecretManagerSecret
ServiceDirectoryNamespace
ServiceDirectoryService
SourceRepoRepository
SpannerDatabase Y
SpannerInstance
StorageBucket Y
Kind External Reference Formats
AccessContextManagerAccessPolicy

{{name}}

ApigeeEnvironment

organizations/{{apigee_organization}}/environments/{{name}}

ArtifactRegistryRepository

projects/{{project}}/locations/{{location}}/repositories/{{repository_id}}

BigQueryTable

projects/{{project}}/datasets/{{dataset_id}}/tables/{{table_id}}

BigtableInstance

projects/{{project}}/instances/{{name}}

BigtableTable

projects/{{project}}/instances/{{instance_name}}/tables/{{name}}

BillingAccount

{{billing_account_id}}

BinaryAuthorizationPolicy

projects/{{project}}/policy

CloudFunctionsFunction

projects/{{project}}/locations/{{region}}/functions/{{name}}

ComputeBackendBucket

projects/{{project}}/global/backendBuckets/{{name}}

ComputeDisk

projects/{{project}}/regions/{{region}}/disks/{{name}}

projects/{{project}}/zones/{{zone}}/disks/{{name}}

ComputeImage

projects/{{project}}/global/images/{{name}}

ComputeInstance

projects/{{project}}/zones/{{zone}}/instances/{{name}}

ComputeSnapshot

projects/{{project}}/global/snapshots/{{name}}

ComputeSubnetwork

projects/{{project}}/regions/{{region}}/subnetworks/{{name}}

DNSManagedZone

projects/{{project}}/managedZones/{{name}}

DataprocCluster

projects/{{project}}/regions/{{location}}/clusters/{{name}}

Folder

folders/{{folder_id}}

IAMServiceAccount

projects/{{project}}/serviceAccounts/{{account_id}}@{{project}}.iam.gserviceaccount.com

IAMWorkforcePool

locations/{{location}}/workforcePools/{{name}}

KMSCryptoKey

projects/{{project}}/locations/{{location}}/keyRings/{{key_ring_id}}/cryptoKeys/{{name}}

KMSKeyRing

projects/{{project}}/locations/{{location}}/keyRings/{{name}}

NetworkSecurityAuthorizationPolicy

projects/{{project}}/locations/{{location}}/authorizationPolicies/{{name}}

NetworkSecurityClientTLSPolicy

projects/{{project}}/locations/{{location}}/clientTlsPolicies/{{name}}

NetworkSecurityServerTLSPolicy

projects/{{project}}/locations/{{location}}/serverTlsPolicies/{{name}}

Organization

{{org_id}}

Project

projects/{{project_id}}

PubSubSubscription

projects/{{project}}/subscriptions/{{name}}

PubSubTopic

projects/{{project}}/topics/{{name}}

RunJob

projects/{{project}}/locations/{{location}}/jobs/{{name}}

RunService

projects/{{project}}/locations/{{location}}/services/{{name}}

SecretManagerSecret

projects/{{project}}/secrets/{{secret_id}}

ServiceDirectoryNamespace

projects/{{project}}/locations/{{location}}/namespaces/{{namespace_id}}

ServiceDirectoryService

{{namespace}}/services/{{service_id}}

SourceRepoRepository

projects/{{project}}/repos/{{name}}

SpannerDatabase

projects/{{project}}/instances/{{instance}}/databases/{{name}}

SpannerInstance

projects/{{project}}/instances/{{name}}

StorageBucket

{{name}}

Custom Resource Definition Properties

Spec

Schema

auditConfigs:
- auditLogConfigs:
  - exemptedMembers:
    - string
    logType: string
  service: string
bindings:
- condition:
    description: string
    expression: string
    title: string
  members:
  - string
  role: string
resourceRef:
  apiVersion: string
  external: string
  kind: string
  name: string
  namespace: string
Fields

auditConfigs

Optional

list (object)

Optional. The list of IAM audit configs.

