Closed ramonmedeiros closed 4 years ago
Can you please send here the jinja template you are trying to use including the IAM binding?
I am not sure what you mean by "this role specifically is not supported".
Do you get an error for this?
accessControl:
  gcpIamPolicy:
    bindings:
    - role: roles/cloudkms.cryptoKeyDecrypter
      members:
      - "serviceAccount:tarrito-{{ properties['accountIdSuffix'] }}@{{ projectName }}.iam.gserviceaccount.com"
I still believe this should work; however, feel free to take a look at the Cloud Foundation Toolkit IAM Member binding template, which supports IAM bindings on Project, Folder, Org level.
Was able to do it following this snippet:
@ocsig when I say "this role", it's specifically roles/cloudkms.cryptoKeyDecrypter
I created a service account in my yaml:
And I'm trying to add the roles/cloudkms.cryptoKeyDecrypter to it. Until now I'm using a workaround to do it, by gcloud cmdline:
But, how can I do it by DM? I tried using gcp-types, like https://github.com/GoogleCloudPlatform/deploymentmanager-samples/blob/58b4d5db56081f9a9c0dd595a9ef264e4f6389ae/google/resource-snippets/iam-v1/service_accounts.jinja#L21-L34
But this role specifically is not supported. How can I proceed?