
Below I am creating a service account and binding 1 role to it. Does anyone know how I bind more than 1 role at a time?

def GenerateConfig(context):
    project_id = context.env['project']
    service_account = context.properties['service-account']

    resources = [
        {
            'name': service_account,
            'type': 'iam.v1.serviceAccount',
            'properties': {
                'accountId': service_account,
                'displayName': service_account,
                'projectId': project_id
            }
        },
        {
            # Binds a single role to the new account; the member is resolved
            # from the service account's email once it has been created.
            'name': 'bind-iam-policy',
            'type': 'gcp-types/cloudresourcemanager-v1:virtual.projects.iamMemberBinding',
            'properties': {
                'resource': project_id,
                'role': 'roles/bigquery.admin',
                'member': 'serviceAccount:$(ref.' + service_account + '.email)'
            },
            'metadata': {
                # Make sure the account exists before the binding is applied.
                'dependsOn': [service_account]
            }
        }
    ]

    return {'resources': resources}
Jorden
  • Have you checked [this document](https://cloud.google.com/iam/docs/granting-roles-to-service-accounts) where it's shown how to structure the request with the 'projects.setIamPolicy()'? This may be useful for you. – rsalinas Mar 19 '20 at 11:32
  • Hey @rsalinas thanks for your reply. Yes I have seen this documentation and this was a last resort as I am looking to automate this process of creating the service account and assigning multiple roles. With the link you sent I can add additional roles once the service account is created but that means running 1 command to create the service account then another to assign the roles. Ideally I'd like to just run 1 command to create the service account + whatever roles I need (looking to assign 7 at once) – Jorden Mar 19 '20 at 11:43
  • There is no method or anything to create the account and assign the roles in the same sentence. I think you are better off creating the account and then assigning the roles with the `projects.setIamPolicy()` as this would be only 2 calls and would be easier to program – rsalinas Mar 19 '20 at 12:49

1 Answer

You will need to use setIAMPolicy. Below is an example, although it is created via Jinja templates. The example below does not only create service accounts and assign the policy, but it also generates service account keys.

templates-bundle.yaml

imports:
- path: serviceaccounts-template.jinja

resources:
- name: serviceaccounts
  type: serviceaccounts-template.jinja
  properties:
    getIAMPolicy: get-iam-policy
    setIAMPolicy: set-iam-policy
    projectName: lottery-conference-staging
    serviceAccountKeys:  # Service Accounts where keys will be downloaded for access purposes
      - name: storage-buckets-backend-sa
      - name: cloud-build-deploy-sa
    iamMethod: add # replace with "remove" if you want to delete the added members using this deployment manager template
    identities: # Check roles at https://cloud.google.com/iam/docs/understanding-roles
      - role: roles/viewer
        member_type: group  # can be "user" or "serviceAccount"
        members: [abc@example.com]
      - role: roles/storage.admin
        member_type: serviceAccount
        members: [$(ref.storage-buckets-backend-sa.email), $(ref.cloud-build-deploy-sa.email)]
      - role: roles/storage.objectAdmin
        member_type: serviceAccount
        members: [$(ref.storage-buckets-backend-sa.email), $(ref.cloud-build-deploy-sa.email)]

serviceaccounts-template.jinja

{# Do not forget to add the "Project IAM Admin" role on *@cloudservices.gserviceaccount.com if experienced 403 #}
{% set project = properties["projectName"] %}

resources:
{% for serviceAccount in properties["serviceAccountKeys"] %}
  {% set name = serviceAccount["name"] %}
  - name: {{ name }}
    type: iam.v1.serviceAccount
    properties:
      displayName: {{ name }}
      projectId: {{ project }}
      accountId: {{ name }}
  - name: {{ name }}-keys
    type: iam.v1.serviceAccounts.key
    properties:
      parent: projects/{{ project }}/serviceAccounts/$(ref.{{ name }}.email)
      name: projects/{{ project }}/serviceAccounts/{{ name }}/keys/json
      privateKeyType: TYPE_GOOGLE_CREDENTIALS_FILE
      keyAlgorithm: KEY_ALG_RSA_2048
{% endfor %}
  - name: {{ properties["getIAMPolicy"] }}
    action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.getIamPolicy
    properties:
      resource: {{ project }}
  - name: {{ properties["setIAMPolicy"] }}
    action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy
    properties:
      resource: {{ project }}
      policy: $(ref.get-iam-policy)
      gcpIamPolicyPatch:
        {{ properties["iamMethod"] }}:
        {% for identity in properties["identities"] %}
        - role: {{ identity["role"] }}
          members:
          {% for member in identity["members"]  %}
          - {{ identity["member_type"] }}:{{ member }}
          {% endfor %}
        {% endfor %}
Dean Christian Armada
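As an added example (not the question's or the answer's own code), the same getIamPolicy/setIamPolicy pattern written as a Python template in the style of the question, so that one deployment binds a whole list of roles to the new service account. The `roles` property, `FakeContext`, and the sample role names are assumptions for illustration.

```python
def GenerateConfig(context):
    project_id = context.env['project']
    service_account = context.properties['service-account']
    # One entry per role; keep the list to what the workload actually needs.
    roles = context.properties['roles']
    member = 'serviceAccount:$(ref.' + service_account + '.email)'
    resources = [
        {
            'name': service_account,
            'type': 'iam.v1.serviceAccount',
            'properties': {
                'accountId': service_account,
                'displayName': service_account,
                'projectId': project_id,
            },
        },
        {
            # Fetch the current policy so the patch adds to it instead of replacing it.
            'name': 'get-iam-policy',
            'action': 'gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.getIamPolicy',
            'properties': {'resource': project_id},
        },
        {
            'name': 'set-iam-policy',
            'action': 'gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy',
            'properties': {
                'resource': project_id,
                'policy': '$(ref.get-iam-policy)',
                # 'add' (or 'remove') holds every role binding for the same member.
                'gcpIamPolicyPatch': {
                    'add': [{'role': role, 'members': [member]} for role in roles],
                },
            },
            'metadata': {'dependsOn': [service_account, 'get-iam-policy']},
        },
    ]
    return {'resources': resources}


class FakeContext:
    """Constructed stand-in for the Deployment Manager context (local testing only)."""
    def __init__(self, project, properties):
        self.env = {'project': project}
        self.properties = properties


def bound_roles(config):
    """Roles granted by the set-iam-policy action in a generated config."""
    patch = config['resources'][2]['properties']['gcpIamPolicyPatch']
    return [binding['role'] for binding in patch['add']]
```

Running the template through `FakeContext` locally lets you check the generated patch before deploying it.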