auditConfigs[]

Optional

object

Specifies the Cloud Audit Logs configuration for the IAM policy.

auditConfigs[].auditLogConfigs

Required*

list (object)

Required. The configuration for logging of each type of permission.

auditConfigs[].auditLogConfigs[]

Required*

object

auditConfigs[].auditLogConfigs[].exemptedMembers

Optional

list (string)

Identities that do not cause logging for this type of permission. The format is the same as that for 'members' in IAMPolicy/IAMPolicyMember.

auditConfigs[].auditLogConfigs[].exemptedMembers[]

Optional

string

auditConfigs[].auditLogConfigs[].logType

Required*

string

Permission type for which logging is to be configured. Must be one of 'DATA_READ', 'DATA_WRITE', or 'ADMIN_READ'.

auditConfigs[].service

Required*

string

Required. The service for which to enable Data Access audit logs. The special value 'allServices' covers all services. Note that if there are audit configs covering both 'allServices' and a specific service, then the union of the two audit configs is used for that service: the 'logTypes' specified in each 'auditLogConfig' are enabled, and the 'exemptedMembers' in each 'auditLogConfg' are exempted.

bindings

Optional

list (object)

Optional. The list of IAM bindings.

bindings[]

Optional

object

Specifies the members to bind to an IAM role.

bindings[].condition

Optional

object

Optional. The condition under which the binding applies.

bindings[].condition.description

Optional

string

bindings[].condition.expression

Required*

string

bindings[].condition.title

Required*

string

bindings[].members

Optional

list (string)

Optional. The list of IAM users to be bound to the role.

bindings[].members[]

Optional

string

bindings[].role

Required*

string

Required. The role to bind the users to.

resourceRef

Required*

object

Immutable. Required. The GCP resource to set the IAM policy on.

resourceRef.apiVersion

Optional

string

resourceRef.external

Optional

string

resourceRef.kind

Required*

string

resourceRef.name

Optional

string

resourceRef.namespace

Optional

string

* Field is required when parent field is specified

Status

Schema

conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
observedGeneration: integer
Fields
conditions

list (object)

Conditions represent the latest available observations of the IAM policy's current state.

conditions[]

object

conditions[].lastTransitionTime

string

Last time the condition transitioned from one status to another.

conditions[].message

string

Human-readable message indicating details about last transition.

conditions[].reason

string

Unique, one-word, CamelCase reason for the condition's last transition.

conditions[].status

string

Status is the status of the condition. Can be True, False, Unknown.

conditions[].type

string

Type is the type of the condition.

observedGeneration

integer

ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.

Sample YAML(s)

External Project Level Policy

# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# **WARNING**: The policy here represents the full declarative intent for the
# referenced project. It will fully overwrite the existing policy on the
# project.
#
# If you want finer-grained control over a project's IAM bindings, use
# IAMPolicyMember. If you want finer-grained control over audit configs, use
# IAMAuditConfig.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: iampolicy-sample-external-project
spec:
  resourceRef:
    kind: Project
    external: projects/iampolicy-dep-external-project
  bindings:
    - members:
        # Replace ${GSA_EMAIL?} with the Config Connector service account's
        # email address. This ensures that the Config Connector service account
        # can continue to manage the referenced project.
        - "serviceAccount:${GSA_EMAIL?}"
      role: roles/owner
    - members:
        - serviceAccount:iampolicy-dep-external-project@iampolicy-dep-external-project.iam.gserviceaccount.com
      role: roles/storage.admin
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  annotations:
    cnrm.cloud.google.com/project-id: iampolicy-dep-external-project
  name: iampolicy-dep-external-project
---
# Creates a Project resource to demonstrate how an IAMPolicy can reference a
# Project using `external`.
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
metadata:
  annotations:
    cnrm.cloud.google.com/auto-create-network: "false"
  name: iampolicy-dep-external-project
spec:
  name: Config Connector Sample
  organizationRef:
    # Replace "${ORG_ID?}" with the numeric ID for your organization
    external: "${ORG_ID?}"

