# google-cloud
a
Hi, I have a use case which requires different serviceaccounts for different environments and I need to apply permissions to those service accounts. The issue is that when I apply a binding, it overwrites the bindings for the other environment. Is there a way to only add without overwriting current bindings? For example this is how I am currently doing it.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as gcpNative from "@pulumi/google-native";

// Assumed here: the environment name ("staging" / "prod") comes from stack config,
// and the project id from the gcp provider config.
const config = new pulumi.Config();
const environment = config.require("environment");
const project = gcp.config.project;

// One service account per environment (external-dns-staging, external-dns-prod, ...)
const externalDnsGCPServiceAccount = new gcpNative.iam.v1.ServiceAccount(
  "external-dns-gcp-sa",
  {
    accountId: `external-dns-${environment}`,
  }
);

// IAMBinding is authoritative for roles/dns.admin: the members list below
// replaces whatever members the role already had in the project policy.
new gcp.projects.IAMBinding("external-dns-dns-admin-rb", {
  project: project,
  role: "roles/dns.admin",
  members: [
    externalDnsGCPServiceAccount.email.apply((s) => `serviceAccount:${s}`),
  ],
});
Here is the result of `gcloud projects get-iam-policy <project>` after running env=staging then env=prod:
- members:
  - serviceAccount:external-dns-prod@<project>.iam.gserviceaccount.com
  role: roles/dns.admin
p
AFAIR, you should use `IAMMember` in such case
the difference is:
• `gcp.projects.IAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the project are preserved.
• `gcp.projects.IAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the project are preserved.
a
Thank you
p
try:
// IAMMember is non-authoritative: it adds this single member to roles/dns.admin
// and leaves the role's existing members (the other environment's SA) untouched.
new gcp.projects.IAMMember("external-dns-dns-admin-rb", {
  project: project,
  role: "roles/dns.admin",
  member: externalDnsGCPServiceAccount.email.apply((s) => `serviceAccount:${s}`),
});
keep in mind the note provided in the docs as well:
Note: `gcp.projects.IAMBinding` resources can be used in conjunction with `gcp.projects.IAMMember` resources only if they do not grant privilege to the same role.
a
Yep everything works as intended now. Thanks for the assistance.