1. Packages
  2. Google Cloud (GCP) Classic
  3. API Docs
  4. serviceaccount
  5. IAMPolicy
Google Cloud Classic v7.16.0 published on Wednesday, Mar 27, 2024 by Pulumi

gcp.serviceaccount.IAMPolicy

Explore with Pulumi AI

gcp logo
Google Cloud Classic v7.16.0 published on Wednesday, Mar 27, 2024 by Pulumi

    When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource is to add iam policy bindings to a service account resource, such as allowing the members to run operations as or modify the service account. To configure permissions for a service account on other GCP resources, use the google_project_iam set of resources.

    Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:

    • gcp.serviceaccount.IAMPolicy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.
    • gcp.serviceaccount.IAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.
    • gcp.serviceaccount.IAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.

    Note: gcp.serviceaccount.IAMPolicy cannot be used in conjunction with gcp.serviceaccount.IAMBinding and gcp.serviceaccount.IAMMember or they will fight over what your policy should be.

    Note: gcp.serviceaccount.IAMBinding resources can be used in conjunction with gcp.serviceaccount.IAMMember resources only if they do not grant privilege to the same role.

    Example Usage

    Service Account IAM Policy

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const admin = gcp.organizations.getIAMPolicy({
        bindings: [{
            role: "roles/iam.serviceAccountUser",
            members: ["user:jane@example.com"],
        }],
    });
    const sa = new gcp.serviceaccount.Account("sa", {
        accountId: "my-service-account",
        displayName: "A service account that only Jane can interact with",
    });
    const admin_account_iam = new gcp.serviceaccount.IAMPolicy("admin-account-iam", {
        serviceAccountId: sa.name,
        policyData: admin.then(admin => admin.policyData),
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    admin = gcp.organizations.get_iam_policy(bindings=[gcp.organizations.GetIAMPolicyBindingArgs(
        role="roles/iam.serviceAccountUser",
        members=["user:jane@example.com"],
    )])
    sa = gcp.serviceaccount.Account("sa",
        account_id="my-service-account",
        display_name="A service account that only Jane can interact with")
    admin_account_iam = gcp.serviceaccount.IAMPolicy("admin-account-iam",
        service_account_id=sa.name,
        policy_data=admin.policy_data)
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/organizations"
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
    			Bindings: []organizations.GetIAMPolicyBinding{
    				{
    					Role: "roles/iam.serviceAccountUser",
    					Members: []string{
    						"user:jane@example.com",
    					},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
    			AccountId:   pulumi.String("my-service-account"),
    			DisplayName: pulumi.String("A service account that only Jane can interact with"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = serviceaccount.NewIAMPolicy(ctx, "admin-account-iam", &serviceaccount.IAMPolicyArgs{
    			ServiceAccountId: sa.Name,
    			PolicyData:       pulumi.String(admin.PolicyData),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
        {
            Bindings = new[]
            {
                new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
                {
                    Role = "roles/iam.serviceAccountUser",
                    Members = new[]
                    {
                        "user:jane@example.com",
                    },
                },
            },
        });
    
        var sa = new Gcp.ServiceAccount.Account("sa", new()
        {
            AccountId = "my-service-account",
            DisplayName = "A service account that only Jane can interact with",
        });
    
        var admin_account_iam = new Gcp.ServiceAccount.IAMPolicy("admin-account-iam", new()
        {
            ServiceAccountId = sa.Name,
            PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.organizations.OrganizationsFunctions;
    import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
    import com.pulumi.gcp.serviceaccount.Account;
    import com.pulumi.gcp.serviceaccount.AccountArgs;
    import com.pulumi.gcp.serviceaccount.IAMPolicy;
    import com.pulumi.gcp.serviceaccount.IAMPolicyArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
                .bindings(GetIAMPolicyBindingArgs.builder()
                    .role("roles/iam.serviceAccountUser")
                    .members("user:jane@example.com")
                    .build())
                .build());
    
            var sa = new Account("sa", AccountArgs.builder()        
                .accountId("my-service-account")
                .displayName("A service account that only Jane can interact with")
                .build());
    
            var admin_account_iam = new IAMPolicy("admin-account-iam", IAMPolicyArgs.builder()        
                .serviceAccountId(sa.name())
                .policyData(admin.applyValue(getIAMPolicyResult -> getIAMPolicyResult.policyData()))
                .build());
    
        }
    }
    
    resources:
      sa:
        type: gcp:serviceaccount:Account
        properties:
          accountId: my-service-account
          displayName: A service account that only Jane can interact with
      admin-account-iam:
        type: gcp:serviceaccount:IAMPolicy
        properties:
          serviceAccountId: ${sa.name}
          policyData: ${admin.policyData}
    variables:
      admin:
        fn::invoke:
          Function: gcp:organizations:getIAMPolicy
          Arguments:
            bindings:
              - role: roles/iam.serviceAccountUser
                members:
                  - user:jane@example.com
    

