# google-cloud

bland-address-49163

10/15/2023, 9:40 AM
Does anyone know if there is an option to create an `IAMMember` for a Cloud SQL database instance (so, something like a `DatabaseIAMMember`, like there is for buckets with `BucketIAMMember`)? I'd like to grant `roles/cloudsql.instanceUser` and `roles/cloudsql.client` to a service account for a specific database instance.

dry-keyboard-94795

10/15/2023, 10:58 AM
You need to do this using project IAM policies and conditions. There's a Terraform example in the docs: https://cloud.google.com/sql/docs/postgres/iam-conditions#terraform. The example can be used as a reference for how to use the Pulumi `IAMMember` resource: https://www.pulumi.com/registry/packages/gcp/api-docs/projects/iammember/

bland-address-49163

10/15/2023, 4:05 PM
Ah thank you!

glamorous-jelly-86558

10/15/2023, 4:11 PM
If you do end up creating a Pulumi sample for this, could you post it here? My team might be interested in it in a couple of weeks.

bland-address-49163

10/16/2023, 5:18 PM
I haven't tested it yet, but it should look roughly like this:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// `instance` is the gcp.sql.DatabaseInstance the grant should be scoped to.
// Note: IAMBinding is authoritative for the given role + condition; any
// members not listed here are removed from that role on the project.
new gcp.projects.IAMBinding("...", {
    members: [...],
    role: "roles/cloudsql.client",
    // IAM condition limiting the role to this one Cloud SQL instance
    condition: {
        expression: pulumi.interpolate`resource.name == 'projects/${gcp.config.project}/instances/${instance.name}' && resource.type == 'sqladmin.googleapis.com/Instance'`,
        title: "...",
        description: "...",
    },
});
```