# golang
I think I'm taking this one too far — does anyone have a snippet for creating an IAM role for a new service account?
// Create the dedicated node service account for this cluster. The Pulumi
// logical name is gke-<name>-default-sa; the GCP account id is built from
// the project id and the cluster name.
containerDefaultSA, err := serviceaccount.NewAccount(p.ctx, fmt.Sprintf("gke-%s-default-sa", name), &serviceaccount.AccountArgs{
		AccountId:   pulumi.String(fmt.Sprintf("%sgke%sdefaultsa", p.args.ProjectId, name)),
		Description: nil,
		Disabled:    pulumi.Bool(false),
		DisplayName: pulumi.String("GKE default node SA"),
		Project:     pulumi.String(p.args.ProjectId),
	})
	if err != nil {
		return nil, errors.Wrap(err, "could not create new default GKE SA")
	}

	// Runs once the account's email is known. NOTE(review): the Output
	// returned by ApplyT is discarded, and resources created inside an
	// ApplyT callback are typically not visible to `pulumi preview`;
	// passing containerDefaultSA.Email as an Output straight into the IAM
	// args would avoid both — confirm against the Pulumi docs.
	containerDefaultSA.Email.ApplyT(func(email string) error {
		// Build policy data binding the KMS encrypt/decrypt role to the new
		// account (member prefix "serviceAccount:", not "user:").
		kmsIAM, err := organizations.LookupIAMPolicy(p.ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{{
				Role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
				Members: []string{
					fmt.Sprintf("serviceAccount:%s", email),
				}},
			},
		}, nil); if err != nil {
			return errors.Wrap(err, "could not get IAM policy")
		}

		// NOTE(review): serviceaccount.IAMPolicy sets the policy *on the
		// service account resource itself* (who may use or impersonate it)
		// and is authoritative — it replaces any bindings already attached
		// to the account. A KMS role placed here does not grant the account
		// access to any key; that grant belongs on the CryptoKey resource
		// (kms.CryptoKeyIAMBinding / CryptoKeyIAMMember with the member
		// "serviceAccount:<email>"). Confirm which of the two is intended.
		_, err = serviceaccount.NewIAMPolicy(p.ctx, fmt.Sprintf("gke-%s-kms-iam", name), &serviceaccount.IAMPolicyArgs{
			// NOTE(review): the ReplaceAll only changes emails that contain
			// "container-engine-robot." (presumably the GKE service agent's
			// domain); for the account created above it looks like a no-op —
			// confirm the intended target.
			ServiceAccountId: pulumi.String(fmt.Sprintf(
				"projects/%s/serviceAccounts/%s", p.args.ProjectId,
				strings.ReplaceAll(email, "container-engine-robot.", p.args.ProjectId + "."),
			)),
			PolicyData:       pulumi.String(kmsIAM.PolicyData),
		})
		if err != nil {
			return errors.Wrap(err, "could not create default IAM SA")
		}

		return nil
	})
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v5/go/gcp/kms"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main registers a Pulumi program that grants the KMS encrypter role on an
// existing CryptoKey to a single principal.
//
// NOTE(review): google_kms_crypto_key.Key.Id is the registry example's
// Terraform-style reference and is not a Go identifier; a real program
// passes the key resource's ID output here. Each entry in Members must
// carry the principal type as a prefix: "user:" for a person,
// "serviceAccount:" for a service account email. Per the provider docs,
// CryptoKeyIAMBinding is authoritative for the named role on that key (it
// replaces any other members holding that role); CryptoKeyIAMMember adds a
// single member without touching the rest.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		bindingArgs := &kms.CryptoKeyIAMBindingArgs{
			CryptoKeyId: pulumi.Any(google_kms_crypto_key.Key.Id),
			Role:        pulumi.String("roles/cloudkms.cryptoKeyEncrypter"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		}
		// Only the error matters here; the binding resource itself is not
		// referenced elsewhere in the program.
		if _, err := kms.NewCryptoKeyIAMBinding(ctx, "cryptoKey", bindingArgs); err != nil {
			return err
		}
		return nil
	})
}
Source: https://www.pulumi.com/registry/packages/gcp/api-docs/kms/cryptokeyiammember/
In your case, the `Members` entry should point to the email address of your service account.
Well, that's a *lot* smaller. Thanks again @limited-rainbow-51650!
To be fully correct, rather than `user:<userEmail>` you should have `serviceAccount:<saEmail>`.