Setting access control in a configuration

To control access to your resources in Google Cloud, you use Identity and Access Management (IAM). With IAM, you set permissions specifying who has what kind of access to which resources in your project. For an introduction to IAM, see the IAM Overview.

When you deploy resources, you can also control who has access to these resources by setting an IAM policy preemptively in your configuration. For example, if you plan to create Pub/Sub Topics that can be managed by specific users, you can express this to Deployment Manager by specifying an IAM policy in your configuration. When you create or update your deployment, Deployment Manager calls the IAM API to set the appropriate permissions on the resource.

Using IAM policies in Deployment Manager

An IAM policy is a collection of bindings; each binding grants one role to a list of members (users, groups, domains, or service accounts). You can set an IAM policy at the project level, using either basic or predefined roles. Some services, such as Pub/Sub, also support setting IAM policies on individual resources, and that resource-level policy is what the accessControl section of a Deployment Manager configuration sets.

If a service does not support setting IAM policies at the resource level, Deployment Manager returns a NO_METHOD_TO_UPDATE_ACCESS_CONTROL error.

For a list of roles and the resources you can apply them to, see Understanding Roles.

Granting Deployment Manager permission to set IAM policies

Deployment Manager uses the Google APIs service account to call other Google APIs and manage Google Cloud resources on your behalf. To apply the IAM policies you define in your configurations, your project's Google APIs service account must hold the basic roles/owner role. Keep the blast radius of that grant in mind: anyone who can create or update deployments in the project can set IAM policies through this service account, so limit who holds Deployment Manager roles such as roles/deploymentmanager.editor.

  1. Go to the IAM page in the Google Cloud console of your project.
  2. If prompted, select your project from the list.
  3. Look for the Google APIs service account, which has the email address in the following format:

    [PROJECT_NUMBER]@cloudservices.gserviceaccount.com
    
  4. Grant the APIs service account the roles/owner role:

    Console

    1. While still in the Google Cloud console, expand the Roles dropdown for the Google APIs service account and select Project > Owner.
    2. Click Save to save your changes.

    gcloud

    With the Google Cloud CLI, add a binding to the IAM policy for the project:

    gcloud projects add-iam-policy-binding [PROJECT_ID] \
        --member serviceAccount:[SERVICE_ACCOUNT_EMAIL] --role roles/owner

    where:

    • [PROJECT_ID] is the ID of the project.
    • [SERVICE_ACCOUNT_EMAIL] is the email of the service account.

    For example:

    gcloud projects add-iam-policy-binding database-images \
        --member serviceAccount:123456789012@cloudservices.gserviceaccount.com  \
        --role roles/owner

    API

    In the API, make a POST request to the following URL, where [PROJECT_ID] is the ID of the project:

    POST https://cloudresourcemanager.googleapis.com/v1/projects/[PROJECT_ID]:setIamPolicy
    

    The request body contains the full list of bindings to apply to this project, and the roles/owner binding for the service account must be among them. Note that setIamPolicy replaces the project's policy rather than merging with it: first call getIamPolicy, add the new member to the bindings it returns, and send the result back together with the etag it returned. Any binding you leave out of the request is removed. For example:

    {
        "policy": {
            "version": "0",
            "bindings": [
                {
                    "role": "roles/owner",
                    "members": [
                        "user:example@gmail.com",
                        "serviceAccount:123456789012@cloudservices.gserviceaccount.com"
                    ]
                }
            ]
        }
    }
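
The read-modify-write step that the API call above depends on, as an added example (not code from the Deployment Manager documentation). It performs only the local merge between getIamPolicy and setIamPolicy, so it runs offline; CURRENT_POLICY is a constructed stand-in for a getIamPolicy response, and the etag value in it is made up.

```python
"""Merge a new binding into a project IAM policy before calling setIamPolicy.

Added example, not from the Deployment Manager docs. The policy below is a
constructed sample of what projects.getIamPolicy returns; the etag is invented.
"""
import copy
import json

# Constructed sample: a project that already has editor and owner bindings.
# A naive setIamPolicy body containing only the new binding would drop these.
CURRENT_POLICY = {
    "version": 1,
    "etag": "BwWzA8rJk1Y=",
    "bindings": [
        {"role": "roles/editor", "members": ["user:alice@example.com"]},
        {"role": "roles/owner", "members": ["user:example@gmail.com"]},
    ],
}

# Principal prefixes used on this page; other prefixes exist but are not
# needed for this example.
VALID_PREFIXES = ("user:", "serviceAccount:", "group:", "domain:")


def add_binding(policy, role, member):
    """Return a copy of `policy` with `member` granted `role`.

    Existing bindings are preserved, the member is not duplicated, and the
    etag is carried over so a concurrent change makes setIamPolicy fail
    instead of silently clobbering the newer policy.
    """
    if not member.startswith(VALID_PREFIXES):
        raise ValueError("member must start with one of %s" % (VALID_PREFIXES,))
    if "etag" not in policy:
        raise ValueError("refusing to write a policy without the etag from getIamPolicy")
    if any("condition" in b for b in policy.get("bindings", [])):
        # Version 3 policies may list the same role several times with
        # different conditions; merging by role alone would be wrong there.
        raise ValueError("policy has conditional bindings; merge by role and condition")
    new = copy.deepcopy(policy)
    new.setdefault("bindings", [])
    for binding in new["bindings"]:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            break
    else:
        new["bindings"].append({"role": role, "members": [member]})
    return new


def set_iam_policy_request(policy):
    """Wrap a policy in the request body shape projects.setIamPolicy expects."""
    return {"policy": policy}


if __name__ == "__main__":
    sa = "serviceAccount:123456789012@cloudservices.gserviceaccount.com"
    updated = add_binding(CURRENT_POLICY, "roles/owner", sa)
    print(json.dumps(set_iam_policy_request(updated), indent=2))
```

Send the printed body to the setIamPolicy URL above; if the project's policy changed after your getIamPolicy call, the stale etag causes the request to be rejected and you repeat the get, merge, set cycle.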
    

Setting an IAM policy in your configuration

Next, in your configuration or template, you can set an IAM policy by following these instructions:

  1. Add an accessControl section to each resource to which you want to apply an access control policy. The section is a top-level field of the resource, a sibling of name, type, and properties, not a field inside properties.

  2. Specify the desired gcpIamPolicy for the resource. Each IAM policy contains a list of bindings, and each binding binds a list of members to one role.

    If you're using accessControl to manage service accounts, learn more about managing service accounts.

For example, the following accessControl section adds bindings that grant these roles to users:

User                                         Role
alice@example.com                            roles/pubsub.editor
my-other-app@appspot.gserviceaccount.com     roles/pubsub.publisher
jane@example.com                             roles/pubsub.publisher

resources:
- name: a-new-pubsub-topic
  type: pubsub.v1.topic
  properties:
    ...

  accessControl:
    gcpIamPolicy:
      bindings:
      - role: roles/pubsub.editor
        members:
        - "user:alice@example.com"
      - role: roles/pubsub.publisher
        members:
        - "user:jane@example.com"
        - "serviceAccount:my-other-app@appspot.gserviceaccount.com"
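
The same accessControl block generated from a Deployment Manager Python template, as an added example rather than code from the page or from Deployment Manager itself. GenerateConfig(context), context.properties and context.env["name"] are the real template interface; the property names bindings and allow_public, the rule that only roles/pubsub.* roles may be set on a topic, and the FakeContext class that lets the file run outside Deployment Manager are this example's own assumptions. The validation rejects members without a principal prefix and refuses allUsers or allAuthenticatedUsers unless the caller explicitly opts in, so a typo in the template cannot quietly make a topic public.

```python
"""Deployment Manager Python template emitting a Pub/Sub topic with a
validated accessControl section.

Added example, not part of the Deployment Manager documentation. The
property names and the roles/pubsub.* restriction are this template's
convention; FakeContext exists only so the file runs stand-alone.
"""
import json

MEMBER_PREFIXES = ("user:", "serviceAccount:", "group:", "domain:")
PUBLIC_MEMBERS = ("allUsers", "allAuthenticatedUsers")


def validate_binding(binding, allow_public=False):
    """Raise ValueError for a binding this template will not put on a topic."""
    role = binding.get("role", "")
    if not role.startswith("roles/pubsub."):
        raise ValueError("only roles/pubsub.* roles are allowed on a topic, got %r" % role)
    members = binding.get("members") or []
    if not members:
        raise ValueError("binding for %s has no members" % role)
    for member in members:
        if member in PUBLIC_MEMBERS:
            if not allow_public:
                raise ValueError("%s would make the topic public; set allow_public: true" % member)
        elif not member.startswith(MEMBER_PREFIXES):
            raise ValueError("member %r lacks a principal prefix such as user:" % member)
    return binding


def GenerateConfig(context):
    """Entry point Deployment Manager calls for a Python template."""
    props = context.properties
    name = context.env["name"]
    allow_public = bool(props.get("allow_public", False))
    bindings = [validate_binding(b, allow_public) for b in props.get("bindings", [])]

    topic = {
        "name": name,
        "type": "pubsub.v1.topic",
        "properties": {"topic": name},
    }
    if bindings:
        # accessControl sits beside properties, not inside it. Deployment
        # Manager applies it by calling the topic's setIamPolicy method.
        topic["accessControl"] = {"gcpIamPolicy": {"bindings": bindings}}
    return {"resources": [topic]}


class FakeContext(object):
    """Constructed stand-in for the context object Deployment Manager passes."""

    def __init__(self, name, properties):
        self.env = {"name": name}
        self.properties = properties


if __name__ == "__main__":
    # Constructed input matching the table above.
    ctx = FakeContext("a-new-pubsub-topic", {
        "bindings": [
            {"role": "roles/pubsub.editor",
             "members": ["user:alice@example.com"]},
            {"role": "roles/pubsub.publisher",
             "members": ["user:jane@example.com",
                         "serviceAccount:my-other-app@appspot.gserviceaccount.com"]},
        ],
    })
    print(json.dumps(GenerateConfig(ctx), indent=2))
```

Deployment Manager does not validate member syntax before calling the IAM API, so doing it in the template turns a mistyped principal into a template error at preview time rather than a failed or, worse, overly broad deployment.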

For more information on IAM policies, read the IAM documentation.