https://pulumi.com logo
#golang
Title
# golang
b

bumpy-bear-61087

11/04/2021, 9:59 AM
I think i'm taking this one too far, anyone got a snippet for creating an IAM role for a new service account?
Copy code
containerDefaultSA, err := serviceaccount.NewAccount(p.ctx, fmt.Sprintf("gke-%s-default-sa", name), &serviceaccount.AccountArgs{
		AccountId:   pulumi.String(fmt.Sprintf("%sgke%sdefaultsa", p.args.ProjectId, name)),
		Description: nil,
		Disabled:    pulumi.Bool(false),
		DisplayName: pulumi.String("GKE default node SA"),
		Project:     pulumi.String(p.args.ProjectId),
	})
	if err != nil {
		return nil, errors.Wrap(err, "could not create new default GKE SA")
	}

	containerDefaultSA.Email.ApplyT(func(email string) error {
		kmsIAM, err := organizations.LookupIAMPolicy(p.ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{{
				Role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
				Members: []string{
					fmt.Sprintf("serviceAccount:%s", email),
				}},
			},
		}, nil); if err != nil {
			return errors.Wrap(err, "could not get IAM policy")
		}

		_, err = serviceaccount.NewIAMPolicy(p.ctx, fmt.Sprintf("gke-%s-kms-iam", name), &serviceaccount.IAMPolicyArgs{
			ServiceAccountId: pulumi.String(fmt.Sprintf(
				"projects/%s/serviceAccounts/%s", p.args.ProjectId,
				strings.ReplaceAll(email, "container-engine-robot.", p.args.ProjectId + "."),
			)),
			PolicyData:       pulumi.String(kmsIAM.PolicyData),
		})
		if err != nil {
			return errors.Wrap(err, "could not create default IAM SA")
		}

		return nil
	})
l

limited-rainbow-51650

11/04/2021, 10:14 AM
Copy code
package main

import (
	"<http://github.com/pulumi/pulumi-gcp/sdk/v5/go/gcp/kms|github.com/pulumi/pulumi-gcp/sdk/v5/go/gcp/kms>"
	"<http://github.com/pulumi/pulumi/sdk/v3/go/pulumi|github.com/pulumi/pulumi/sdk/v3/go/pulumi>"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := kms.NewCryptoKeyIAMBinding(ctx, "cryptoKey", &kms.CryptoKeyIAMBindingArgs{
			CryptoKeyId: pulumi.Any(google_kms_crypto_key.Key.Id),
			Role:        pulumi.String("roles/cloudkms.cryptoKeyEncrypter"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Source: https://www.pulumi.com/registry/packages/gcp/api-docs/kms/cryptokeyiammember/
In your case, the
Members
should point to the email of your service account id.
b

bumpy-bear-61087

11/04/2021, 10:15 AM
Well that's a -lot- smaller .Thanks again @limited-rainbow-51650!
l

limited-rainbow-51650

11/04/2021, 10:16 AM
to be fully correct, rather than
user:<userEmail>
, you should have
serviceAccount:<saEmail>
🙌 1
4 Views