Manager在项目中分配IAM策略

Manager在项目中分配IAM策略

本文介绍了Google Deployment Manager在项目中分配IAM策略的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在使用IAM策略更新项目.在GCP Deployment Manager的模板中,它们使用的是python Jinja文件,但是我想添加IAM策略(为用户/服务帐户分配一些角色).有人可以修改Jinja/配置文件并指出如何修改吗?

I am using to update a project with IAM policies. in GCP deployment manager's templates, they are using python Jinja file, but I would like to add IAM policy (assign a user/service account some role). Can someone modify the Jinja/ config file and pinpoint how I can modify?

https://github.com/GoogleCloudPlatform/deploymentmanager-samples/blob/master/examples/v2/project_creation/config.yaml

https://github.com/GoogleCloudPlatform/deploymentmanager-samples/blob/master/examples/v2/project_creation/project.py

推荐答案

这是一个jinja片段,它创建一个新的服务帐户并将其作为所有者添加到现有项目中.这要求分配部署管理器正确的访问权限管理该项目的IAM.

Here's a jinja snippet that creates a new service account and adds it as an owner to an existing project. This requires assigning deployment manager the proper access to manage IAM for the project.

{% set deployment = env['deployment'] %}
{% set project = env['project'] %}

resources:
- name: {{ deployment }}-svc-account
  type: iam.v1.serviceAccount
  properties:
    accountId: {{ deployment }}-svc-account
    displayName: {{ deployment }}-svc-account

- name: get-iam-policy
  action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.getIamPolicy
  properties:
    resource: {{ project }}
  metadata:
    runtimePolicy:
    - 'UPDATE_ALWAYS'

- name: patch-iam-policy
  action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy
  properties:
    resource: {{ project }}
    policy: $(ref.get-iam-policy)
    gcpIamPolicyPatch:
      add:
      - role: roles/owner
        members:
        - serviceAccount:$(ref.{{ deployment }}-svc-account.email)

这篇关于Google Deployment Manager在项目中分配IAM策略的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

09-02 19:48