Google Cloud Deployment Manager: How to set up IAM when creating bucket

Question

I have created a bucket with Google Cloud Deployment Manager ( see below ) but the permissions part is ignored and I could not find any example of setting IAM on while using Google Cloud Deployment Manager. Can you help?

    resources:
    - name: {{ env["name"] }}
      type: storage.v1.bucket
      properties:
        kind: storage#bucket
        location: eu
        storageClass: MULTI_REGIONAL
        iam-policy:
          bindings:
          - role: roles/storage.objectViewer
            members:
            - allUsers

perfectfromnowon · Accepted Answer · 2018-06-03 18:21:14Z

You can now decorate deployment manager objects with IAM bindings. Something like this should work:

- name: <BUCKETNAME>
  type: storage.v1.bucket
  properties:
    storageClass: REGIONAL
    location: us-west1
  accessControl:
    gcpIamPolicy:
      bindings:
      - role: roles/storage.objectViewer
        members:
        - "serviceAccount:<YOURSERVICEACCOUNT>"
      - role: roles/storage.legacyBucketOwner
        members:
        - "projectEditor:<YOURPROJECT>"
        - "projectOwner:<YOURPROJECT>"
      - role: roles/storage.legacyBucketReader
        members:
        - "projectViewer:<YOURPROJECT>"

See https://cloud.google.com/deployment-manager/docs/configuration/set-access-control-resources for more information. Please note that IAM bindings are related but different from a bucket ACL and/or object ACLs. See https://cloud.google.com/storage/docs/access-control/ for more information on access control for GCS.

Also note that you will want to include the FULL set of IAM bindings in the aforementioned example.

This is great! projectOwner and projectEditor are documented in cloud.google.com/storage/docs/access-control/iam#identities, but it is not clear from the docs that they should be explicitly set in gcpIamPolicy. Btw we can use projectOwner:{{ env['project'] }} to parameterize them. — dinvlad, Commented Jun 15, 2018 at 2:28

drbayer · Accepted Answer · 2017-06-29 14:25:39Z

0

There are 2 levels of access you can set - bucket level & object level. Try something like this:

 resources:
    - name: {{ env["name"] }}
      type: storage.v1.bucket
      properties:
        kind: storage#bucket
        location: eu
        storageClass: MULTI_REGIONAL
        acl:
        - role: READER
          entity: allUsers  # maybe allAuthenticatedUsers?
        defaultObjectAcl:
        - entity: allUsers  # maybe allAuthenticatedUsers?
          role: READER

answered Jun 29, 2017 at 14:25

drbayer

1914 bronze badges

I'm pretty sure this uses the ACL model rather than the IAM model for permissions.
– perfectfromnowon
Commented Jun 3, 2018 at 17:52

Add a comment |

Collectives™ on Stack Overflow

Google Cloud Deployment Manager: How to set up IAM when creating bucket

2 Answers 2

Not the answer you're looking for? Browse other questions tagged
deployment
google-cloud-platform
google-cloud-storage
google-deployment-manager
or ask your own question.

Hot Network Questions

Collectives™ on Stack Overflow

2 Answers 2

Not the answer you're looking for? Browse other questions tagged deploymentgoogle-cloud-platformgoogle-cloud-storagegoogle-deployment-manager or ask your own question.

Related

Not the answer you're looking for? Browse other questions tagged
deployment
google-cloud-platform
google-cloud-storage
google-deployment-manager
or ask your own question.