IAMPolicy

Property                                          Value
Google Cloud Service Name                         Cloud IAM
Google Cloud Service Documentation                /iam/docs/
Google Cloud REST Resource Name                   v1.iamPolicies
Google Cloud REST Resource Documentation          /iam/reference/rest/v1/iamPolicies
Config Connector Resource Short Names             iampolicy
Config Connector Service Name                     iam.googleapis.com
Config Connector Resource Fully Qualified Name    iampolicies.iam.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember    No

When you create an IAMPolicy object, Config Connector sets the IAM policy of the referenced GCP resource to exactly the bindings listed in spec.bindings. The IAMPolicy is authoritative: any existing policy on the resource is overwritten, so a binding that is present on the resource today but missing from the manifest is revoked on apply, including the bindings that let Config Connector itself and your own account administer the resource. If you are not sure what the current policy on a resource contains, check it first (for example with gcloud projects get-iam-policy PROJECT_ID) or use IAMPolicyMember instead: it manages a single role/member binding and leaves the rest of the policy untouched, which limits the blast radius of a mistake.

The spec.resourceRef field is immutable. To point the policy at a different resource, delete the IAMPolicy object and create a new one, keeping in mind that deleting the object can also delete the policy on the GCP resource unless the deletion-policy annotation shown in the samples below is set to abandon.
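
The overwrite semantics are the main operational hazard of IAMPolicy, so a pre-apply check is worth having. The following is an added example, not part of Config Connector or of this page's samples: a small Python script that diffs the bindings of an IAMPolicy manifest (embedded as the dict any YAML loader would return) against the resource's current policy (a constructed JSON document in the shape printed by gcloud projects get-iam-policy PROJECT_ID --format=json), lists the grants that would be revoked and added, and warns when the Config Connector service account would lose a role it holds today or when a binding goes to allUsers or allAuthenticatedUsers. It also applies the schema rules from the Fields section below (role is required per binding; title and expression are required whenever a condition is present). The project ID, the member emails, the cnrm-system service account name and both sample policies are assumptions.

```python
"""Preview the effect of applying an authoritative IAMPolicy.

Added example, not code from Config Connector. spec.bindings replaces the
target resource's entire IAM policy, so every binding on the resource that is
absent from the manifest is revoked. Project ID, members and the controller
service account name below are placeholders.
"""
import json

# Constructed: spec of an IAMPolicy after YAML loading.
IAMPOLICY_SPEC = {
    "resourceRef": {"kind": "Project", "external": "projects/example-project"},
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com"]},
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:cnrm-system@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/cloudkms.admin",
         "condition": {"title": "expires_after_2024_12_31",
                       "expression": 'request.time < timestamp("2025-01-01T00:00:00Z")'},
         "members": ["serviceAccount:kms-ops@example-project.iam.gserviceaccount.com"]},
    ],
}

# Constructed: what gcloud would print for the project's current policy.
CURRENT_POLICY_JSON = """{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com",
                 "serviceAccount:cnrm-system@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["allUsers"]}
  ],
  "etag": "BwXyZ123",
  "version": 1
}"""

# Assumed name of the controller's service account (follows the page's sample).
CONTROLLER_SA = "serviceAccount:cnrm-system@example-project.iam.gserviceaccount.com"
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def load_policy(text):
    """Parse a policy document as printed by gcloud (JSON)."""
    return json.loads(text)


def condition_key(binding):
    """A role with a condition is a different binding from the same role
    without one, so the condition is part of the binding's identity."""
    cond = binding.get("condition")
    return f'{cond["title"]}: {cond["expression"]}' if cond else ""


def grants(bindings):
    """Flatten bindings into (role, condition, member) triples."""
    return {(b["role"], condition_key(b), m)
            for b in bindings for m in b.get("members", [])}


def validate_spec(spec):
    """Apply the CRD's requiredness rules. Returns a list of problems."""
    problems = []
    if not spec.get("resourceRef", {}).get("kind"):
        problems.append("spec.resourceRef.kind is required")
    for i, b in enumerate(spec.get("bindings", [])):
        if not b.get("role"):
            problems.append(f"bindings[{i}].role is required")
        cond = b.get("condition")
        if cond is not None:
            for field in ("title", "expression"):
                if not cond.get(field):
                    problems.append(f"bindings[{i}].condition.{field} is required when a condition is set")
    return problems


def plan(spec, current_policy):
    """Diff desired (manifest) grants against existing (resource) grants."""
    desired = grants(spec.get("bindings", []))
    existing = grants(current_policy.get("bindings", []))
    revoked = sorted(existing - desired)
    added = sorted(desired - existing)
    warnings = []
    lost = [g for g in revoked if g[2] == CONTROLLER_SA]
    if lost:
        roles = ", ".join(g[0] for g in lost)
        warnings.append(f"{CONTROLLER_SA} would lose {roles}; Config Connector may be locked out")
    for role, _, member in sorted(desired):
        if member in PUBLIC_MEMBERS:
            warnings.append(f"{role} would be granted to {member} (public)")
    return {"revoked": revoked, "added": added, "warnings": warnings}


def plan_sample():
    """Validate and plan the embedded sample manifest against the sample policy."""
    problems = validate_spec(IAMPOLICY_SPEC)
    if problems:
        raise ValueError("; ".join(problems))
    return plan(IAMPOLICY_SPEC, load_policy(CURRENT_POLICY_JSON))


if __name__ == "__main__":
    result = plan_sample()
    for key in ("revoked", "added", "warnings"):
        print(f"{key}:")
        for item in result[key]:
            print(f"  {item}")
```

To use it against real data, replace the two embedded documents with your manifest and the gcloud output. A non-empty revoked list is exactly what the IAMPolicy will do on apply; if that list is not what you intend, switch to IAMPolicyMember for the bindings you actually want to manage.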

Custom Resource Definition Properties

Spec

Schema

bindings:
- condition:
    description: string
    expression: string
    title: string
  members:
  - string
  role: string
resourceRef:
  apiVersion: string
  external: string
  kind: string
  name: string
  namespace: string
Fields

bindings

Optional

list (object)

bindings.[]

Optional

object

bindings.[].condition

Optional

object

Optional. The condition under which the binding applies.

bindings.[].condition.description

Optional

string

bindings.[].condition.expression

Required*

string

bindings.[].condition.title

Required*

string

bindings.[].members

Optional

list (string)

bindings.[].members.[]

Optional

string

bindings.[].role

Required*

string

Required. The role to bind the users to.

resourceRef

Required*

object

Required. The GCP resource to set the IAM policy on.

resourceRef.apiVersion

Optional

string

resourceRef.external

Optional

string

resourceRef.kind

Required*

string

resourceRef.name

Optional

string

resourceRef.namespace

Optional

string

* Field is required when parent field is specified

Status

Schema

conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
Fields

conditions

list (object)

conditions.[]

object

conditions.[].lastTransitionTime

string

Last time the condition transitioned from one status to another.

conditions.[].message

string

Human-readable message indicating details about last transition.

conditions.[].reason

string

Unique, one-word, CamelCase reason for the condition's last transition.

conditions.[].status

string

Status is the status of the condition. Can be True, False, Unknown.

conditions.[].type

string

Type is the type of the condition.

Sample YAML(s)

External Project Level Policy

# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  annotations:
    # By default, the underlying GCP resource is deleted upon deletion of the
    # K8s resource representing it (i.e. the entire IAM policy object of the
    # GCP project will be wiped out if you delete this IAMPolicy resource). Set
    # the 'deletion-policy' to 'abandon' to prevent the underlying GCP resource
    # from being deleted upon deletion of this K8s resource.
    cnrm.cloud.google.com/deletion-policy: "abandon"
  labels:
    label-one: value-one
  name: iampolicy-sample-projectlevel
spec:
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: projects/${PROJECT_ID?}
  # **WARNING**: The bindings here represent the full declarative intent for the project.
  # It will fully overwrite the existing policy on the given project.
  #
  # For finer-grained control over the project's IAM policy, it is recommended
  # that the IAMPolicyMember resource be used instead.
  #
  # This sample assumes the following additional APIs are enabled:
  #   - compute.googleapis.com
  #   - container.googleapis.com
  #   - containerregistry.googleapis.com
  #   - redis.googleapis.com
  #
  # Replace ${PROJECT_ID?} with your project ID, ${PROJECT_NUMBER?} with that project's
  # project number, and ${PROJECT_NAME?} with the email address of your own Google Cloud
  # user account (it is bound as an owner below so that you are not locked out).
  bindings:
    - members:
        - serviceAccount:service-${PROJECT_NUMBER?}@compute-system.iam.gserviceaccount.com
      role: roles/compute.serviceAgent
    - members:
        - serviceAccount:service-${PROJECT_NUMBER?}@container-engine-robot.iam.gserviceaccount.com
      role: roles/container.serviceAgent
    - members:
        - serviceAccount:${PROJECT_NUMBER?}-compute@developer.gserviceaccount.com
        - serviceAccount:${PROJECT_NUMBER?}@cloudservices.gserviceaccount.com
        - serviceAccount:cnrm-application-demo@${PROJECT_ID?}.iam.gserviceaccount.com
        - serviceAccount:service-${PROJECT_NUMBER?}@containerregistry.iam.gserviceaccount.com
      role: roles/editor
    - members:
        # Make sure to keep the "cnrm-system" service account permission, or else Config Connector will
        # be locked out from managing GCP resources.
        - serviceAccount:cnrm-system@${PROJECT_ID?}.iam.gserviceaccount.com
        # Ensure that your account is not locked out of the project.
        - user:${PROJECT_NAME?}
      role: roles/owner
    - members:
        - serviceAccount:service-${PROJECT_NUMBER?}@cloud-redis.iam.gserviceaccount.com
      role: roles/redis.serviceAgent
    - members:
        - serviceAccount:cnrm-system@${PROJECT_ID?}.iam.gserviceaccount.com
      role: roles/storage.admin

KMS Policy With Condition

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  labels:
    label-one: value-one
  name: iampolicy-sample-condition
spec:
  resourceRef:
    apiVersion: kms.cnrm.cloud.google.com/v1beta1
    kind: KMSKeyRing
    name: iampolicy-dep-condition
  bindings:
    - role: roles/cloudkms.admin
      condition:
        title: expires_after_2019_12_31
        description: Expires at midnight of 2019-12-31
        expression: request.time < timestamp("2020-01-01T00:00:00Z")
      members:
        # replace ${PROJECT_ID?} with your project ID
        - serviceAccount:iampolicy-dep-condition@${PROJECT_ID?}.iam.gserviceaccount.com
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: iampolicy-dep-condition
---
apiVersion: kms.cnrm.cloud.google.com/v1beta1
kind: KMSKeyRing
metadata:
  name: iampolicy-dep-condition
spec:
  location: us-central1

Pubsub Admin Policy

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  labels:
    label-one: value-one
  name: iampolicy-sample-pubsubadmin
spec:
  resourceRef:
    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    kind: PubSubTopic
    name: iampolicy-dep-pubsubadmin
  bindings:
    - role: roles/editor
      members:
        # replace ${PROJECT_ID?} with your project ID
        - serviceAccount:iampolicy-dep-pubsubadmin@${PROJECT_ID?}.iam.gserviceaccount.com
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: iampolicy-dep-pubsubadmin
---
apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
kind: PubSubTopic
metadata:
  name: iampolicy-dep-pubsubadmin

Workload Identity Policy

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: iampolicy-sample-workloadidentity
spec:
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: iampolicy-dep-workloadidentity
  bindings:
    - role: roles/iam.workloadIdentityUser
      members:
        # replace ${PROJECT_ID?} with your project ID; the principal is
        # serviceAccount:PROJECT_ID.svc.id.goog[KSA_NAMESPACE/KSA_NAME]
        - serviceAccount:${PROJECT_ID?}.svc.id.goog[default/iampolicy-dep-workloadidentity]
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: iampolicy-dep-workloadidentity
spec:
  displayName: Example Service Account
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: iampolicy-dep-workloadidentity
  annotations:
    # replace ${PROJECT_ID?} with your project ID; this must be the email of the
    # IAMServiceAccount that carries the workloadIdentityUser binding above
    iam.gke.io/gcp-service-account: iampolicy-dep-workloadidentity@${PROJECT_ID?}.iam.gserviceaccount.com
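
Workload Identity only works when three values agree: the IAMPolicy must bind roles/iam.workloadIdentityUser on the Google service account to the principal serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME] of the Kubernetes ServiceAccount, and that ServiceAccount's iam.gke.io/gcp-service-account annotation must name the same Google service account. A mismatch in any of the three (the KSA deployed to a namespace other than default, a typo in the annotation, a binding that names the wrong project) is not rejected at apply time and only shows up when the pod's token exchange fails. The following added example (not part of Config Connector or of the page's sample) cross-checks the three manifests above, embedded as the dicts a YAML loader would return, with a constructed project ID. The rule that the Google service account's email is derived from the IAMServiceAccount's metadata.name unless spec.resourceID is set is an assumption.

```python
"""Cross-check a Workload Identity IAMPolicy, IAMServiceAccount and Kubernetes
ServiceAccount for agreement. Added example, not code from Config Connector.
"""
import re

PROJECT_ID = "example-project"  # assumed

# The page's three sample manifests, as a YAML loader would return them.
IAM_POLICY = {
    "kind": "IAMPolicy",
    "metadata": {"name": "iampolicy-sample-workloadidentity"},
    "spec": {
        "resourceRef": {"apiVersion": "iam.cnrm.cloud.google.com/v1beta1",
                        "kind": "IAMServiceAccount",
                        "name": "iampolicy-dep-workloadidentity"},
        "bindings": [{
            "role": "roles/iam.workloadIdentityUser",
            "members": [f"serviceAccount:{PROJECT_ID}.svc.id.goog"
                        "[default/iampolicy-dep-workloadidentity]"]}],
    },
}
IAM_SERVICE_ACCOUNT = {"kind": "IAMServiceAccount",
                       "metadata": {"name": "iampolicy-dep-workloadidentity"},
                       "spec": {"displayName": "Example Service Account"}}
KSA = {"kind": "ServiceAccount",
       "metadata": {"name": "iampolicy-dep-workloadidentity",
                    "annotations": {"iam.gke.io/gcp-service-account":
                                    f"iampolicy-dep-workloadidentity@{PROJECT_ID}"
                                    ".iam.gserviceaccount.com"}}}

WI_MEMBER = re.compile(r"^serviceAccount:(.+?)\.svc\.id\.goog\[([^/\]]+)/([^\]]+)\]$")


def gsa_email(iam_sa, project_id):
    """Email of the Google service account. Assumption: the account ID is
    metadata.name unless spec.resourceID overrides it."""
    account_id = iam_sa.get("spec", {}).get("resourceID") or iam_sa["metadata"]["name"]
    return f"{account_id}@{project_id}.iam.gserviceaccount.com"


def parse_wi_member(member):
    """Split a Workload Identity principal into project, namespace and KSA name."""
    m = WI_MEMBER.match(member)
    if not m:
        return None
    return {"project": m.group(1), "namespace": m.group(2), "ksa": m.group(3)}


def check(iam_policy, iam_sa, ksa, project_id):
    """Return a list of mismatches; empty means the three manifests agree."""
    errors = []
    spec = iam_policy["spec"]
    ref = spec["resourceRef"]
    if ref.get("kind") != "IAMServiceAccount" or ref.get("name") != iam_sa["metadata"]["name"]:
        errors.append("IAMPolicy.spec.resourceRef does not point at the IAMServiceAccount")
    # A KSA with no namespace in its manifest lands in "default" on kubectl apply.
    ksa_ns = ksa["metadata"].get("namespace", "default")
    ksa_name = ksa["metadata"]["name"]
    bound = False
    for b in spec["bindings"]:
        if b["role"] != "roles/iam.workloadIdentityUser":
            continue
        for member in b.get("members", []):
            p = parse_wi_member(member)
            if p is None:
                errors.append(f"member {member!r} is not a Workload Identity principal")
                continue
            if p["project"] != project_id:
                errors.append(f"member {member!r} names project {p['project']}, expected {project_id}")
            if (p["namespace"], p["ksa"]) == (ksa_ns, ksa_name):
                bound = True
    if not bound:
        errors.append(f"no roles/iam.workloadIdentityUser binding for {ksa_ns}/{ksa_name}")
    annotation = ksa["metadata"].get("annotations", {}).get("iam.gke.io/gcp-service-account")
    expected = gsa_email(iam_sa, project_id)
    if annotation != expected:
        errors.append(f"KSA annotation {annotation!r} does not match {expected!r}")
    return errors


if __name__ == "__main__":
    for e in check(IAM_POLICY, IAM_SERVICE_ACCOUNT, KSA, PROJECT_ID) or ["ok"]:
        print(e)
```

The namespace default is the important edge case: the page's KSA manifest has no metadata.namespace, so it binds correctly only when applied to the default namespace; applying it to any other namespace leaves the binding pointing at a KSA that does not exist, which this check reports.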