GoogleCloudPlatform / deploymentmanager-samples

Deployment Manager samples and templates.
Apache License 2.0

Unable to provide conditional access to a service account on a project using DM #684

Open sandyydk opened 2 years ago

sandyydk commented 2 years ago

I have the following YAML:

```yaml
resources:
- name: bind-iam-policy-secret-accessor
  type: gcp-types/cloudresourcemanager-v1:virtual.projects.iamMemberBinding
  properties:
    resource: myprojectA
    role: roles/secretmanager.secretAccessor
    member: "serviceAccount:sandeep@myproject.iam.gserviceaccount.com"
```

The above works out, but the one below with conditional access fails:

```yaml
resources:
- name: bind-iam-policy-secret-accessor
  type: gcp-types/cloudresourcemanager-v1:virtual.projects.iamMemberBinding
  properties:
    resource: myprojectA
    role: roles/secretmanager.secretAccessor
    member: "serviceAccount:sandeep@myproject.iam.gserviceaccount.com"
    condition: "resource.name.extract('/secrets/{name}').startsWith('sandeep-')"
```

sandyydk commented 2 years ago

Any idea how to specify a condition and its expression here? Thanks.
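For reference, the shape a conditional binding takes in the underlying IAM policy (policy `version` 3, and `condition` as an object with `expression`, `title` and optional `description` rather than a bare string) is shown in the following added Python example, which is not part of this issue or of the repository's code. It performs the read-modify-write merge that a member binding amounts to, on a constructed sample policy; whether the `virtual.projects.iamMemberBinding` type accepts a `condition` property at all is not stated on this page and is not assumed here.

```python
import copy

# Constructed sample project policy (not taken from the issue), in the shape
# getIamPolicy returns before any conditional binding exists.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwX-constructed",
    "bindings": [{"role": "roles/viewer", "members": ["user:alice@example.com"]}],
}


def validate_policy(policy):
    """Return the shape problems IAM rejects: a condition given as a bare
    string, a condition missing expression/title, or any conditional
    binding in a policy whose version is below 3."""
    problems, has_condition = [], False
    for binding in policy.get("bindings", []):
        cond = binding.get("condition")
        if cond is None:
            continue
        has_condition = True
        if not isinstance(cond, dict) or not {"expression", "title"}.issubset(cond):
            problems.append(f"{binding.get('role')}: condition must be an object with 'expression' and 'title'")
    if has_condition and policy.get("version", 1) < 3:
        problems.append("conditional bindings require policy version 3")
    return problems


def add_conditional_binding(policy, role, member, expression, title, description=None):
    """Read-modify-write merge: return a copy of `policy` granting `member`
    the `role` only while `expression` holds. A conditional binding is kept
    separate from an unconditional binding for the same role, as IAM does."""
    new_policy = copy.deepcopy(policy)
    condition = {"expression": expression, "title": title}
    if description:
        condition["description"] = description
    bindings = new_policy.setdefault("bindings", [])
    for binding in bindings:
        if binding.get("role") == role and binding.get("condition") == condition:
            if member not in binding["members"]:
                binding["members"].append(member)
            break
    else:
        bindings.append({"role": role, "members": [member], "condition": condition})
    new_policy["version"] = 3  # conditions are only honoured at policy version 3
    problems = validate_policy(new_policy)
    if problems:
        raise ValueError("; ".join(problems))
    return new_policy
```

Calling `add_conditional_binding` twice with the same inputs leaves a single binding, and a policy that carries a string-valued `condition` is reported by `validate_policy` before anything is written.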