Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
package-authoring
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
b
bumpy-bear-61087
11/04/2021, 9:59 AMI think i'm taking this one too far, anyone got a snippet for creating an IAM role for a new service account?
containerDefaultSA, err := serviceaccount.NewAccount(p.ctx, fmt.Sprintf("gke-%s-default-sa", name), &serviceaccount.AccountArgs{
AccountId: pulumi.String(fmt.Sprintf("%sgke%sdefaultsa", p.args.ProjectId, name)),
Description: nil,
Disabled: pulumi.Bool(false),
DisplayName: pulumi.String("GKE default node SA"),
Project: pulumi.String(p.args.ProjectId),
})
if err != nil {
return nil, errors.Wrap(err, "could not create new default GKE SA")
}
containerDefaultSA.Email.ApplyT(func(email string) error {
kmsIAM, err := organizations.LookupIAMPolicy(p.ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{{
Role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
Members: []string{
fmt.Sprintf("serviceAccount:%s", email),
}},
},
}, nil); if err != nil {
return errors.Wrap(err, "could not get IAM policy")
}
_, err = serviceaccount.NewIAMPolicy(p.ctx, fmt.Sprintf("gke-%s-kms-iam", name), &serviceaccount.IAMPolicyArgs{
ServiceAccountId: pulumi.String(fmt.Sprintf(
"projects/%s/serviceAccounts/%s", p.args.ProjectId,
strings.ReplaceAll(email, "container-engine-robot.", p.args.ProjectId + "."),
)),
PolicyData: pulumi.String(kmsIAM.PolicyData),
})
if err != nil {
return errors.Wrap(err, "could not create default IAM SA")
}
return nil
})l
limited-rainbow-51650
11/04/2021, 10:14 AMpackage main
import (
"<http://github.com/pulumi/pulumi-gcp/sdk/v5/go/gcp/kms|github.com/pulumi/pulumi-gcp/sdk/v5/go/gcp/kms>"
"<http://github.com/pulumi/pulumi/sdk/v3/go/pulumi|github.com/pulumi/pulumi/sdk/v3/go/pulumi>"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := kms.NewCryptoKeyIAMBinding(ctx, "cryptoKey", &kms.CryptoKeyIAMBindingArgs{
CryptoKeyId: pulumi.Any(google_kms_crypto_key.Key.Id),
Role: pulumi.String("roles/cloudkms.cryptoKeyEncrypter"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}In your case, the
Membersb
bumpy-bear-61087
11/04/2021, 10:15 AMWell that's a -lot- smaller .Thanks again @limited-rainbow-51650!
l
limited-rainbow-51650
11/04/2021, 10:16 AMto be fully correct, rather than
user:<userEmail>serviceAccount:<saEmail>🙌 1