Property | Value |
---|---|
Google Cloud Service Name | IAM |
Google Cloud Service Documentation | /iam/docs/ |
Google Cloud REST Resource Name | v1.iamPolicies |
Google Cloud REST Resource Documentation | /iam/reference/rest/v1/iamPolicies |
Config Connector Resource Short Names | gcpiampolicymember gcpiampolicymembers iampolicymember |
Config Connector Service Name | iam.googleapis.com |
Config Connector Resource Fully Qualified Name | iampolicymembers.iam.cnrm.cloud.google.com |
Can Be Referenced by IAMPolicy/IAMPolicyMember | No |
Supported Resources
You can use IAMPolicyMember to configure IAM for the following resources.

Kind | Supports Conditions |
---|---|
ArtifactRegistryRepository | |
BigQueryTable | |
BigtableInstance | |
BigtableTable | |
BillingAccount | Y |
ComputeDisk | |
ComputeImage | Y |
ComputeInstance | Y |
ComputeSubnetwork | Y |
Folder | Y |
IAMServiceAccount | Y |
KMSCryptoKey | Y |
KMSKeyRing | Y |
Organization | Y |
Project | Y |
PubSubSubscription | |
PubSubTopic | |
SecretManagerSecret | |
SourceRepoRepository | |
SpannerDatabase | |
SpannerInstance | |
StorageBucket | Y |
Kind | External Reference Formats |
---|---|
ArtifactRegistryRepository | |
BigQueryTable | |
BigtableInstance | |
BigtableTable | |
BillingAccount | |
ComputeDisk | |
ComputeImage | |
ComputeInstance | |
ComputeSubnetwork | |
Folder | |
IAMServiceAccount | |
KMSCryptoKey | |
KMSKeyRing | |
Organization | |
Project | |
PubSubSubscription | |
PubSubTopic | |
SecretManagerSecret | |
SourceRepoRepository | |
SpannerDatabase | |
SpannerInstance | |
StorageBucket | |
Custom Resource Definition Properties
Spec
Schema

```yaml
condition:
  description: string
  expression: string
  title: string
member: string
memberFrom:
  logSinkRef:
    name: string
    namespace: string
  serviceAccountRef:
    name: string
    namespace: string
resourceRef:
  apiVersion: string
  external: string
  kind: string
  name: string
  namespace: string
role: string
```
Field | Required | Description |
---|---|---|
condition | Optional | Immutable. Optional. The condition under which the binding applies. |
condition.description | Optional | |
condition.expression | Required* | |
condition.title | Required* | |
member | Optional | Immutable. The IAM identity to be bound to the role. Exactly one of 'member' or 'memberFrom' must be used. |
memberFrom | Optional | Immutable. The IAM identity to be bound to the role. Exactly one of 'member' or 'memberFrom' must be used, and only one subfield within 'memberFrom' can be used. |
memberFrom.logSinkRef | Optional | Immutable. The LoggingLogSink whose writer identity (i.e. its 'status.writerIdentity') is to be bound to the role. |
memberFrom.logSinkRef.name | Required* | |
memberFrom.logSinkRef.namespace | Optional | |
memberFrom.serviceAccountRef | Optional | Immutable. The IAMServiceAccount to be bound to the role. |
memberFrom.serviceAccountRef.name | Required* | |
memberFrom.serviceAccountRef.namespace | Optional | |
resourceRef | Required* | Immutable. Required. The GCP resource to set the IAM policy on. |
resourceRef.apiVersion | Optional | |
resourceRef.external | Optional | |
resourceRef.kind | Required* | |
resourceRef.name | Optional | |
resourceRef.namespace | Optional | |
role | Required* | Immutable. Required. The role for which the Member will be bound. |
* Field is required when parent field is specified
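The constraints above (exactly one of `member` or `memberFrom`, a single subfield under `memberFrom`, the required subfields of `condition` and `resourceRef`) and the "Supports Conditions" column of the Supported Resources table can be checked before a manifest ever reaches the cluster. The following lint is an added example written for this page, not Config Connector's own code or validation. It takes manifests as already-parsed dicts (the shape `yaml.safe_load` returns), the two inputs are constructed to mirror the page's samples, and treating a `resourceRef` that sets both or neither of `name`/`external` as an error is this example's assumption, since the page only shows samples using one or the other.

```python
"""Pre-apply lint for Config Connector IAMPolicyMember manifests (added example)."""

# Kinds from the page's "Supported Resources" table; True where the
# "Supports Conditions" column is marked Y.
SUPPORTED_KINDS = {
    "ArtifactRegistryRepository": False, "BigQueryTable": False,
    "BigtableInstance": False, "BigtableTable": False, "BillingAccount": True,
    "ComputeDisk": False, "ComputeImage": True, "ComputeInstance": True,
    "ComputeSubnetwork": True, "Folder": True, "IAMServiceAccount": True,
    "KMSCryptoKey": True, "KMSKeyRing": True, "Organization": True,
    "Project": True, "PubSubSubscription": False, "PubSubTopic": False,
    "SecretManagerSecret": False, "SourceRepoRepository": False,
    "SpannerDatabase": False, "SpannerInstance": False, "StorageBucket": True,
}


def lint_policy_member(manifest):
    """Return a list of problems found in one IAMPolicyMember (empty = passes)."""
    problems = []
    if manifest.get("kind") != "IAMPolicyMember":
        return ["kind must be IAMPolicyMember"]
    spec = manifest.get("spec") or {}

    if not spec.get("role"):
        problems.append("spec.role is required")

    # Exactly one of member / memberFrom, and one subfield within memberFrom.
    has_member, has_member_from = "member" in spec, "memberFrom" in spec
    if has_member == has_member_from:
        problems.append("exactly one of spec.member or spec.memberFrom must be set")
    if has_member_from:
        member_from = spec.get("memberFrom") or {}
        refs = [k for k in ("logSinkRef", "serviceAccountRef") if k in member_from]
        if len(refs) != 1:
            problems.append("spec.memberFrom must set exactly one of logSinkRef or serviceAccountRef")
        for ref in refs:
            if not (member_from.get(ref) or {}).get("name"):
                problems.append(f"spec.memberFrom.{ref}.name is required")

    # resourceRef: kind is required and must be a supported kind; name xor
    # external is this example's assumption (the page's samples use one of them).
    rref = spec.get("resourceRef")
    kind = None
    if not rref:
        problems.append("spec.resourceRef is required")
    else:
        kind = rref.get("kind")
        if not kind:
            problems.append("spec.resourceRef.kind is required")
        elif kind not in SUPPORTED_KINDS:
            problems.append(f"spec.resourceRef.kind {kind!r} is not a supported kind")
        if bool(rref.get("name")) == bool(rref.get("external")):
            problems.append("spec.resourceRef needs exactly one of name or external")

    # condition: title and expression are required when it is present, and the
    # target kind must be one the table marks as supporting conditions.
    cond = spec.get("condition")
    if cond is not None:
        for key in ("title", "expression"):
            if not (cond or {}).get(key):
                problems.append(f"spec.condition.{key} is required when condition is set")
        if kind in SUPPORTED_KINDS and not SUPPORTED_KINDS[kind]:
            problems.append(f"{kind} does not support IAM conditions")
    return problems


# Constructed inputs mirroring the page's samples (not real cluster objects).
VALID = {
    "apiVersion": "iam.cnrm.cloud.google.com/v1beta1",
    "kind": "IAMPolicyMember",
    "metadata": {"name": "iampolicymember-sample-condition"},
    "spec": {
        "member": "serviceAccount:iampolicymember-dep-condition@example-project.iam.gserviceaccount.com",
        "role": "roles/cloudkms.admin",
        "condition": {"title": "expires_after_2019_12_31",
                      "expression": 'request.time < timestamp("2020-01-01T00:00:00Z")'},
        "resourceRef": {"apiVersion": "kms.cnrm.cloud.google.com/v1beta1",
                        "kind": "KMSKeyRing", "name": "iampolicymember-dep-condition"},
    },
}
INVALID = {
    "apiVersion": "iam.cnrm.cloud.google.com/v1beta1",
    "kind": "IAMPolicyMember",
    "metadata": {"name": "bad-binding"},
    "spec": {
        "member": "serviceAccount:x@example-project.iam.gserviceaccount.com",
        "memberFrom": {"serviceAccountRef": {"name": "x"}},   # both member forms set
        "role": "roles/editor",
        "condition": {"title": "t"},                           # expression missing
        "resourceRef": {"kind": "PubSubTopic", "name": "topic-a"},  # no condition support
    },
}

if __name__ == "__main__":
    for m in (VALID, INVALID):
        print(m["metadata"]["name"], lint_policy_member(m) or "OK")
```

Run over a directory of manifests, this catches the two failure modes the page's tables imply but the API server does not surface until reconciliation: a binding that sets both `member` and `memberFrom`, and a `condition` on a kind whose row is blank in the Supports Conditions column.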
Status
Schema

```yaml
conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
```

Field | Description |
---|---|
conditions | Conditions represent the latest available observations of the IAM policy's current state. |
conditions.[] | |
conditions.[].lastTransitionTime | Last time the condition transitioned from one status to another. |
conditions.[].message | Human-readable message indicating details about last transition. |
conditions.[].reason | Unique, one-word, CamelCase reason for the condition's last transition. |
conditions.[].status | Status is the status of the condition. Can be True, False, Unknown. |
conditions.[].type | Type is the type of the condition. |
Sample YAML(s)
External Organization Level Policy Member
```yaml
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Replace ${PROJECT_ID?} and ${ORG_ID?} below with your desired project and
# organization IDs respectively.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: iampolicymember-sample-orglevel
spec:
  member: serviceAccount:iampolicymember-dep-orglevel@${PROJECT_ID?}.iam.gserviceaccount.com
  role: roles/storage.admin
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Organization
    external: "${ORG_ID?}"
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: iampolicymember-dep-orglevel
```
External Project Level Policy Member
```yaml
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Replace ${PROJECT_ID?} below with your desired project ID.
#
# This sample assumes that you have created a service account named cnrm-system@${PROJECT_ID?}.iam.gserviceaccount.com.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: iampolicymember-sample-projectlevel
spec:
  member: serviceAccount:iampolicymember-dep-projectlevel@${PROJECT_ID?}.iam.gserviceaccount.com
  role: roles/storage.admin
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: projects/${PROJECT_ID?}
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: iampolicymember-dep-projectlevel
```
KMS Policy Member With Condition
```yaml
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: iampolicymember-sample-condition
spec:
  # replace ${PROJECT_ID?} with your project name
  member: serviceAccount:iampolicymember-dep-condition@${PROJECT_ID?}.iam.gserviceaccount.com
  role: roles/cloudkms.admin
  condition:
    title: expires_after_2019_12_31
    description: Expires at midnight of 2019-12-31
    expression: request.time < timestamp("2020-01-01T00:00:00Z")
  resourceRef:
    apiVersion: kms.cnrm.cloud.google.com/v1beta1
    kind: KMSKeyRing
    name: iampolicymember-dep-condition
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: iampolicymember-dep-condition
---
apiVersion: kms.cnrm.cloud.google.com/v1beta1
kind: KMSKeyRing
metadata:
  name: iampolicymember-dep-condition
spec:
  location: us-central1
```
Org Level IAM Custom Role Policy Member
```yaml
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Replace ${PROJECT_ID?} below with your desired project ID.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: iampolicymember-sample-orgrole
spec:
  member: serviceAccount:iampolicymember-dep-orgrole@${PROJECT_ID?}.iam.gserviceaccount.com
  # Replace ${ORG_ID?} with the numeric ID of your organization
  role: organizations/${ORG_ID?}/roles/iampolicymemberdeporgrole
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: projects/${PROJECT_ID?}
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMCustomRole
metadata:
  annotations:
    # Replace "${ORG_ID?}" with your organization ID
    cnrm.cloud.google.com/organization-id: "${ORG_ID?}"
  name: iampolicymemberdeporgrole
spec:
  title: Example Organization-Level Custom Role
  description: This role only contains two permissions - publish and update
  permissions:
    - pubsub.topics.publish
    - pubsub.topics.update
  stage: GA
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: iampolicymember-dep-orgrole
```
Policy Member With Member Reference
```yaml
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: iampolicymember-sample-memberref
spec:
  memberFrom:
    serviceAccountRef:
      name: iampolicymember-dep-memberref
  role: roles/editor
  resourceRef:
    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    kind: PubSubTopic
    name: iampolicymember-dep-memberref
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: iampolicymember-dep-memberref
---
apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
kind: PubSubTopic
metadata:
  name: iampolicymember-dep-memberref
```
Pubsub Admin Policy Member
```yaml
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: iampolicymember-sample-pubsubadmin
spec:
  # replace ${PROJECT_ID?} with your project name
  member: serviceAccount:iampolicymember-dep-pubsub@${PROJECT_ID?}.iam.gserviceaccount.com
  role: roles/editor
  resourceRef:
    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    kind: PubSubTopic
    name: iampolicymember-dep-pubsubadmin
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: iampolicymember-dep-pubsub
---
apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
kind: PubSubTopic
metadata:
  name: iampolicymember-dep-pubsubadmin
```