| Property | Value |
|---|---|
| Google Cloud Service Name | IAM |
| Google Cloud Service Documentation | /iam/docs/ |
| Google Cloud REST Resource Name | v1.iamPolicies |
| Google Cloud REST Resource Documentation | /iam/reference/rest/v1/iamPolicies |
| Config Connector Resource Short Names | gcpiampolicymember gcpiampolicymembers iampolicymember |
| Config Connector Service Name | iam.googleapis.com |
| Config Connector Resource Fully Qualified Name | iampolicymembers.iam.cnrm.cloud.google.com |
| Can Be Referenced by IAMPolicy/IAMPolicyMember | No |
Supported Resources
You can use IAMPolicyMember to configure IAM for
the following resources.
| Kind | Supports Conditions |
|---|---|
ArtifactRegistryRepository |
|
BigQueryTable |
|
BigtableInstance |
|
BigtableTable |
|
BillingAccount |
Y |
ComputeDisk |
|
ComputeImage |
Y |
ComputeInstance |
Y |
ComputeSubnetwork |
Y |
Folder |
Y |
IAMServiceAccount |
Y |
KMSCryptoKey |
Y |
KMSKeyRing |
Y |
Organization |
Y |
Project |
Y |
PubSubSubscription |
|
PubSubTopic |
|
SecretManagerSecret |
|
SourceRepoRepository |
|
SpannerDatabase |
|
SpannerInstance |
|
StorageBucket |
Y |
| Kind | External Reference Formats |
|---|---|
ArtifactRegistryRepository |
|
BigQueryTable |
|
BigtableInstance |
|
BigtableTable |
|
BillingAccount |
|
ComputeDisk |
|
ComputeImage |
|
ComputeInstance |
|
ComputeSubnetwork |
|
Folder |
|
IAMServiceAccount |
|
KMSCryptoKey |
|
KMSKeyRing |
|
Organization |
|
Project |
|
PubSubSubscription |
|
PubSubTopic |
|
SecretManagerSecret |
|
SourceRepoRepository |
|
SpannerDatabase |
|
SpannerInstance |
|
StorageBucket |
|
Custom Resource Definition Properties
Spec
Schema
condition:
description: string
expression: string
title: string
member: string
memberFrom:
logSinkRef:
name: string
namespace: string
serviceAccountRef:
name: string
namespace: string
resourceRef:
apiVersion: string
external: string
kind: string
name: string
namespace: string
role: string
| Fields | |
|---|---|
|
Optional |
Immutable. Optional. The condition under which the binding applies. |
|
Optional |
|
|
Required* |
|
|
Required* |
|
|
Optional |
Immutable. The IAM identity to be bound to the role. Exactly one of 'member' or 'memberFrom' must be used. |
|
Optional |
Immutable. The IAM identity to be bound to the role. Exactly one of 'member' or 'memberFrom' must be used, and only one subfield within 'memberFrom' can be used. |
|
Optional |
Immutable. The LoggingLogSink whose writer identity (i.e. its 'status.writerIdentity') is to be bound to the role. |
|
Required* |
|
|
Optional |
|
|
Optional |
Immutable. The IAMServiceAccount to be bound to the role. |
|
Required* |
|
|
Optional |
|
|
Required* |
Immutable. Required. The GCP resource to set the IAM policy on. |
|
Optional |
|
|
Optional |
|
|
Required* |
|
|
Optional |
|
|
Optional |
|
|
Required* |
Immutable. Required. The role for which the Member will be bound. |
* Field is required when parent field is specified
Status
Schema
conditions:
- lastTransitionTime: string
message: string
reason: string
status: string
type: string
observedGeneration: integer
| Fields | |
|---|---|
conditions |
Conditions represent the latest available observations of the IAM policy's current state. |
conditions.[] |
|
conditions.[].lastTransitionTime |
Last time the condition transitioned from one status to another. |
conditions.[].message |
Human-readable message indicating details about last transition. |
conditions.[].reason |
Unique, one-word, CamelCase reason for the condition's last transition. |
conditions.[].status |
Status is the status of the condition. Can be True, False, Unknown. |
conditions.[].type |
Type is the type of the condition. |
observedGeneration |
ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource. |
Sample YAML(s)
External Organization Level Policy Member
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Replace ${PROJECT_ID?} and ${ORG_ID?} below with your desired project and
# organization IDs respectively.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
name: iampolicymember-sample-orglevel
spec:
member: serviceAccount:iampolicymember-dep-orglevel@${PROJECT_ID?}.iam.gserviceaccount.com
role: roles/storage.admin
resourceRef:
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Organization
external: "${ORG_ID?}"
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
name: iampolicymember-dep-orglevel
External Project Level Policy Member
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Replace ${PROJECT_ID?} below with your desired project ID.
