本文介绍了Google Deployment Manager在项目中分配IAM策略的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我正在使用IAM策略更新项目.在GCP Deployment Manager的模板中,它们使用的是python Jinja文件,但是我想添加IAM策略(为用户/服务帐户分配一些角色).有人可以修改Jinja/配置文件并指出如何修改吗?
I am using to update a project with IAM policies. in GCP deployment manager's templates, they are using python Jinja file, but I would like to add IAM policy (assign a user/service account some role). Can someone modify the Jinja/ config file and pinpoint how I can modify?
推荐答案
这是一个jinja片段,它创建一个新的服务帐户并将其作为所有者添加到现有项目中.这要求分配部署管理器正确的访问权限管理该项目的IAM.
Here's a jinja snippet that creates a new service account and adds it as an owner to an existing project. This requires assigning deployment manager the proper access to manage IAM for the project.
{% set deployment = env['deployment'] %}
{% set project = env['project'] %}
resources:
- name: {{ deployment }}-svc-account
type: iam.v1.serviceAccount
properties:
accountId: {{ deployment }}-svc-account
displayName: {{ deployment }}-svc-account
- name: get-iam-policy
action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.getIamPolicy
properties:
resource: {{ project }}
metadata:
runtimePolicy:
- 'UPDATE_ALWAYS'
- name: patch-iam-policy
action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy
properties:
resource: {{ project }}
policy: $(ref.get-iam-policy)
gcpIamPolicyPatch:
add:
- role: roles/owner
members:
- serviceAccount:$(ref.{{ deployment }}-svc-account.email)
这篇关于Google Deployment Manager在项目中分配IAM策略的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!