How to grant a service account this role: roles/cloudkms.cryptoKeyDecrypter

[ramonmedeiros]

I created a service account in my yaml:

- type: iam.v1.serviceAccount
  name: downloaders-sa
  properties:
    accountId: downloaders-sa
    displayName: "downloaders-sa"

And I'm trying to add the roles/cloudkms.cryptoKeyDecrypterto it. Until now I'm using a workaround to do it, by gcloud cmdline:

gcloud projects add-iam-policy-binding ${GOOGLE_CLOUD_PROJECT} \
    --member="serviceAccount:email" \
    --role=roles/cloudkms.cryptoKeyDecrypter

But, how can I do by DM? I tried using gcp-types, like https://github.com/GoogleCloudPlatform/deploymentmanager-samples/blob/58b4d5db56081f9a9c0dd595a9ef264e4f6389ae/google/resource-snippets/iam-v1/service_accounts.jinja#L21-L34

But this role specifically is not supported. How can I proceed?

[ocsig]

Can you please send here the jinja template you are trying to use including the IAM binding? I am not sure what do you mean with this role specifically is not supported.

Do you get an error for this?

   accessControl: 
     gcpIamPolicy: 
       bindings: 
       - role: roles/cloudkms.cryptoKeyDecrypter
         members: 
         - "serviceAccount:tarrito-{{ properties['accountIdSuffix'] }}@{{ projectName }}.iam.gserviceaccount.com" 

I still believe this should work, however feel free to take a look at the Cloud Foundation Toolkit IAM Member binding template which supports IAM bindings on Project, Folder, Org level.

[ramonmedeiros]

Was able to do following this snippet:

https://github.com/GoogleCloudPlatform/deploymentmanager-samples/blob/master/google/resource-snippets/cloudresourcemanager-v1/patch_iam_project.yaml

[ramonmedeiros]

@ocsig when I say "this role", it's specifically roles/cloudkms.cryptoKeyDecrypter