Does anyone know if there is an option to create an `IAMMemb Pulumi Community #google-cloud

Does anyone know if there is an option to create a...

bland-address-49163

10/15/2023, 9:40 AM

Does anyone know if there is an option to create an

IAMMember

for a cloud sql database instance (so, something like a

DatabaseIAMMember

, like there is for Buckets with

BucketIAMMember

) ? I'd like to grant

roles/cloudsql.instanceUser

and

roles/cloudsql.client

to a service account for a specific database instance.

dry-keyboard-94795

10/15/2023, 10:58 AM

You need to do this using Project IAM policies and conditions. There's a Terraform example in the docs: https://cloud.google.com/sql/docs/postgres/iam-conditions#terraform The example can be used as reference for how to use the pulumi IAMMember resource: https://www.pulumi.com/registry/packages/gcp/api-docs/projects/iammember/

bland-address-49163

10/15/2023, 4:05 PM

Ah thank you!

glamorous-jelly-86558

10/15/2023, 4:11 PM

If you do end up creating a Pulumi sample for this, could you post it here? My team might be interested in it in a couple of weeks.

bland-address-49163

10/16/2023, 5:18 PM

I haven't tested it yet, but it should look roughly like this:

Copy code

new gcp.projects.IAMBinding("...", {
    members: [...],
    role: "roles/cloudsql.client",
    condition: {
        expression: pulumi.interpolate`resource.name == 'projects/${gcp.config.project}/instances/${instance.name}' && resource.type == 'sqladmin.googleapis.com/Instance'`,
        title: "...",
        description: "...",
    }
});

31 Views

Open in Slack

Previous Next