sparse-intern-71089
05/11/2022, 12:50 PM
ancient-rose-25146
05/11/2022, 12:54 PM
`gcloud projects get-iam-policy <project>` after running env=staging then env=prod
- members:
  - serviceAccount:external-dns-prod@<projec>.iam.gserviceaccount.com
  role: roles/dns.admin
prehistoric-activity-61023
05/11/2022, 1:08 PM
IAMMember in such case
prehistoric-activity-61023
05/11/2022, 1:09 PM
• `gcp.projects.IAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the project are preserved.
• `gcp.projects.IAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the project are preserved.
prehistoric-activity-61023
05/11/2022, 1:09 PM
ancient-rose-25146
05/11/2022, 1:11 PM
prehistoric-activity-61023
05/11/2022, 1:11 PM
new gcp.projects.IAMMember("external-dns-dns-admin-rb", {
  project: project,
  role: "roles/dns.admin",
  member: externalDnsGCPServiceAccount.email.apply((s) => `serviceAccount:${s}`),
});
prehistoric-activity-61023
05/11/2022, 1:12 PM
Note: `gcp.projects.IAMBinding` resources can be used in conjunction with `gcp.projects.IAMMember` resources only if they do not grant privilege to the same role.
ancient-rose-25146
05/11/2022, 1:20 PM