IAMPolicyMember

Property Value
Google Cloud Service Name IAM
Google Cloud Service Documentation /iam/docs/
Google Cloud REST Resource Name v1.iamPolicies
Google Cloud REST Resource Documentation /iam/reference/rest/v1/iamPolicies
Config Connector Resource Short Names gcpiampolicymember
gcpiampolicymembers
iampolicymember
Config Connector Service Name iam.googleapis.com
Config Connector Resource Fully Qualified Name iampolicymembers.iam.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember No

Supported Resources

You can use IAMPolicyMember to configure IAM for the following resources.

Kind Supports Conditions
ArtifactRegistryRepository
BigQueryTable
BigtableInstance
BigtableTable
BillingAccount Y
ComputeDisk
ComputeImage Y
ComputeInstance Y
ComputeSubnetwork Y
Folder Y
IAMServiceAccount Y
KMSCryptoKey Y
KMSKeyRing Y
Organization Y
Project Y
PubSubSubscription
PubSubTopic
SecretManagerSecret
SourceRepoRepository
SpannerDatabase
SpannerInstance
StorageBucket Y
Kind External Reference Formats
ArtifactRegistryRepository

projects/{{project}}/locations/{{location}}/repositories/{{repository_id}}

BigQueryTable

projects/{{project}}/datasets/{{dataset_id}}/tables/{{table_id}}

BigtableInstance

projects/{{project}}/instances/{{name}}

BigtableTable

projects/{{project}}/instances/{{instance_name}}/tables/{{name}}

BillingAccount

{{billing_account_id}}

ComputeDisk

projects/{{project}}/regions/{{region}}/disks/{{name}}

projects/{{project}}/zones/{{zone}}/disks/{{name}}

ComputeImage

projects/{{project}}/global/images/{{name}}

ComputeInstance

projects/{{project}}/zones/{{zone}}/instances/{{name}}

ComputeSubnetwork

projects/{{project}}/regions/{{region}}/subnetworks/{{name}}

Folder

folders/{{folder_id}}

IAMServiceAccount

projects/{{project}}/serviceAccounts/{{account_id}}@{{project}}.iam.gserviceaccount.com

KMSCryptoKey

{{key_ring}}/cryptoKeys/{{name}}

KMSKeyRing

projects/{{project}}/locations/{{location}}/keyRings/{{name}}

Organization

{{org_id}}

Project

projects/{{project_id}}

PubSubSubscription

projects/{{project}}/subscriptions/{{name}}

PubSubTopic

projects/{{project}}/topics/{{name}}

SecretManagerSecret

projects/{{project}}/secrets/{{secret_id}}

SourceRepoRepository

projects/{{project}}/repos/{{name}}

SpannerDatabase

projects/{{project}}/instances/{{instance}}/databases/{{name}}

SpannerInstance

projects/{{project}}/instances/{{name}}

StorageBucket

{{name}}

Custom Resource Definition Properties

Spec

Schema

  condition:
    description: string
    expression: string
    title: string
  member: string
  memberFrom:
    logSinkRef:
      name: string
      namespace: string
    serviceAccountRef:
      name: string
      namespace: string
  resourceRef:
    apiVersion: string
    external: string
    kind: string
    name: string
    namespace: string
  role: string
Fields

condition

Optional

object

Immutable. Optional. The condition under which the binding applies.

condition.description

Optional

string

condition.expression

Required*

string

condition.title

Required*

string

member

Optional

string

Immutable. The IAM identity to be bound to the role. Exactly one of 'member' or 'memberFrom' must be used.

memberFrom

Optional

object

Immutable. The IAM identity to be bound to the role. Exactly one of 'member' or 'memberFrom' must be used, and only one subfield within 'memberFrom' can be used.

memberFrom.logSinkRef

Optional

object

Immutable. The LoggingLogSink whose writer identity (i.e. its 'status.writerIdentity') is to be bound to the role.

memberFrom.logSinkRef.name

Required*

string

memberFrom.logSinkRef.namespace

Optional

string

memberFrom.serviceAccountRef

Optional

object

Immutable. The IAMServiceAccount to be bound to the role.

memberFrom.serviceAccountRef.name

Required*

string

memberFrom.serviceAccountRef.namespace

Optional

string

resourceRef

Required*

object

Immutable. Required. The GCP resource to set the IAM policy on.

resourceRef.apiVersion

Optional

string

resourceRef.external

Optional

string

resourceRef.kind

Required*

string

resourceRef.name

Optional

string

resourceRef.namespace

Optional

string

role

Required*

string

Immutable. Required. The role for which the Member will be bound.