KMS Policy With Condition

# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  labels:
    label-one: value-one
  name: iampolicy-sample-condition
spec:
  resourceRef:
    kind: KMSKeyRing
    name: iampolicy-dep-condition
  bindings:
    - role: roles/cloudkms.admin
      condition:
        title: expires_after_2019_12_31
        description: Expires at midnight of 2019-12-31
        expression: request.time < timestamp("2020-01-01T00:00:00Z")
      members:
        # replace ${PROJECT_ID?} with your project name
        - serviceAccount:iampolicy-dep-condition@${PROJECT_ID?}.iam.gserviceaccount.com
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: iampolicy-dep-condition
---
apiVersion: kms.cnrm.cloud.google.com/v1beta1
kind: KMSKeyRing
metadata:
  name: iampolicy-dep-condition
spec:
  location: us-central1

Project Level Policy

# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# **WARNING**: The policy here represents the full declarative intent for the
# referenced project. It will fully overwrite the existing policy on the
# project.
#
# If you want finer-grained control over a project's IAM bindings, use
# IAMPolicyMember. If you want finer-grained control over audit configs, use
# IAMAuditConfig.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: iampolicy-sample-project
spec:
  resourceRef:
    kind: Project
    name: iampolicy-dep-project
  bindings:
    - members:
        # Replace ${GSA_EMAIL?} with the Config Connector service account's
        # email address. This ensures that the Config Connector service account
        # can continue to manage the referenced project.
        - "serviceAccount:${GSA_EMAIL?}"
      role: roles/owner
    - members:
        - serviceAccount:iampolicy-dep-project@iampolicy-dep-project.iam.gserviceaccount.com
      role: roles/storage.admin
  auditConfigs:
    - service: allServices
      auditLogConfigs:
        - logType: DATA_WRITE
        - logType: DATA_READ
          exemptedMembers:
            - serviceAccount:iampolicy-dep-project@iampolicy-dep-project.iam.gserviceaccount.com
    - service: compute.googleapis.com
      auditLogConfigs:
        - logType: ADMIN_READ
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  annotations:
    cnrm.cloud.google.com/project-id: iampolicy-dep-project
  name: iampolicy-dep-project
---
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
metadata:
  annotations:
    cnrm.cloud.google.com/auto-create-network: "false"
  name: iampolicy-dep-project
spec:
  name: Config Connector Sample
  organizationRef:
    # Replace "${ORG_ID?}" with the numeric ID for your organization
    external: "${ORG_ID?}"

PubSub Admin Policy

# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  labels:
    label-one: value-one
  name: iampolicy-sample-pubsubadmin
spec:
  resourceRef:
    kind: PubSubTopic
    name: iampolicy-dep-pubsubadmin
  bindings:
    - role: roles/editor
      members:
        # replace ${PROJECT_ID?} with your project name
        - serviceAccount:iampolicy-dep-pubsubadmin@${PROJECT_ID?}.iam.gserviceaccount.com
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: iampolicy-dep-pubsubadmin
---
apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
kind: PubSubTopic
metadata:
  name: iampolicy-dep-pubsubadmin

Workload Identity Policy

# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: iampolicy-sample-workloadidentity
spec:
  resourceRef:
    kind: IAMServiceAccount
    name: iampolicy-dep-workloadidentity
  bindings:
    - role: roles/iam.workloadIdentityUser
      members:
        # replace ${PROJECT_ID} with your project name
        - serviceAccount:${PROJECT_ID?}.svc.id.goog[default/iampolicy-dep-workloadidentity]
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: iampolicy-dep-workloadidentity
spec:
  displayName: Example Service Account
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: iampolicy-dep-workloadidentity
  annotations:
    # replace ${PROJECT_ID?} with your project name
    iam.gke.io/gcp-service-account: iampolicy-dep-workloadidentity@${PROJECT_ID?}.iam.gserviceaccount.com