bumpy-bear-61087
// Create the per-cluster default GKE node service account. Its AccountId is
// built from the project id and the cluster name; the account starts enabled
// and with no description.
// NOTE(review): GCP service account ids are limited to 6-30 characters, so
// "<projectId>gke<name>defaultsa" can exceed the limit for longer project ids
// or cluster names -- confirm before relying on this naming scheme.
11/04/2021, 9:59 AMcontainerDefaultSA, err := serviceaccount.NewAccount(p.ctx, fmt.Sprintf("gke-%s-default-sa", name), &serviceaccount.AccountArgs{
AccountId: pulumi.String(fmt.Sprintf("%sgke%sdefaultsa", p.args.ProjectId, name)),
Description: nil,
Disabled: pulumi.Bool(false),
DisplayName: pulumi.String("GKE default node SA"),
Project: pulumi.String(p.args.ProjectId),
})
if err != nil {
return nil, errors.Wrap(err, "could not create new default GKE SA")
}
// Once the SA email resolves, render an IAM policy document that grants
// roles/cloudkms.cryptoKeyEncrypterDecrypter to the SA and apply it with
// serviceaccount.NewIAMPolicy. An error returned from the callback fails the
// deployment.
//
// Review notes:
//   - The Output returned by ApplyT is discarded and the resource is created
//     inside the Apply callback, so it is invisible to `pulumi preview` and
//     nothing downstream can declare a dependency on it.
//   - serviceaccount.IAMPolicy is the authoritative IAM policy *on the
//     service account resource itself* (who may use or manage this SA); it
//     replaces any bindings the SA already has. A Cloud KMS role bound here
//     does not give the SA access to any key. To let the SA use a key, bind
//     the role on the crypto key (kms.CryptoKeyIAMMember / CryptoKeyIAMBinding,
//     as the reply below suggests) and grant the narrowest role the workload
//     needs (cryptoKeyEncrypter rather than cryptoKeyEncrypterDecrypter when
//     it only encrypts).
//   - "serviceAccount:<email>" is the correct member form for a service
//     account.
containerDefaultSA.Email.ApplyT(func(email string) error {
// LookupIAMPolicy only renders the given bindings into policy JSON
// (PolicyData); it does not read the account's current policy.
kmsIAM, err := organizations.LookupIAMPolicy(p.ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{{
Role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
Members: []string{
fmt.Sprintf("serviceAccount:%s", email),
}},
},
}, nil); if err != nil {
return errors.Wrap(err, "could not get IAM policy")
}
// Address the SA by its full resource name.
// NOTE(review): the ReplaceAll rewrites a "container-engine-robot." domain,
// but `email` comes from the account created above, which lives in the
// project's own iam.gserviceaccount.com domain -- the replacement looks like
// a no-op here; confirm which account it was meant to target.
_, err = serviceaccount.NewIAMPolicy(p.ctx, fmt.Sprintf("gke-%s-kms-iam", name), &serviceaccount.IAMPolicyArgs{
ServiceAccountId: pulumi.String(fmt.Sprintf(
"projects/%s/serviceAccounts/%s", p.args.ProjectId,
strings.ReplaceAll(email, "container-engine-robot.", p.args.ProjectId + "."),
)),
PolicyData: pulumi.String(kmsIAM.PolicyData),
})
if err != nil {
return errors.Wrap(err, "could not create default IAM SA")
}
return nil
})
limited-rainbow-51650
11/04/2021, 10:14 AMpackage main
import (
"<http://github.com/pulumi/pulumi-gcp/sdk/v5/go/gcp/kms|github.com/pulumi/pulumi-gcp/sdk/v5/go/gcp/kms>"
"<http://github.com/pulumi/pulumi/sdk/v3/go/pulumi|github.com/pulumi/pulumi/sdk/v3/go/pulumi>"
)
// main runs the Pulumi program: it grants roles/cloudkms.cryptoKeyEncrypter on
// one crypto key to a single member and fails the deployment if the binding
// cannot be created.
//
// Review notes (from the thread above):
//   - google_kms_crypto_key.Key.Id is an undeclared placeholder carried over
//     from the registry example; replace it with the Id output of the actual
//     kms.CryptoKey resource (or the key's full resource name).
//   - "user:jane@example.com" is also a placeholder. For the GKE node service
//     account the member string must be "serviceAccount:<saEmail>".
//   - CryptoKeyIAMBinding is authoritative for this role on the key: it
//     replaces any other members that already hold it. CryptoKeyIAMMember
//     adds one member without touching the rest.
//   - The import paths above carry chat link markup (<http://...|...>) and
//     need to be plain module paths to compile.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		binding := &kms.CryptoKeyIAMBindingArgs{
			CryptoKeyId: pulumi.Any(google_kms_crypto_key.Key.Id),
			Role:        pulumi.String("roles/cloudkms.cryptoKeyEncrypter"),
			Members:     pulumi.StringArray{pulumi.String("user:jane@example.com")},
		}
		if _, err := kms.NewCryptoKeyIAMBinding(ctx, "cryptoKey", binding); err != nil {
			return err
		}
		return nil
	})
}
Source: https://www.pulumi.com/registry/packages/gcp/api-docs/kms/cryptokeyiammember/Members
should point to the email of your service account ID.
bumpy-bear-61087
11/04/2021, 10:15 AMlimited-rainbow-51650
11/04/2021, 10:16 AM instead of user:<userEmail>, you should have serviceAccount:<saEmail>