# google-cloud

ancient-rose-25146

05/11/2022, 12:50 PM
Hi, I have a use case which requires different service accounts for different environments and I need to apply permissions to those service accounts. The issue is that when I apply a binding, it overwrites the bindings for the other environment. Is there a way to only add without overwriting current bindings? For example, this is how I am currently doing it.
```typescript
import * as gcp from "@pulumi/gcp";
import * as gcpNative from "@pulumi/google-native";

const externalDnsGCPServiceAccount = new gcpNative.iam.v1.ServiceAccount(
  "external-dns-gcp-sa",
  {
    accountId: `external-dns-${environment}`,
  }
);

new gcp.projects.IAMBinding("external-dns-dns-admin-rb", {
  project: project,
  role: "roles/dns.admin",
  members: [
    externalDnsGCPServiceAccount.email.apply((s) => `serviceAccount:${s}`),
  ],
});
```
Here is the result of `gcloud projects get-iam-policy <project>` after running env=staging then env=prod:
```yaml
- members:
  - serviceAccount:external-dns-prod@<project>.iam.gserviceaccount.com
  role: roles/dns.admin
```
prehistoric-activity-61023

05/11/2022, 1:08 PM
AFAIR, you should use `IAMMember` in such a case.
the difference is:
• `gcp.projects.IAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the project are preserved.
• `gcp.projects.IAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the project are preserved.
ancient-rose-25146

05/11/2022, 1:11 PM
Thank you
prehistoric-activity-61023

05/11/2022, 1:11 PM
try:
```typescript
new gcp.projects.IAMMember("external-dns-dns-admin-rb", {
  project: project,
  role: "roles/dns.admin",
  member: externalDnsGCPServiceAccount.email.apply((s) => `serviceAccount:${s}`),
});
```
keep in mind the note provided in the docs as well:
> Note: `gcp.projects.IAMBinding` resources can be used in conjunction with `gcp.projects.IAMMember` resources only if they do not grant privilege to the same role.
ancient-rose-25146

05/11/2022, 1:20 PM
Yep, everything works as intended now. Thanks for the assistance.