# google-cloud

lemon-monkey-228

01/26/2022, 1:18 PM
unrelated to my previous question: Is there an optimal way to create a GCS bucket and set the IAM permissions?

orange-policeman-59119

01/28/2022, 7:47 PM
GCP Classic provider: If you're OK setting IAM on everything in the project, `projects.IAMPolicy` will be authoritative for the entire GCP project and all buckets under it. I think that's best practice. If you mean ACLs on the bucket, which I think is confusingly also called IAM in the cloud console, we have a `storage.BucketACL` and `storage.ObjectACL`, though I think you may need to experiment to see how that interacts with IAMPolicy.

For the native provider, project-wide IAM policy isn't where I would expect to see it, so I'll need to follow up there. For storage buckets, `storage.v1.bucketiampolicy` (https://www.pulumi.com/registry/packages/google-native/api-docs/storage/v1/bucketiampolicy/) and `storage.v1.objectiampolicy` are the right counterparts.

lemon-monkey-228

01/31/2022, 9:57 AM
So, I'd explored this a little with `google-native` and my issues were (IIRC) that I had to get the current IAM policy for the bucket, make any changes (i.e. append an `allUsers` entry), then apply that back to the bucket. But I couldn't figure out how to do this after the bucket was created, as these calls simply ran every time and would throw an exception if the bucket did not already exist. I tried with some `.then` calls (in an attempt to make a dependency graph) but I wasn't sure how to do it, and the only way I made this succeed was to create the bucket with one run, then add the ACL change in a later run.

orange-policeman-59119

01/31/2022, 5:24 PM
Was the bucket you wanted to define policy for created via Pulumi or another provider? I'm asking to probe why you're needing to append changes and write back.