#
# This sample assumes that you have created a service account named cnrm-system@${PROJECT_ID?}.iam.gserviceaccount.com.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
name: iampolicymember-sample-projectlevel
spec:
member: serviceAccount:iampolicymember-dep-projectlevel@${PROJECT_ID?}.iam.gserviceaccount.com
role: roles/storage.admin
resourceRef:
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
external: projects/${PROJECT_ID?}
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
name: iampolicymember-dep-projectlevel
KMS Policy Member With Condition
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
name: iampolicymember-sample-condition
spec:
# replace ${PROJECT_ID?} with your project name
member: serviceAccount:iampolicymember-dep-condition@${PROJECT_ID?}.iam.gserviceaccount.com
role: roles/cloudkms.admin
condition:
title: expires_after_2019_12_31
description: Expires at midnight of 2019-12-31
expression: request.time < timestamp("2020-01-01T00:00:00Z")
resourceRef:
apiVersion: kms.cnrm.cloud.google.com/v1beta1
kind: KMSKeyRing
name: iampolicymember-dep-condition
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
name: iampolicymember-dep-condition
---
apiVersion: kms.cnrm.cloud.google.com/v1beta1
kind: KMSKeyRing
metadata:
name: iampolicymember-dep-condition
spec:
location: us-central1
Org Level IAM Custom Role Policy Member
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Replace ${PROJECT_ID?} below with your desired project ID.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
name: iampolicymember-sample-orgrole
spec:
member: serviceAccount:iampolicymember-dep-orgrole@${PROJECT_ID?}.iam.gserviceaccount.com
# Replace ${ORG_ID?} with the numeric ID of your organization
role: organizations/${ORG_ID?}/roles/iampolicymemberdeporgrole
resourceRef:
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
external: projects/${PROJECT_ID?}
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMCustomRole
metadata:
annotations:
# Replace "${ORG_ID?}" with your organization ID
cnrm.cloud.google.com/organization-id: "${ORG_ID?}"
name: iampolicymemberdeporgrole
spec:
title: Example Organization-Level Custom Role
description: This role only contains two permissions - publish and update
permissions:
- pubsub.topics.publish
- pubsub.topics.update
stage: GA
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
name: iampolicymember-dep-orgrole
Policy Member With Member Reference
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
name: iampolicymember-sample-memberref
spec:
memberFrom:
serviceAccountRef:
name: iampolicymember-dep-memberref
role: roles/editor
resourceRef:
apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
kind: PubSubTopic
name: iampolicymember-dep-memberref
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
name: iampolicymember-dep-memberref
---
apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
kind: PubSubTopic
metadata:
name: iampolicymember-dep-memberref
Pubsub Admin Policy Member
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
name: iampolicymember-sample-pubsubadmin
spec:
# replace ${PROJECT_ID?} with your project name
member: serviceAccount:iampolicymember-dep-pubsub@${PROJECT_ID?}.iam.gserviceaccount.com
role: roles/editor
resourceRef:
apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
kind: PubSubTopic
name: iampolicymember-dep-pubsubadmin
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
name: iampolicymember-dep-pubsub
---
apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
kind: PubSubTopic
metadata:
name: iampolicymember-dep-pubsubadmin