* Field is required when parent field is specified

Status

Schema

  conditions:
  - lastTransitionTime: string
    message: string
    reason: string
    status: string
    type: string
  observedGeneration: integer
Fields
conditions

list (object)

Conditions represent the latest available observations of the IAM policy's current state.

conditions.[]

object

conditions.[].lastTransitionTime

string

Last time the condition transitioned from one status to another.

conditions.[].message

string

Human-readable message indicating details about last transition.

conditions.[].reason

string

Unique, one-word, CamelCase reason for the condition's last transition.

conditions.[].status

string

Status is the status of the condition. Can be True, False, Unknown.

conditions.[].type

string

Type is the type of the condition.

observedGeneration

integer

ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.

Sample YAML(s)

External Organization Level Policy Member

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
  # Replace ${PROJECT_ID?} and ${ORG_ID?} below with your desired project and
  # organization IDs respectively.
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMPolicyMember
  metadata:
    name: iampolicymember-sample-orglevel
  spec:
    member: serviceAccount:iampolicymember-dep-orglevel@${PROJECT_ID?}.iam.gserviceaccount.com
    role: roles/storage.admin
    resourceRef:
      apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
      kind: Organization
      external: "${ORG_ID?}"
  ---
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMServiceAccount
  metadata:
    name: iampolicymember-dep-orglevel

External Project Level Policy Member

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
  # Replace ${PROJECT_ID?} below with your desired project ID.
  #
  # This sample assumes that you have created a service account named cnrm-system@${PROJECT_ID?}.iam.gserviceaccount.com.
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMPolicyMember
  metadata:
    name: iampolicymember-sample-projectlevel
  spec:
    member: serviceAccount:iampolicymember-dep-projectlevel@${PROJECT_ID?}.iam.gserviceaccount.com
    role: roles/storage.admin
    resourceRef:
      apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
      kind: Project
      external: projects/${PROJECT_ID?}
  ---
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMServiceAccount
  metadata:
    name: iampolicymember-dep-projectlevel

KMS Policy Member With Condition

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMPolicyMember
  metadata:
    name: iampolicymember-sample-condition
  spec:
    # replace ${PROJECT_ID?} with your project name
    member: serviceAccount:iampolicymember-dep-condition@${PROJECT_ID?}.iam.gserviceaccount.com
    role: roles/cloudkms.admin
    condition:
      title: expires_after_2019_12_31
      description: Expires at midnight of 2019-12-31
      expression: request.time < timestamp("2020-01-01T00:00:00Z")
    resourceRef:
      apiVersion: kms.cnrm.cloud.google.com/v1beta1
      kind: KMSKeyRing
      name: iampolicymember-dep-condition
  ---
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMServiceAccount
  metadata:
    name: iampolicymember-dep-condition
  ---
  apiVersion: kms.cnrm.cloud.google.com/v1beta1
  kind: KMSKeyRing
  metadata:
    name: iampolicymember-dep-condition
  spec:
    location: us-central1

Org Level IAM Custom Role Policy Member

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
  # Replace ${PROJECT_ID?} below with your desired project ID.
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMPolicyMember
  metadata:
    name: iampolicymember-sample-orgrole
  spec:
    member: serviceAccount:iampolicymember-dep-orgrole@${PROJECT_ID?}.iam.gserviceaccount.com
    # Replace ${ORG_ID?} with the numeric ID of your organization
    role: organizations/${ORG_ID?}/roles/iampolicymemberdeporgrole
    resourceRef:
      apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
      kind: Project
      external: projects/${PROJECT_ID?}
  ---
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMCustomRole
  metadata:
    annotations:
      # Replace "${ORG_ID?}" with your organization ID
      cnrm.cloud.google.com/organization-id: "${ORG_ID?}"
    name: iampolicymemberdeporgrole
  spec:
    title: Example Organization-Level Custom Role
    description: This role only contains two permissions - publish and update
    permissions:
      - pubsub.topics.publish
      - pubsub.topics.update
    stage: GA
  ---
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMServiceAccount
  metadata:
    name: iampolicymember-dep-orgrole

Policy Member With Member Reference

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMPolicyMember
  metadata:
    name: iampolicymember-sample-memberref
  spec:
    memberFrom:
      serviceAccountRef:
        name: iampolicymember-dep-memberref
    role: roles/editor
    resourceRef:
      apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
      kind: PubSubTopic
      name: iampolicymember-dep-memberref
  ---
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMServiceAccount
  metadata:
    name: iampolicymember-dep-memberref
  ---
  apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
  kind: PubSubTopic
  metadata:
    name: iampolicymember-dep-memberref

Pubsub Admin Policy Member

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMPolicyMember
  metadata:
    name: iampolicymember-sample-pubsubadmin
  spec:
    # replace ${PROJECT_ID?} with your project name
    member: serviceAccount:iampolicymember-dep-pubsub@${PROJECT_ID?}.iam.gserviceaccount.com
    role: roles/editor
    resourceRef:
      apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
      kind: PubSubTopic
      name: iampolicymember-dep-pubsubadmin
  ---
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMServiceAccount
  metadata:
    name: iampolicymember-dep-pubsub
  ---
  apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
  kind: PubSubTopic
  metadata:
    name: iampolicymember-dep-pubsubadmin