unrelated to my previous question: Is there an optimal way to create a GCS bucket and set the IAM permissions?
GCP Classic provider: If you're OK setting IAM on everything in the project,
will be authoritative for the entire GCP project and all buckets under it. I think that's best practice. If you mean ACLs on the bucket, which I think is confusingly also called IAM in the cloud console, we have a
, though I think you may need to experiment to see how that interacts with IAMPolicy.
For the native provider, project-wide IAM policy isn't where I would expect to see it, so I'll need to follow up there. For storage buckets, https://www.pulumi.com/registry/packages/google-native/api-docs/storage/v1/bucketiampolicy/ storage.v1.bucketiampolicy and storage.v1.objectiampolicy are the right counterparts.
So, I'd explored this a little with
and my issues were (IIRC) that I had to get the current IAM policy for the bucket, make any changes (i.e. append an
entry), then apply that back to the bucket. But I couldn't figure out how to do this after the bucket was created, as these calls simply ran every time and would throw an exception if the bucket did not already exist. I tried with some
calls (in attempts to make a dependency graph), but I wasn't sure how to do it, and the only way I made this succeed was to create the bucket with 1 run, then add the ACL change in a later run.
Was the bucket you wanted to define policy for created via Pulumi or another provider? I'm asking to probe why you're needing to append changes and write back.