I want to set permission for service account sa-email.com on bucket bucket_A.

How can I configure as below with terraform?

  1. sa-email.com can create file in bucket_A
  2. sa-email.com can not delete file in bucket_A

UPDATE:
Now in my project, sa-email is Storage Object Admin.

resource "google_project_iam_member" "aaaa" {
    # IAM members need a type prefix; a service account is "serviceAccount:<email>"
    member  = "serviceAccount:sa-email.com"
    project = "pid"
    role    = "roles/storage.objectAdmin"
}

I have about 20 buckets in my project.
I only want to change the permission for one bucket.
Do I have to use google_storage_bucket_iam_member to set it for all 20 buckets?
Is there a way to do just a small update?

Update2:
My solution
google_project_iam_member with "condition"

resource "google_project_iam_member" "aaaa" {
    # IAM members need a type prefix; a service account is "serviceAccount:<email>"
    member  = "serviceAccount:sa-email.com"
    project = "pid"
    role    = "roles/storage.objectAdmin"
    condition {
        title      = "bucket can delete"
        # Grants objectAdmin on every resource except the protected bucket and its objects.
        # startsWith is a prefix match, so any bucket whose name begins with this string is excluded too.
        expression = "!resource.name.startsWith(\"projects/_/buckets/bucket_can_not_delete\")"
    }
}

resource "google_project_iam_member" "bbbb" {
    member  = "serviceAccount:sa-email.com"
    project = "pid"
    role    = "roles/storage.objectCreator"
    condition {
        title      = "bucket can not delete"
        # Grants only objectCreator on the protected bucket (same prefix match as above).
        expression = "resource.name.startsWith(\"projects/_/buckets/bucket_can_not_delete\")"
    }
}
ender1986
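
The following is an added example, not code from the question or the answer: a small offline simulation of how the two conditional project-level bindings in Update2 resolve for a handful of resource names. It uses the documented Cloud Storage resource-name formats for IAM conditions ("projects/_/buckets/<bucket>" for the bucket itself and "projects/_/buckets/<bucket>/objects/<object>" for an object) and only the subset of permissions in roles/storage.objectCreator and roles/storage.objectAdmin that matter here. The bucket and object names, and the tightened `is_protected_exact` expression, are my own constructions for illustration; the real decision is made by IAM, so treat this as a way to reason about the expressions, not as a substitute for testing against the project.

```python
# Added example (not from the original question or answer). Simulates the two
# conditional bindings from Update2 to show which permissions the service
# account ends up with on a given resource, and how the prefix match behaves
# for a sibling bucket whose name merely starts with the protected name.

PROTECTED = "projects/_/buckets/bucket_can_not_delete"

# Subset of the permissions in each role that is relevant to this question.
ROLE_PERMISSIONS = {
    "roles/storage.objectCreator": {"storage.objects.create"},
    "roles/storage.objectAdmin": {
        "storage.objects.create",
        "storage.objects.delete",
        "storage.objects.get",
        "storage.objects.list",
        "storage.objects.update",
    },
}


def is_protected_prefix(name: str) -> bool:
    """The condition as posted: resource.name.startsWith(PROTECTED).
    Also true for e.g. bucket_can_not_delete_archive, because it is a prefix match."""
    return name.startswith(PROTECTED)


def is_protected_exact(name: str) -> bool:
    """Assumed tightened condition (my construction, not from the page):
    the bucket itself, or an object inside it, and nothing else."""
    return name == PROTECTED or name.startswith(PROTECTED + "/objects/")


def bindings(protected):
    """The two conditional bindings from Update2 as (role, condition) pairs."""
    return [
        # objectAdmin everywhere except the protected bucket
        ("roles/storage.objectAdmin", lambda n: not protected(n)),
        # objectCreator only on the protected bucket
        ("roles/storage.objectCreator", protected),
    ]


def effective_permissions(resource_name: str, protected=is_protected_prefix) -> set:
    """Union of the permissions from every binding whose condition holds."""
    perms = set()
    for role, cond in bindings(protected):
        if cond(resource_name):
            perms |= ROLE_PERMISSIONS[role]
    return perms


def can_delete(resource_name: str, protected=is_protected_prefix) -> bool:
    return "storage.objects.delete" in effective_permissions(resource_name, protected)


if __name__ == "__main__":
    # Constructed sample resource names
    samples = [
        "projects/_/buckets/bucket_can_not_delete/objects/report.csv",
        "projects/_/buckets/bucket_A/objects/report.csv",
        "projects/_/buckets/bucket_can_not_delete_archive/objects/report.csv",
    ]
    for name in samples:
        print(name)
        print("  posted expression : delete =", can_delete(name))
        print("  exact expression  : delete =", can_delete(name, is_protected_exact))
```

With the posted expression the protected bucket gets only storage.objects.create and every other bucket keeps objectAdmin, which is what the question asked for; the one surprise is that a bucket such as bucket_can_not_delete_archive also loses delete, because startsWith matches the name prefix. Matching the exact bucket name or the "/objects/" path, as in `is_protected_exact`, keeps the restriction to the single bucket.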

1 Answer

You usually have to include an error if you need some help, rather than looking for an all-done solution.

You only need the storage.objects.create permission; you don't need to specify that it can't delete if it doesn't have that permission. This means the Storage Object Creator role suits your need here, as described in the Google documentation:

  Allows users to create objects. Does not give permission to view, delete, or replace objects.

You'll need to use the following resource:

resource "google_storage_bucket_iam_member" "bucket_A" {
  bucket = "bucket_A"
  role   = "roles/storage.objectCreator"
  # e.g. "serviceAccount:sa-email.com"; IAM members carry a type prefix
  member = var.service_account
  # assumes the bucket is managed in the same configuration as google_storage_bucket.bucket_A
  depends_on = [google_storage_bucket.bucket_A]
}

Here var.service_account is your sa-email.com, because it will probably be environment dependent; otherwise you can just add it as a string.

Alex