
I'm using Deployment Manager to set the IAM policy of an existing Pub/Sub topic. I don't want to acquire it, and I cannot create it with Deployment Manager (because it already exists). So I want to set a policy on an existing resource.

I can do this with buckets, but the docs are confusing and I can't find the right methods for buckets.

I want to do this (resource-level bindings) for a topic instead of a bucket:

resources:
  - name: mybucket
    action: gcp-types/storage-v1:storage.buckets.setIamPolicy
    properties:
      bucket: mybucket
      bindings:
        - role: roles/storage.admin
          members:
          - "serviceAccount:[email protected]"

I can only find gcp-types/pubsub-v1:projects.topics.setIamPolicy, which seems like it's at the project level? What is the right API for setting an IAM policy on a specific topic?

The Google APIs seem inconsistent here. Are these two methods equivalent? The docs are confusing: https://cloud.google.com/storage/docs/json_api/v1/buckets/setIamPolicy https://cloud.google.com/pubsub/docs/reference/rest/v1/projects.topics/setIamPolicy

I attempted this but am getting an error:

  - name: mytopic
    action: gcp-types/pubsub-v1:pubsub.projects.topics.setIamPolicy
    properties:
      resource: mytopic
      bindings:
        - role: roles/pubsub.admin
          members:
          - "serviceAccount:[email protected]"

I get this error:

message: '{"ResourceType":"gcp-types/pubsub-v1:pubsub.projects.topics.setIamPolicy","ResourceErrorCode":"400","ResourceErrorMessage":{"code":400,"message":"Invalid JSON payload received. Unknown name \"bindings\": Cannot find field.","status":"INVALID_ARGUMENT","details":[{"@type":"type.googleapis.com/google.rpc.BadRequest","fieldViolations":[{"description":"Invalid JSON payload received. Unknown name \"bindings\": Cannot find field."}]}],"statusMessage":"Bad Request","requestPath":"https://pubsub.googleapis.com/v1/projects/myproject/topics/mytopic:setIamPolicy","httpMethod":"POST"}}'

When I tried projects.topics.setIamPolicy, I got:

- code: COLLECTION_NOT_FOUND
  message: Collection 'projects.topics.setIamPolicy' not found in discovery doc 'https://pubsub.googleapis.com/$discovery/rest?version=v1'
  • I found this nugget ... github.com/GoogleCloudPlatform/deploymentmanager-samples/tree/… which says "Actions are a currently undocumented feature for calling arbitrary APIs.". Well ... huh!!!
    – Kolban
    Commented Oct 23, 2019 at 17:29
    That's funny it's not documented. I gave up on their docs a little while ago and started looking for examples in the wild; I never realized that feature was totally undocumented.
    – red888
    Commented Oct 23, 2019 at 17:31
    On a philosophical standpoint ... I'm thinking that we may have an impasse on the notion of creating or updating a resource that already exists and not having it "owned" by Deployment Manager. What is the thinking on why having the resource owned by Deployment Manager is a bad thing? I'm also thinking that if we don't want it owned by Deployment Manager we can run DM twice ... once to update the resources and once to delete your resources using the ABANDON policy for deletions.
    – Kolban
    Commented Oct 23, 2019 at 17:33
  • If you could ABANDON at the resource level, that would solve my issues. The problem is there are resources localized to this stack and shared resources this stack/deployment should never own the lifecycle of, so the deployment can be freely created and destroyed without destroying shared resources. Having a separate deployment specifically for modifying existing resources and using ABANDON there would work, but I don't love that; I'd like this to be a single template/deployment. Also, my needing resource-level policies stems from having a poor project structure I currently can't change.
    – red888
    Commented Oct 23, 2019 at 18:11
    Could you provide me additional information concerning the missing information in our documentation? An example would be nice; I could then file a documentation request to have it added.
    – dany L
    Commented Oct 23, 2019 at 22:45
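The error in the question ("Unknown name \"bindings\": Cannot find field") is about the shape of the request body, not about which topic the action targets. The storage-v1 buckets.setIamPolicy endpoint takes the Policy itself as the body (so `bindings` sits directly under `properties`), whereas the pubsub-v1 projects.topics.setIamPolicy endpoint is a standard google.iam.v1 SetIamPolicyRequest, whose body is `{"policy": {...}}`, so `bindings` has to sit under a `policy` key. The following is an added example, not code from the question or the answer: it builds the two request bodies side by side, shows the `properties:` block a Deployment Manager action of type gcp-types/pubsub-v1:pubsub.projects.topics.setIamPolicy would carry, and merges a binding into an existing policy instead of overwriting it. The project, topic, bucket and service-account names, the sample policy and its etag are placeholders I constructed; that the DM `properties` map to the REST path parameter plus the request body fields, with the full `projects/PROJECT/topics/TOPIC` resource name, is an assumption that follows the pattern of the bucket action in the question and the REST path shown in the error.

```python
"""Build setIamPolicy request bodies for Pub/Sub topics and GCS buckets.

Added example; not from the original post. Assumptions (placeholders):
  PROJECT, TOPIC, BUCKET and SA are invented names; EXISTING_POLICY is a
  constructed stand-in for what getIamPolicy returns on the topic.
"""
import copy
import json

PROJECT = "myproject"   # placeholder
TOPIC = "mytopic"       # placeholder
BUCKET = "mybucket"     # placeholder
SA = "serviceAccount:[email protected]"  # placeholder


def topic_resource(project, topic):
    """Full resource name the pubsub REST path parameter {resource} expects."""
    return f"projects/{project}/topics/{topic}"


def add_binding(policy, role, member):
    """Return a copy of `policy` with `member` granted `role`.

    Every other binding and the etag are preserved, so a following
    setIamPolicy is a read-modify-write rather than a blind overwrite
    that silently strips whoever else had access to the topic.
    """
    new = copy.deepcopy(policy)
    for binding in new.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def pubsub_set_iam_body(policy):
    """Body of POST /v1/{resource}:setIamPolicy on pubsub: the policy is nested."""
    return {"policy": policy}


def storage_set_iam_body(policy):
    """Body of PUT /storage/v1/b/{bucket}/iam: the Policy *is* the body."""
    return dict(policy)


def dm_action_properties(project, topic, policy):
    """`properties:` of a Deployment Manager action
    gcp-types/pubsub-v1:pubsub.projects.topics.setIamPolicy (assumed mapping:
    path parameter `resource` plus the request body fields). Putting
    `bindings` here instead of under `policy` is what produces the
    "Unknown name bindings" 400 from the question."""
    props = {"resource": topic_resource(project, topic)}
    props.update(pubsub_set_iam_body(policy))
    return props


def dm_bucket_action_properties(bucket, policy):
    """`properties:` of gcp-types/storage-v1:storage.buckets.setIamPolicy,
    matching the working bucket example: bindings at the top level."""
    props = {"bucket": bucket}
    props.update(storage_set_iam_body(policy))
    return props


# Constructed sample of what getIamPolicy might return for the topic.
EXISTING_POLICY = {
    "version": 1,
    "etag": "BwXyZ123abc=",  # constructed
    "bindings": [
        {"role": "roles/pubsub.publisher", "members": ["user:[email protected]"]},
    ],
}

if __name__ == "__main__":
    merged = add_binding(EXISTING_POLICY, "roles/pubsub.admin", SA)
    print(json.dumps(dm_action_properties(PROJECT, TOPIC, merged), indent=2))
    print(json.dumps(dm_bucket_action_properties(BUCKET, merged), indent=2))
```

Two practical caveats. setIamPolicy replaces the whole policy on the resource, so a config that lists only the one binding you care about removes every other binding on that topic; read the current policy first (as `add_binding` does) and send the etag back so a concurrent change is rejected instead of clobbered. And because a Deployment Manager action is re-run on every update and is not a managed resource, nothing removes the binding when the deployment is deleted; that is the same "not owned by DM" property the comments discuss, and it cuts both ways.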

1 Answer


The pubsub-v1:projects.topics.setIamPolicy is at the topic level, and https://iam.googleapis.com/v1/{resource=projects/*/serviceAccounts/*}:setIamPolicy is to set a Pub/Sub or other resource at the project level.

You get those errors because you are granting Pub/Sub Admin, and this is a role at the project level. The example roles you can provide are:

  • roles/viewer
  • roles/editor
  • roles/owner

I understand that you are trying to deploy a topic with an IAM policy that allows only one service account access to the topic. You have to use a YAML file and a Python file, if that is the environment you are using.

In the Python file you will set the IAM policy for the topic with the method "set_iam_policy", which takes 2 arguments, the topic path and the policy:

from google.cloud import pubsub_v1

project = 'my-project'      # placeholder: your project ID
topic_name = 'my-topic'     # placeholder: the existing topic

client = pubsub_v1.PublisherClient()
topic_path = client.topic_path(project, topic_name)

# Read the current policy first so existing bindings (and the etag) are kept;
# set_iam_policy replaces the whole policy on the topic.
policy = client.get_iam_policy(topic_path)

# Add all users as viewers.
policy.bindings.add(
    role='roles/pubsub.viewer',
    members=['allUsers'])

# Add a group as a publisher.
policy.bindings.add(
    role='roles/pubsub.publisher',
    members=['group:[email protected]'])

# Set the policy
policy = client.set_iam_policy(topic_path, policy)

print('IAM policy for topic {} set: {}'.format(
    topic_name, policy))

For deployment manager:

imports:
  - path: templates/pubsub/pubsub.py
    name: pubsub.py

resources:
  - name: test-pubsub
    type: pubsub.py
    properties:
      topic: test-topic
      accessControl:
        - role: roles/pubsub.subscriber
          members:
            - user:[email protected]
      subscriptions:
        - name: first-subscription
          accessControl:
            - role: roles/pubsub.subscriber
              members:
               - user:[email protected]
        - name: second-subscription
          ackDeadlineSeconds: 15
  • Would you be able to provide a working example with a Deployment Manager action? Is it action: gcp-types/pubsub-v1:pubsub.projects.topics.setIamPolicy or action: gcp-types/pubsub-v1:projects.topics.setIamPolicy? Also, is "resource-level policy" the right name for what this is? Is there a good high-level-ish doc that lays out the difference between project- and resource-level access control, including how the APIs differ there?
    – red888
    Commented Oct 24, 2019 at 14:01
    If it's not possible with a Deployment Manager action, that's fine, but I wanted to use that to avoid having to script the APIs. Is it possible with an action?
    – red888
    Commented Oct 29, 2019 at 14:38
  • Using Deployment Manager actions is not possible at the moment for this.
    Commented Oct 29, 2019 at 20:58
