ancient-rose-25146
05/11/2022, 12:50 PM
const externalDnsGCPServiceAccount = new gcpNative.iam.v1.ServiceAccount(
  "external-dns-gcp-sa",
  {
    accountId: `external-dns-${environment}`,
  }
);
new gcp.projects.IAMBinding("external-dns-dns-admin-rb", {
  project: project,
  role: "roles/dns.admin",
  members: [
    externalDnsGCPServiceAccount.email.apply((s) => `serviceAccount:${s}`),
  ],
});
gcloud projects get-iam-policy <project>
after running env=staging then env=prod:
- members:
  - serviceAccount:external-dns-prod@<project>.iam.gserviceaccount.com
  role: roles/dns.admin
prehistoric-activity-61023
05/11/2022, 1:08 PM
IAMMember in such case
• `gcp.projects.IAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the project are preserved.
• `gcp.projects.IAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the project are preserved.
ancient-rose-25146
05/11/2022, 1:11 PM
prehistoric-activity-61023
05/11/2022, 1:11 PM
new gcp.projects.IAMMember("external-dns-dns-admin-rb", {
  project: project,
  role: "roles/dns.admin",
  member: externalDnsGCPServiceAccount.email.apply((s) => `serviceAccount:${s}`),
});
Note: `gcp.projects.IAMMember` resources can be used in conjunction with `gcp.projects.IAMBinding` resources only if they do not grant privilege to the same role.
ancient-rose-25146
05/11/2022, 1:20 PM