unrelated to my previous question Is there an optimal way to

Question

unrelated to my previous question Is there an optimal way to create a GCS bucket and set the IAM permissions

orange-policeman-59119 · Answer

GCP Classic provider If you re OK setting IAM on everything in the project `projects IAMPolicy` will be authoritative for the entire GCP project and all buckets under it I think that s best practice if you mean ACLs on the bucket which I think is confusingly also called IAM in the cloud console we have a `storage BucketACL` and `storage ObjectACL` though I think you may need to experiment to see how that interacts with IAMPolicy

orange-policeman-59119 · Answer

For the native provider project wide IAM policy isn t where I would expect to see it so I ll need to follow up there For storage buckets <https www pulumi com registry packages google native api docs storage v1 bucketiampolicy > storage v1 bucketiampolicy and storage v1 objectiampolicy are the right counterparts

lemon-monkey-228 · Answer

So I d explored this a little with `google native` and my issues were IIRC that I had to get the current IAM policy for the bucket make any changes ie append an `allusers` entry then apply that back to the bucket But I couldn t figure out how to do this after the bucket was created as these calls simply ran ever time and would throw an exception if the bucket did not already exist I tried with some ` then` calls in attempts to make a dependency graph but I wasn t sure how to do it and the only way I made this succeed was to create the bucket with 1 run then add the ACL change in later run

orange-policeman-59119 · Answer

Was the bucket you wanted to define policy for created via Pulumi or another provider I m asking to probe why you re needing to append changes and write back