
I have created a bucket with Google Cloud Deployment Manager (see below), but the permissions part is ignored, and I could not find any example of setting IAM while using Google Cloud Deployment Manager. Can you help?

    resources:
    - name: {{ env["name"] }}
      type: storage.v1.bucket
      properties:
        kind: storage#bucket
        location: eu
        storageClass: MULTI_REGIONAL
        iam-policy:
          bindings:
          - role: roles/storage.objectViewer
            members:
            - allUsers

2 Answers


You can now decorate deployment manager objects with IAM bindings. Something like this should work:

- name: <BUCKETNAME>
  type: storage.v1.bucket
  properties:
    storageClass: REGIONAL
    location: us-west1
  accessControl:
    gcpIamPolicy:
      bindings:
      - role: roles/storage.objectViewer
        members:
        - "serviceAccount:<YOURSERVICEACCOUNT>"
      - role: roles/storage.legacyBucketOwner
        members:
        - "projectEditor:<YOURPROJECT>"
        - "projectOwner:<YOURPROJECT>"
      - role: roles/storage.legacyBucketReader
        members:
        - "projectViewer:<YOURPROJECT>"

See https://cloud.google.com/deployment-manager/docs/configuration/set-access-control-resources for more information. Please note that IAM bindings are related but different from a bucket ACL and/or object ACLs. See https://cloud.google.com/storage/docs/access-control/ for more information on access control for GCS.

Also note that you will want to include the FULL set of IAM bindings in the aforementioned example.

  • This is great! `projectOwner` and `projectEditor` are documented in https://cloud.google.com/storage/docs/access-control/iam#identities, but it is not clear from the docs that they should be explicitly set in `gcpIamPolicy`. Btw we can use `projectOwner:{{ env['project'] }}` to parameterize them. – dan Jun 15 '18 at 02:28

There are 2 levels of access you can set - bucket level & object level. Try something like this:

    resources:
    - name: {{ env["name"] }}
      type: storage.v1.bucket
      properties:
        kind: storage#bucket
        location: eu
        storageClass: MULTI_REGIONAL
        acl:
        - role: READER
          entity: allUsers  # maybe allAuthenticatedUsers?
        defaultObjectAcl:
        - entity: allUsers  # maybe allAuthenticatedUsers?
          role: READER
drbayer
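The three snippets on this page show the two places access control can live in a Deployment Manager bucket resource (IAM bindings under `accessControl.gcpIamPolicy` in the first answer, legacy bucket and default object ACLs under `properties` in the second) and the mistake in the question (an IAM policy under `properties`, which Deployment Manager ignores). The following is an added example, not code from the question or either answer: a small lint over a config that has already been loaded into Python dicts (for instance with PyYAML's `yaml.safe_load`, which is not imported here so the block runs on the standard library alone). It flags the ignored key, any grant to `allUsers` or `allAuthenticatedUsers` in either an IAM binding or an ACL, and a `gcpIamPolicy` that omits the project-level legacy bindings the first answer says to include as part of the full set. The bucket name, service account and project id in the sample configs are constructed placeholders.

```python
"""Lint Deployment Manager configs for GCS bucket access-control mistakes.

Added example, not code from the question or either answer. It works on a
config already loaded into Python dicts (e.g. with PyYAML's yaml.safe_load,
not imported here). Names and the project id below are constructed.
"""
from typing import Any, Dict, List, Optional, Set

# Special identities that make a grant public (or open to any Google account).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Project-level bindings the first answer says a gcpIamPolicy should carry so
# the project's owners/editors/viewers keep their default bucket access.
LEGACY_BINDINGS: Dict[str, Set[str]] = {
    "roles/storage.legacyBucketOwner": {"projectEditor", "projectOwner"},
    "roles/storage.legacyBucketReader": {"projectViewer"},
}


def _member_type(member: str) -> str:
    """IAM members are 'type:id' (serviceAccount:..., projectOwner:proj);
    allUsers / allAuthenticatedUsers have no colon and come back whole."""
    return member.split(":", 1)[0]


def lint_bucket(resource: Dict[str, Any]) -> List[str]:
    """Return findings for one storage.v1.bucket resource; [] means clean."""
    findings: List[str] = []
    name = resource.get("name", "<unnamed>")
    props = resource.get("properties") or {}

    # 1. IAM placed under properties (the question's iam-policy key) is not a
    #    bucket property and is ignored; only accessControl.gcpIamPolicy applies.
    for key in props:
        if "iam" in key.lower():
            findings.append(f"{name}: properties.{key} is not a bucket property "
                            "and is ignored; use accessControl.gcpIamPolicy")

    # 2. Legacy ACLs (second answer): bucket ACL and default object ACL.
    for acl_key in ("acl", "defaultObjectAcl"):
        for entry in props.get(acl_key) or []:
            if entry.get("entity") in PUBLIC_PRINCIPALS:
                findings.append(f"{name}: properties.{acl_key} grants "
                                f"{entry.get('role')} to {entry['entity']} (public)")

    # 3. IAM policy (first answer): public members and missing legacy bindings.
    policy = (resource.get("accessControl") or {}).get("gcpIamPolicy")
    if policy is not None:
        seen: Dict[str, Set[str]] = {}  # role -> member types granted
        for binding in policy.get("bindings") or []:
            role = binding.get("role", "<no role>")
            for member in binding.get("members") or []:
                if member in PUBLIC_PRINCIPALS:
                    findings.append(f"{name}: gcpIamPolicy grants {role} to {member} (public)")
                seen.setdefault(role, set()).add(_member_type(member))
        for role, required in LEGACY_BINDINGS.items():
            missing = required - seen.get(role, set())
            if missing:
                findings.append(f"{name}: gcpIamPolicy lacks {role} for "
                                f"{', '.join(sorted(missing))}; include the full set of bindings")
    return findings


def lint_config(config: Dict[str, Any]) -> List[str]:
    """Lint every storage.v1.bucket resource in a parsed Deployment Manager config."""
    findings: List[str] = []
    for res in config.get("resources") or []:
        if res.get("type") == "storage.v1.bucket":
            findings.extend(lint_bucket(res))
    return findings


def _bucket(properties: Dict[str, Any],
            access_control: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Build a one-resource config (dict form of the YAML on the page)."""
    res: Dict[str, Any] = {"name": "my-bucket", "type": "storage.v1.bucket",
                           "properties": properties}
    if access_control:
        res["accessControl"] = access_control
    return {"resources": [res]}


# Constructed dict equivalents of the page's YAML, plus one public IAM case.
QUESTION_CONFIG = _bucket({
    "kind": "storage#bucket", "location": "eu", "storageClass": "MULTI_REGIONAL",
    "iam-policy": {"bindings": [{"role": "roles/storage.objectViewer",
                                 "members": ["allUsers"]}]}})
ANSWER1_CONFIG = _bucket(
    {"storageClass": "REGIONAL", "location": "us-west1"},
    {"gcpIamPolicy": {"bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:deployer@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectEditor:my-project", "projectOwner:my-project"]},
        {"role": "roles/storage.legacyBucketReader",
         "members": ["projectViewer:my-project"]}]}})
ANSWER2_CONFIG = _bucket({
    "kind": "storage#bucket", "location": "eu", "storageClass": "MULTI_REGIONAL",
    "acl": [{"role": "READER", "entity": "allUsers"}],
    "defaultObjectAcl": [{"entity": "allUsers", "role": "READER"}]})
PUBLIC_IAM_CONFIG = _bucket(
    {"storageClass": "REGIONAL", "location": "us-west1"},
    {"gcpIamPolicy": {"bindings": [{"role": "roles/storage.objectViewer",
                                    "members": ["allUsers"]}]}})

if __name__ == "__main__":
    for label, cfg in [("question", QUESTION_CONFIG), ("answer 1", ANSWER1_CONFIG),
                       ("answer 2", ANSWER2_CONFIG), ("public IAM", PUBLIC_IAM_CONFIG)]:
        print(label, lint_config(cfg) or ["clean"])
```

Run against the question's config it reports only the ignored `iam-policy` key; the first answer's config comes back clean; the second answer's config produces one public finding for each ACL; and the constructed `PUBLIC_IAM_CONFIG`, a `gcpIamPolicy` that grants `roles/storage.objectViewer` to `allUsers` and nothing else, produces a public finding plus one missing-legacy-binding finding per role.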