IAMPolicyMember

Property                                        Value
Google Cloud Service Name                       Cloud IAM
Google Cloud Service Documentation              /iam/docs/
Google Cloud REST Resource Name                 v1.iamPolicies
Google Cloud REST Resource Documentation        /iam/reference/rest/v1/iamPolicies
Config Connector Resource Short Names           gcpiampolicymember
                                                gcpiampolicymembers
                                                iampolicymember
Config Connector Service Name                   iam.googleapis.com
Config Connector Resource Fully Qualified Name  iampolicymembers.iam.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember  No

Supported Resources

You can use IAMPolicyMember to configure IAM for the following resources.

Kind                        Supports Conditions
ArtifactRegistryRepository
BigQueryTable
BigtableInstance
BillingAccount              Y
ComputeImage                Y
ComputeInstance             Y
ComputeSubnetwork           Y
Folder                      Y
IAMServiceAccount           Y
KMSCryptoKey                Y
KMSKeyRing                  Y
Organization                Y
Project                     Y
PubSubSubscription
PubSubTopic
SecretManagerSecret
SourceRepoRepository
SpannerDatabase
SpannerInstance
StorageBucket               Y

Kind                        External Reference Formats
ArtifactRegistryRepository  projects/{{project}}/locations/{{location}}/repositories/{{repository_id}}
BigQueryTable               projects/{{project}}/datasets/{{dataset_id}}/tables/{{table_id}}
BigtableInstance            projects/{{project}}/instances/{{name}}
BillingAccount              {{billing_account_id}}
ComputeImage                projects/{{project}}/global/images/{{name}}
ComputeInstance             projects/{{project}}/zones/{{zone}}/instances/{{name}}
ComputeSubnetwork           projects/{{project}}/regions/{{region}}/subnetworks/{{name}}
Folder                      folders/{{folder_id}}
IAMServiceAccount           projects/{{project}}/serviceAccounts/{{account_id}}@{{project}}.iam.gserviceaccount.com
KMSCryptoKey                {{key_ring}}/cryptoKeys/{{name}}
KMSKeyRing                  projects/{{project}}/locations/{{location}}/keyRings/{{name}}
Organization                {{org_id}}
Project                     projects/{{project_id}}
PubSubSubscription          projects/{{project}}/subscriptions/{{name}}
PubSubTopic                 projects/{{project}}/topics/{{name}}
SecretManagerSecret         projects/{{project}}/secrets/{{secret_id}}
SourceRepoRepository        projects/{{project}}/repos/{{name}}
SpannerDatabase             projects/{{project}}/instances/{{instance}}/databases/{{name}}
SpannerInstance             projects/{{project}}/instances/{{name}}
StorageBucket               {{name}}

Custom Resource Definition Properties

Spec

Schema

  condition:
    description: string
    expression: string
    title: string
  member: string
  resourceRef:
    apiVersion: string
    external: string
    kind: string
    name: string
    namespace: string
  role: string

Fields

condition (Optional, object)
  Immutable. Optional. The condition under which the binding applies.

condition.description (Optional, string)

condition.expression (Required*, string)

condition.title (Required*, string)

member (Required*, string)
  Immutable. Required. The list of IAM identities to be bound to the role.

resourceRef (Required*, object)
  Immutable. Required. The GCP resource to set the IAM policy on.

resourceRef.apiVersion (Optional, string)

resourceRef.external (Optional, string)

resourceRef.kind (Required*, string)

resourceRef.name (Optional, string)

resourceRef.namespace (Optional, string)

role (Required*, string)
  Immutable. Required. The role for which the Member will be bound.

* Field is required when parent field is specified
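As an added example (not part of Config Connector or of this reference), the following Python check applies the rules above to IAMPolicyMember manifests before they are applied: the required spec fields, the Required* rule for condition.title and condition.expression, the Supports Conditions column, and a subset of the external reference formats. The function names, the SAMPLE_DOCS manifests and the project "my-proj" are constructed for this example.

```python
import re

# Kinds that accept spec.condition, per the "Supports Conditions" column above.
CONDITION_KINDS = {"BillingAccount", "ComputeImage", "ComputeInstance",
                   "ComputeSubnetwork", "Folder", "IAMServiceAccount", "KMSCryptoKey",
                   "KMSKeyRing", "Organization", "Project", "StorageBucket"}
# External reference formats copied from the table above (a subset, for brevity).
EXTERNAL_FORMATS = {"Organization": "{{org_id}}", "Project": "projects/{{project_id}}",
                    "PubSubTopic": "projects/{{project}}/topics/{{name}}"}

def format_regex(fmt):
    literals = re.split(r"\{\{[a-z_]+\}\}", fmt)  # each placeholder becomes one path segment
    return re.compile("^" + "[^/]+".join(re.escape(p) for p in literals) + "$")

def validate_member(doc):
    problems, spec = [], doc.get("spec") or {}  # an empty problems list means the doc passes
    for field in ("member", "role", "resourceRef"):
        if not spec.get(field):
            problems.append(f"spec.{field} is required")
    ref = spec.get("resourceRef") or {}
    kind, external = ref.get("kind"), ref.get("external")
    if not kind:
        problems.append("spec.resourceRef.kind is required")
    if external is not None and kind in EXTERNAL_FORMATS and \
            not format_regex(EXTERNAL_FORMATS[kind]).match(str(external)):
        problems.append(f"resourceRef.external {external!r} does not match {EXTERNAL_FORMATS[kind]}")
    condition = spec.get("condition")
    if condition is not None:
        if kind and kind not in CONDITION_KINDS:
            problems.append(f"{kind} does not support conditions")
        for field in ("title", "expression"):  # Required* once condition is specified
            if not condition.get(field):
                problems.append(f"spec.condition.{field} is required")
    return problems

def validate_manifests(docs):
    # docs: the dicts yaml.safe_load_all() yields for a '---'-separated file; other kinds skipped.
    return {d["metadata"]["name"]: validate_member(d)
            for d in docs if d.get("kind") == "IAMPolicyMember"}

# Constructed sample: a Project binding like the page's, and a PubSubTopic one with a bogus condition/external.
SA = "serviceAccount:dep@my-proj.iam.gserviceaccount.com"
SAMPLE_DOCS = [
    {"kind": "IAMPolicyMember", "metadata": {"name": "projectlevel"},
     "spec": {"member": SA, "role": "roles/storage.admin",
              "resourceRef": {"kind": "Project", "external": "projects/my-proj"}}},
    {"kind": "IAMPolicyMember", "metadata": {"name": "topic"},
     "spec": {"member": SA, "role": "roles/editor", "condition": {"title": "t"},
              "resourceRef": {"kind": "PubSubTopic", "external": "my-topic"}}},
]
```

Running validate_manifests(SAMPLE_DOCS) reports nothing for "projectlevel" and three problems for "topic": the malformed external reference, the unsupported condition, and the missing condition.expression.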

Status

Schema

  conditions:
  - lastTransitionTime: string
    message: string
    reason: string
    status: string
    type: string

Fields

conditions (list (object))
  Conditions represents the latest available observations of the IAM policy's current state.

conditions.[] (object)

conditions.[].lastTransitionTime (string)
  Last time the condition transitioned from one status to another.

conditions.[].message (string)
  Human-readable message indicating details about last transition.

conditions.[].reason (string)
  Unique, one-word, CamelCase reason for the condition's last transition.

conditions.[].status (string)
  Status is the status of the condition. Can be True, False, Unknown.

conditions.[].type (string)
  Type is the type of the condition.

Sample YAML(s)

External Organization Level Policy Member

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
  # Replace ${PROJECT_ID?} and ${ORG_ID?} below with your desired project and
  # organization IDs respectively.
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMPolicyMember
  metadata:
    name: iampolicymember-sample-orglevel
  spec:
    member: serviceAccount:iampolicymember-dep-orglevel@${PROJECT_ID?}.iam.gserviceaccount.com
    role: roles/storage.admin
    resourceRef:
      apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
      kind: Organization
      external: "${ORG_ID?}"
  ---
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMServiceAccount
  metadata:
    name: iampolicymember-dep-orglevel

External Project Level Policy Member

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
  # Replace ${PROJECT_ID?} below with your desired project ID.
  #
  # This sample assumes that you have created a service account named cnrm-system@${PROJECT_ID?}.iam.gserviceaccount.com.
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMPolicyMember
  metadata:
    name: iampolicymember-sample-projectlevel
  spec:
    member: serviceAccount:iampolicymember-dep-projectlevel@${PROJECT_ID?}.iam.gserviceaccount.com
    role: roles/storage.admin
    resourceRef:
      apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
      kind: Project
      external: projects/${PROJECT_ID?}
  ---
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMServiceAccount
  metadata:
    name: iampolicymember-dep-projectlevel

KMS Policy Member With Condition

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMPolicyMember
  metadata:
    name: iampolicymember-sample-condition
  spec:
    # replace ${PROJECT_ID?} with your project name
    member: serviceAccount:iampolicymember-dep-condition@${PROJECT_ID?}.iam.gserviceaccount.com
    role: roles/cloudkms.admin
    condition:
      title: expires_after_2019_12_31
      description: Expires at midnight of 2019-12-31
      expression: request.time < timestamp("2020-01-01T00:00:00Z")
    resourceRef:
      apiVersion: kms.cnrm.cloud.google.com/v1beta1
      kind: KMSKeyRing
      name: iampolicymember-dep-condition
  ---
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMServiceAccount
  metadata:
    name: iampolicymember-dep-condition
  ---
  apiVersion: kms.cnrm.cloud.google.com/v1beta1
  kind: KMSKeyRing
  metadata:
    name: iampolicymember-dep-condition
  spec:
    location: us-central1

Org Level IAM Custom Role Policy Member

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
  # Replace ${PROJECT_ID?} below with your desired project ID.
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMPolicyMember
  metadata:
    name: iampolicymember-sample-orgrole
  spec:
    member: serviceAccount:iampolicymember-dep-orgrole@${PROJECT_ID?}.iam.gserviceaccount.com
    # Replace ${ORG_ID?} with the numeric ID of your organization, and replace
    # ${ROLE_ID?} with your IAM custom role ID.
    role: organizations/${ORG_ID?}/roles/${ROLE_ID?}
    resourceRef:
      apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
      kind: Project
      external: projects/${PROJECT_ID?}
  ---
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMServiceAccount
  metadata:
    name: iampolicymember-dep-orgrole

Pubsub Admin Policy Member

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMPolicyMember
  metadata:
    name: iampolicymember-sample-pubsubadmin
  spec:
    # replace ${PROJECT_ID?} with your project name
    member: serviceAccount:iampolicymember-dep-pubsub@${PROJECT_ID?}.iam.gserviceaccount.com
    role: roles/editor
    resourceRef:
      apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
      kind: PubSubTopic
      name: iampolicymember-dep-pubsubadmin
  ---
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMServiceAccount
  metadata:
    name: iampolicymember-dep-pubsub
  ---
  apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
  kind: PubSubTopic
  metadata:
    name: iampolicymember-dep-pubsubadmin