2

I am using to update a project with IAM policies. in GCP deployment manager's templates, they are using python Jinja file, but I would like to add IAM policy (assign a user/service account some role). Can someone modify the Jinja/ config file and pinpoint how I can modify?

https://github.com/GoogleCloudPlatform/deploymentmanager-samples/blob/master/examples/v2/project_creation/config.yaml

https://github.com/GoogleCloudPlatform/deploymentmanager-samples/blob/master/examples/v2/project_creation/project.py

zero323
  • 322,348
  • 103
  • 959
  • 935
Sanmay Mishra
  • 25
  • 1
  • 2

6 Answers6

10

Please follow Adam Ocsvari's example to assign IAM policy. The old method was to get all the IAM binding policies, add a few role -> members bindings, then set all the bindings. He's providing a new method using 'type': 'gcp-types/cloudresourcemanager-v1:virtual.projects.iamMemberBinding'. I used one of the links he provided to find the python template that assigned IAM policy bindings. The code there has a nested loop. I only needed to create a single service account and assign 1 binding:

service-accounts.py

def GenerateConfig(context):
    project_id = context.env['project']
    service_account = context.properties['service-account']

    resources = [
        {
            'name': service_account,
            'type': 'iam.v1.serviceAccount',
            'properties': {
                'accountId': service_account,
                'displayName': service_account,
                'projectId': project_id
            }
        },
        {
            'name': 'bind-iam-policy',
            'type': 'gcp-types/cloudresourcemanager-v1:virtual.projects.iamMemberBinding',
            'properties': {
                'resource': project_id,
                'role': 'roles/dataflow.admin',
                'member': 'serviceAccount:$(ref.' + service_account + '.email)'
            },
            'metadata': {
                'dependsOn': [service_account]
            }
        }
    ]

    return {'resources': resources}

service-accounts.yaml

imports:
  - path: service-accounts.py

resources:
  - name: service-accounts
    type: service-accounts.py
    properties:
      project: [*YOUR_PROJECT_ID*]
      service-account: k8s-service-account

this example creates a k8s-service-account and assigns Dataflow admin role to it. Make sure you Grant Deployment Manager permission to set IAM policies before you start.

Hil Liao
  • 101
  • 1
  • 3
  • Tried this and it works out but I would like to add a condition to the role binding. How can I go about doing it? Adding afield like "condition" under properties isn't a valid syntax. Any idea? – Sandeep Hari Hara Bhat May 06 '22 at 11:10
9

Here's a jinja snippet that creates a new service account and adds it as an owner to an existing project. This requires assigning deployment manager the proper access to manage IAM for the project.

{% set deployment = env['deployment'] %}
{% set project = env['project'] %}

resources:
- name: {{ deployment }}-svc-account
  type: iam.v1.serviceAccount
  properties:
    accountId: {{ deployment }}-svc-account
    displayName: {{ deployment }}-svc-account

- name: get-iam-policy
  action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.getIamPolicy
  properties:
    resource: {{ project }}
  metadata:
    runtimePolicy:
    - 'UPDATE_ALWAYS'

- name: patch-iam-policy
  action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy
  properties:
    resource: {{ project }}
    policy: $(ref.get-iam-policy)
    gcpIamPolicyPatch:
      add:
      - role: roles/owner
        members:
        - serviceAccount:$(ref.{{ deployment }}-svc-account.email)
Jeff Johnson
  • 116
  • 6
  • This is great and works, but where did `action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy` come from? It's not mentioned explicitly [here](https://cloud.google.com/deployment-manager/docs/configuration/set-access-control-resources), other than the API call's URL ending in `setIamPolicy`. – davetapley Apr 02 '19 at 21:50
  • i have the same question. Where did 'action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy" come from ? – Gabriel Wu Apr 09 '19 at 00:53
  • 1
    There's something missed here. According to https://cloud.google.com/deployment-manager/docs/access-control DM uses [PROJECT_NUMBER]@cloudservices.gserviceaccount.com and quote "Note: If you are using Deployment Manager to manage critical resources, such as projects or custom IAM roles, you must assign additional IAM roles to the default Google APIs service account. " so Resource Manager -> Project IAM admin needs to be assigned to it so that above configuration can work – Gabriel Wu Apr 09 '19 at 07:30
3

Please avoid using these solutions:

gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.getIamPolicy
gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy

It can cause concurrent IAM policy update errors. The Deployment Manager team is providing a new type binding this 2 actions together:

  'type': 'gcp-types/cloudresourcemanager-v1:virtual.projects.iamMemberBinding',

Check out the following implementations as part of the Cloud Foundation Toolkit provided by Google Cloud:

Cloud Foundation Toolkit NEW repo - IAM binding

Cloud Foundation Toolkit OLD repo - IAM binding

Cloud Foundation Toolkit NEW repo - Project Creation Factory

Adam Ocsvari
  • 8,056
  • 2
  • 17
  • 30
1

You need to make changes to the below part of the config.yaml file and add the users or service accounts according to your need under the members line. 

 iam-policy:
      bindings:
      - role: roles/owner
        members:
        - serviceAccount:98765432111@cloudservices.gserviceaccount.com
        - serviceAccount:98765432100@cloudservices.gserviceaccount.com
      - role: roles/viewer
        members:
        - user:iamtester@deployment-manager.net

For example: You can add -user:foo@bar.com under members tab in proper section to make it owner or viewer of the project.

Taher
  • 572
  • 2
  • 11
  • Does "iam-policy" need to be in jinja template? I am clear about what needs to be in config.. but what does my jinja template need to look like? in the example, they have cloudresourcemanager.projects.setIamPolicy in project.py.. how would my jinja template need to look? – Sanmay Mishra Feb 10 '18 at 05:04
  • Hi @SanmayMishra, yes it is required as the `iam-policy` in jinja template is setting [IAM access control policy for the project](https://cloud.google.com/resource-manager/reference/rest/#rest-resource-v1beta1projects). Your template should be according to your custom requirement. – Taher Feb 13 '18 at 20:18
0

My code to add permissions to a service account.

{% set deployment = env['deployment'] %}
{% set project = env['project'] %}

resources:
- name: get-iam-policy
  action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.getIamPolicy
  properties:
    resource: {{ project }}
  metadata:
    runtimePolicy:
    - 'UPDATE_ALWAYS'
- name: patch-iam-policy
  action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy
  properties:
    resource: {{ project }}
    policy: $(ref.get-iam-policy)
    gcpIamPolicyPatch:
      add:
      - role: roles/bigquery.dataEditor
        members:
        - serviceAccount: <service account>
Gabriel Wu
  • 1,938
  • 18
  • 30
0

According to Google, the preferred way is to NOT use actions. Instead use type providers that introduce state within deployment manager. For a full list of available types, use the following command:

gcloud beta deployment-manager types list --project gcp-types

The example that Hil Liao uses is the correct one for setting the bindings.

Cloudkollektiv
  • 11,852
  • 3
  • 44
  • 71