#google-cloud

limited-farmer-68874

12/11/2023, 1:14 AM
I can't for the life of me get `cloudrunv2.JobIamBinding` to work ... I've been getting this error:
```
* Error retrieving IAM policy for cloudrunv2 job "projects/catalist-test-01/locations/us-central1-a/jobs/insight-generation": googleapi: Error 501: Operation is not implemented, or supported, or enabled.
```
And it's driving me quite nutty. I've tried different ways to approach this, but I could use some help...
```python
invoker_policy = cloudrunv2.JobIamBinding(
    "trigger-binding",
    name=service_name,
    role="roles/run.invoker",
    members=[
        pulumi.Output.concat(
            "serviceAccount:",
            sa.service_accounts["service-account"].email,
        ),
    ],
)
```
e.g.
Same thing happens for `JobIamMember`.

miniature-computer-95401

12/11/2023, 7:17 PM
Hey @limited-farmer-68874, I ran into a similar problem making the cloudfunctionv2 invokable without authentication. My problem was that GCP internally implements cloud functions gen2 with a cloud run service with the same name. I had to apply IAM policies to the underlying cloud run service to get it to work.
E.g.,
```python
my_function = gcp.cloudfunctionsv2.Function(
    "my_function",
    ...
)

# This has no effect, or results in an operation not permitted depending on whether you use role "roles/cloudfunctions.invoker" or "roles/run.invoker"
my_function_invoker = gcp.cloudfunctionsv2.FunctionIamMember(
    "my_function_invoker",
    project=my_function.project,
    location=my_function.location,
    cloud_function=my_function.name,
    role="roles/cloudfunctions.invoker",
    member="allUsers",
)

# The next two statements have exactly the effect that I desire by setting a policy on the underlying cloud run service
my_iam_policy = gcp.organizations.get_iam_policy(
    bindings=[
        gcp.organizations.GetIAMPolicyBindingArgs(
            role="roles/run.invoker",
            members=["allUsers"],
        )
    ]
)

my_iam_policy = gcp.cloudrun.IamPolicy(
    "no-auth-IAM-policy",
    location=my_function.location,
    project=my_function.project,
    service=my_function.name,
    policy_data=my_iam_policy.policy_data
)
```

limited-farmer-68874

12/11/2023, 9:16 PM
Some of the underlying APIs are a little finicky, eh? Turned out my problem was I needed to specify `location`. WOOPS 😂
thanks for the info tho, good to know when I migrate to cloudfunctions v2