Grant access to project resources

An Application Operator can add other Application Operators to the project through the GDC console and access to project resources.

Before you begin

Permissions are required to set up or remove role bindings. Ask your Project IAM Admin or Organization IAM Admin to grant you the Project IAM Admin role.

Set up role bindings

Work through the following steps to set up role bindings:

Console

  1. Sign in to the GDC console. For example, the following image signs in to the GDC console for an organization named org-1:
  2. Click Select project in the menu bar. Select one of the existing projects you want to set up the role binding in, then click Open. The selected project displays after your org name in the menu bar. The following example shows the selected iam-test project:
  3. In the navigation menu, click Identity & Access and Access.
  4. Click Add member.
  5. In the Identity provider dropdown menu, select an identity provider.
  6. After Member type, choose whether you want to add individual users with User, or groups with Group. The following example shows User selected:
  7. In the Username or group alias field, enter the username, email address, or alias.
  8. In the Roles drop-down list, select the role that you want to assign to the user or group, such as Project Viewer. You can bind the selected user or group with multiple roles at a time by clicking Add Another Role.
  9. Click Add.

CLI

  1. Export the user credential that you use:

    export YOUR_IAM_ADMIN_KUBECONFIG=YOUR_IAM_ADMIN_KUBECONFIG
    
  2. Export the email account of the user that you want to assign the role, such as idpprefix-paul@example.com:

    export USER_EMAIL=USER_EMAIL
    
  3. Export the name of the role the user needs, such as project-creator. Refer to Role descriptions to find the appropriate role.

    export ROLE_NAME=ROLE_NAME
    
  4. Export the name of your project namespace:

    export PROJECT_NAMESPACE=PROJECT_NAMESPACE
    
  5. Create a ProjectRoleBinding custom resource definition (CRD), and apply the following contents:

    kubectl --kubeconfig ${YOUR_IAM_ADMIN_KUBECONFIG} apply -f - <<EOF
    apiVersion: resourcemanager.gdc.goog/v1alpha1
    kind: ProjectRoleBinding
    metadata:
    name: ${USER_EMAIL}-${ROLE_NAME}-binding
    namespace: ${PROJECT_NAMESPACE}
    spec:
    roleRef:
        apiGroup: resourcemanager.gdc.goog
        kind: ProjectRole
        name: ${ROLE_NAME}
    subjects:
    - apiGroup: rbac.authorization.k8s.io
        kind: User
        name: ${USER_EMAIL}
    EOF
    

    For cases when ProjectRoles require a RoleBinding instead of a ProjectRoleBinding, refer to the Role descriptions to determine which binding type the role needs. Create a RoleBinding in your project namespace:

    kubectl create --kubeconfig ${YOUR_IAM_ADMIN_KUBECONFIG} \
    rolebinding ${USER_EMAIL}-${ROLE_NAME}-binding \
    --role=${ROLE_NAME} --user=${USER_EMAIL} --namespace=${PROJECT_NAMESPACE}
    

Remove role bindings

When access is no longer required, remove a member and their associated roles, permissions, and access.

To remove members, work through the following steps:

Console

  1. Sign in to the GDC console.
  2. Click Select project in the menu bar. Select one of the existing projects you want to set up the role binding in, then click Open. The selected project displays after your org name in the menu bar.
  3. In the navigation menu, click Identity & Access and Access.
  4. In the authorized members list, select a member. You can remove multiple members at a time by selecting multiple members in the list.
  5. Click Remove All Access to remove all the role bindings associated with a member from your current project.
  6. When prompted, click Remove Member to confirm.

CLI

Delete the project role bindings to revoke the permission granted to the test AO account:

kubectl --kubeconfig ${AO_USER_CLUSTER_KUBECONFIG} delete projectrolebinding \
${AO_EMAIL%@*}-namespace-admin -n iam-test