Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
package-authoring
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
a
ancient-rose-25146
05/11/2022, 12:50 PMHi, I have a use case which requires different serviceaccounts for different environments and I need to apply permissions to those service accounts. The issue is that when I apply a binding, it overwrites the bindings for the other environment. Is there a way to only add without overwriting current bindings? For example this is how I am currently doing it.
const externalDnsGCPServiceAccount = new gcpNative.iam.v1.ServiceAccount(
"external-dns-gcp-sa",
{
accountId: `external-dns-${environment}`,
}
);
new gcp.projects.IAMBinding("external-dns-dns-admin-rb", {
project: project,
role: "roles/dns.admin",
members: [
externalDnsGCPServiceAccount.email.apply((s) => `serviceAccount:${s}`),
],
});Here is the result of
gcloud projects get-iam-policy <project>- members:
- serviceAccount:external-dns-prod@<projec>.<http://iam.gserviceaccount.com|iam.gserviceaccount.com>
role: roles/dns.adminp
prehistoric-activity-61023
05/11/2022, 1:08 PMAFAIR, you should use
IAMMemberthe difference is:
• `gcp.projects.IAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the project are preserved.
• `gcp.projects.IAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the project are preserved.
a
ancient-rose-25146
05/11/2022, 1:11 PMThank you
p
prehistoric-activity-61023
05/11/2022, 1:11 PMtry:
new gcp.projects.IAMMember("external-dns-dns-admin-rb", {
project: project,
role: "roles/dns.admin",
member: externalDnsGCPServiceAccount.email.apply((s) => `serviceAccount:${s}`),
});keep in mind the note provided in the docs as well:
Note:resources can be used in conjunction withgcp.projects.IAMBindingresources only if they do not grant privilege to the same role.gcp.projects.IAMMember
a
ancient-rose-25146
05/11/2022, 1:20 PMYep everything works as intended now. Thanks for the assistance.
🙌 1