How to assign roles to service account using jinja & YAML file

[ajeshsuseelan]

Hi,

As per below document, I have created Jinja and Yaml file for assigning different roles to service account.

https://github.com/GoogleCloudPlatform/deploymentmanager-samples/blob/master/google/resource-snippets/cloudresourcemanager-v1/virtualProjectMember.yaml

My code:

test1.yaml

imports:

• path: policies.jinja

resources:

• name: policies type: policies.jinja properties: roles:
  • roles/redis.viewer
  • roles/bigquery.dataEditor
  • roles/datastore.user
  • roles/dataflow.worker serviceAccounts:
  • concurrent-test-1

policies.jinja

resources: {% set resource = properties.get("resource", env["project"]) %} {% set project = properties["projectName"] %} {% set type = resource.split("/", 1)[0] if "/" in resource else "projects" %} {% set apiVersion = "v2" if type == "folders" else "v1" %} {% for role in properties["roles"] %} {% for serviceAccount in properties["serviceAccounts"] %}

• name: {{ type }}-{{ role }}-{{ serviceAccount }} type: gcp-types/cloudresourcemanager-{{ apiVersion }}:virtual.{{ type }}.iamMemberBinding properties: resource: {{ resource }} member: serviceAccount:{{ serviceAccount }}@isolated-project.iam.gserviceaccount.com role: {{ role }} {% endfor %} {% endfor %}

When I tired to execute the below template in deployment manager it's getting failed due to below error:

ERROR: (gcloud.deployment-manager.deployments.create) Error in Operation [operation-1642430647081-5d5c82f49988d-b159f25f-cbfa46a1]: errors:

• code: RESOURCE_ERROR location: /deployments/jinja-stream-dataflow/resources/projects-roles/redis.viewer-concurrent-test-1 message: '{"ResourceType":"gcp-types/cloudresourcemanager-v1:virtual.projects.iamMemberBinding","ResourceErrorCode":"400","ResourceErrorMessage":{"code":400,"message":"One or more users named in the policy do not belong to a permitted customer.","status":"FAILED_PRECONDITION","details":[{"@type":"type.googleapis.com/google.rpc.PreconditionFailure","violations":[{"type":"constraints/iam.allowedPolicyMemberDomains","subject":"orgpolicy:projects/nowtv-adload-discovery?configvalue=concurrent-test-1%40isolated-project.iam.gserviceaccount.com","description":"User concurrent-test-1@isolated-project.iam.gserviceaccount.com is not in permitted organization."}]}],"statusMessage":"Bad Request","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects/nowtv-adload-discovery:setIamPolicy","httpMethod":"POST"}}'

Please suggest.

[sandyydk]

Facing issue doing the same with conditional access. Can anyone clarify on the same?

[sandyydk]

@ajeshsuseelan It might be that your service is not part of the given organization's conditions? I believe there is some policy blocking or allowing only those users with certain parameters to be allowed access. Maybe this user does not belong or clear those policies.