damp-elephant-82829, 08/04/2020, 3:01 PM

billowy-army-68599, 08/04/2020, 3:06 PM

damp-elephant-82829, 08/04/2020, 3:34 PM

billowy-army-68599, 08/04/2020, 3:42 PM

damp-elephant-82829, 08/04/2020, 3:43 PM

green-school-95910, 08/04/2020, 7:13 PM
IAMBinding or IAMPolicy directly. For the safety and sanity of everyone that will use that project (including the future you), unless you have a very strong reason to affect the access of every account to a resource, use IAMMember.
damp-elephant-82829, 08/05/2020, 6:47 AM

green-school-95910, 08/05/2020, 4:08 PM
IAMPolicy replaces all permissions related to a resource. IAMBinding is the same thing, just limited to a single role.
For example:
• You want a backup service to upload the final backups to the default bucket of the project ...appspot.com
• For that the least privileged role is Storage Object Creator
• You define your permissions with an IAMBinding to the service account that the backup service will use
Seems fine? Well... now you cannot deploy any Cloud Functions anymore, because they require their internal service-[projectNumber]@gcf-admin-robot.iam.gserviceaccount.com to have the Service Object Creator role to the default bucket, and the binding removed it.

damp-elephant-82829, 08/06/2020, 7:36 AM

green-school-95910, 08/06/2020, 12:48 PM