An Application Operator can add other Application Operators to the project through the GDC console and access to project resources.
Before you begin
Permissions are required to set up or remove role bindings. Ask your Project
IAM Admin or Organization IAM Admin to grant you the Project IAM Admin
role.
Set up role bindings
Work through the following steps to set up role bindings:
Console
- Sign in to the GDC console.
For example, the following image signs in to the GDC console for
an organization named
org-1
: - Click Select project in the menu bar. Select one of the existing
projects you want to set up the role binding in, then click Open. The
selected project displays after your org name in the menu bar. The
following example shows the selected
iam-test
project: - In the navigation menu, click Identity & Access and Access.
- Click Add member.
- In the Identity provider dropdown menu, select an identity provider.
- After Member type, choose whether you want to add individual users with User, or groups with Group. The following example shows User selected:
- In the Username or group alias field, enter the username, email address, or alias.
- In the Roles drop-down list, select the role that you want to assign to the user or group, such as Project Viewer. You can bind the selected user or group with multiple roles at a time by clicking Add Another Role.
- Click Add.
CLI
Export the user credential that you use:
export YOUR_IAM_ADMIN_KUBECONFIG=YOUR_IAM_ADMIN_KUBECONFIG
Export the email account of the user that you want to assign the role, such as
idpprefix-paul@example.com
:export USER_EMAIL=USER_EMAIL
Export the name of the role the user needs, such as
project-creator
. Refer to Role descriptions to find the appropriate role.export ROLE_NAME=ROLE_NAME
Export the name of your project namespace:
export PROJECT_NAMESPACE=PROJECT_NAMESPACE
Create a
ProjectRoleBinding
custom resource definition (CRD), and apply the following contents:kubectl --kubeconfig ${YOUR_IAM_ADMIN_KUBECONFIG} apply -f - <<EOF apiVersion: resourcemanager.gdc.goog/v1alpha1 kind: ProjectRoleBinding metadata: name: ${USER_EMAIL}-${ROLE_NAME}-binding namespace: ${PROJECT_NAMESPACE} spec: roleRef: apiGroup: resourcemanager.gdc.goog kind: ProjectRole name: ${ROLE_NAME} subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: ${USER_EMAIL} EOF
For cases when
ProjectRoles
require aRoleBinding
instead of aProjectRoleBinding
, refer to the Role descriptions to determine which binding type the role needs. Create aRoleBinding
in your project namespace:kubectl create --kubeconfig ${YOUR_IAM_ADMIN_KUBECONFIG} \ rolebinding ${USER_EMAIL}-${ROLE_NAME}-binding \ --role=${ROLE_NAME} --user=${USER_EMAIL} --namespace=${PROJECT_NAMESPACE}
Remove role bindings
When access is no longer required, remove a member and their associated roles, permissions, and access.
To remove members, work through the following steps:
Console
- Sign in to the GDC console.
- Click Select project in the menu bar. Select one of the existing projects you want to set up the role binding in, then click Open. The selected project displays after your org name in the menu bar.
- In the navigation menu, click Identity & Access and Access.
- In the authorized members list, select a member. You can remove multiple members at a time by selecting multiple members in the list.
- Click Remove All Access to remove all the role bindings associated with a member from your current project.
- When prompted, click Remove Member to confirm.
CLI
Delete the project role bindings to revoke the permission granted to the test AO account:
kubectl --kubeconfig ${AO_USER_CLUSTER_KUBECONFIG} delete projectrolebinding \
${AO_EMAIL%@*}-namespace-admin -n iam-test