    Service Account IAM Binding

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const sa = new gcp.serviceaccount.Account("sa", {
        accountId: "my-service-account",
        displayName: "A service account that only Jane can use",
    });
    const admin_account_iam = new gcp.serviceaccount.IAMBinding("admin-account-iam", {
        serviceAccountId: sa.name,
        role: "roles/iam.serviceAccountUser",
        members: ["user:jane@example.com"],
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    sa = gcp.serviceaccount.Account("sa",
        account_id="my-service-account",
        display_name="A service account that only Jane can use")
    admin_account_iam = gcp.serviceaccount.IAMBinding("admin-account-iam",
        service_account_id=sa.name,
        role="roles/iam.serviceAccountUser",
        members=["user:jane@example.com"])
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
    			AccountId:   pulumi.String("my-service-account"),
    			DisplayName: pulumi.String("A service account that only Jane can use"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = serviceaccount.NewIAMBinding(ctx, "admin-account-iam", &serviceaccount.IAMBindingArgs{
    			ServiceAccountId: sa.Name,
    			Role:             pulumi.String("roles/iam.serviceAccountUser"),
    			Members: pulumi.StringArray{
    				pulumi.String("user:jane@example.com"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var sa = new Gcp.ServiceAccount.Account("sa", new()
        {
            AccountId = "my-service-account",
            DisplayName = "A service account that only Jane can use",
        });
    
        var admin_account_iam = new Gcp.ServiceAccount.IAMBinding("admin-account-iam", new()
        {
            ServiceAccountId = sa.Name,
            Role = "roles/iam.serviceAccountUser",
            Members = new[]
            {
                "user:jane@example.com",
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.serviceaccount.Account;
    import com.pulumi.gcp.serviceaccount.AccountArgs;
    import com.pulumi.gcp.serviceaccount.IAMBinding;
    import com.pulumi.gcp.serviceaccount.IAMBindingArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var sa = new Account("sa", AccountArgs.builder()        
                .accountId("my-service-account")
                .displayName("A service account that only Jane can use")
                .build());
    
            var admin_account_iam = new IAMBinding("admin-account-iam", IAMBindingArgs.builder()        
                .serviceAccountId(sa.name())
                .role("roles/iam.serviceAccountUser")
                .members("user:jane@example.com")
                .build());
    
        }
    }
    
    resources:
      sa:
        type: gcp:serviceaccount:Account
        properties:
          accountId: my-service-account
          displayName: A service account that only Jane can use
      admin-account-iam:
        type: gcp:serviceaccount:IAMBinding
        properties:
          serviceAccountId: ${sa.name}
          role: roles/iam.serviceAccountUser
          members:
            - user:jane@example.com
    

    Service Account IAM Binding With IAM Conditions:

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const sa = new gcp.serviceaccount.Account("sa", {
        accountId: "my-service-account",
        displayName: "A service account that only Jane can use",
    });
    const admin_account_iam = new gcp.serviceaccount.IAMBinding("admin-account-iam", {
        serviceAccountId: sa.name,
        role: "roles/iam.serviceAccountUser",
        members: ["user:jane@example.com"],
        condition: {
            title: "expires_after_2019_12_31",
            description: "Expiring at midnight of 2019-12-31",
            expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    sa = gcp.serviceaccount.Account("sa",
        account_id="my-service-account",
        display_name="A service account that only Jane can use")
    admin_account_iam = gcp.serviceaccount.IAMBinding("admin-account-iam",
        service_account_id=sa.name,
        role="roles/iam.serviceAccountUser",
        members=["user:jane@example.com"],
        condition=gcp.serviceaccount.IAMBindingConditionArgs(
            title="expires_after_2019_12_31",
            description="Expiring at midnight of 2019-12-31",
            expression="request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        ))
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
    			AccountId:   pulumi.String("my-service-account"),
    			DisplayName: pulumi.String("A service account that only Jane can use"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = serviceaccount.NewIAMBinding(ctx, "admin-account-iam", &serviceaccount.IAMBindingArgs{
    			ServiceAccountId: sa.Name,
    			Role:             pulumi.String("roles/iam.serviceAccountUser"),
    			Members: pulumi.StringArray{
    				pulumi.String("user:jane@example.com"),
    			},
    			Condition: &serviceaccount.IAMBindingConditionArgs{
    				Title:       pulumi.String("expires_after_2019_12_31"),
    				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
    				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var sa = new Gcp.ServiceAccount.Account("sa", new()
        {
            AccountId = "my-service-account",
            DisplayName = "A service account that only Jane can use",
        });
    
        var admin_account_iam = new Gcp.ServiceAccount.IAMBinding("admin-account-iam", new()
        {
            ServiceAccountId = sa.Name,
            Role = "roles/iam.serviceAccountUser",
            Members = new[]
            {
                "user:jane@example.com",
            },
            Condition = new Gcp.ServiceAccount.Inputs.IAMBindingConditionArgs
            {
                Title = "expires_after_2019_12_31",
                Description = "Expiring at midnight of 2019-12-31",
                Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.serviceaccount.Account;
    import com.pulumi.gcp.serviceaccount.AccountArgs;
    import com.pulumi.gcp.serviceaccount.IAMBinding;
    import com.pulumi.gcp.serviceaccount.IAMBindingArgs;
    import com.pulumi.gcp.serviceaccount.inputs.IAMBindingConditionArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var sa = new Account("sa", AccountArgs.builder()        
                .accountId("my-service-account")
                .displayName("A service account that only Jane can use")
                .build());
    
            var admin_account_iam = new IAMBinding("admin-account-iam", IAMBindingArgs.builder()        
                .serviceAccountId(sa.name())
                .role("roles/iam.serviceAccountUser")
                .members("user:jane@example.com")
                .condition(IAMBindingConditionArgs.builder()
                    .title("expires_after_2019_12_31")
                    .description("Expiring at midnight of 2019-12-31")
                    .expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
                    .build())
                .build());
    
        }
    }
    
    resources:
      sa:
        type: gcp:serviceaccount:Account
        properties:
          accountId: my-service-account
          displayName: A service account that only Jane can use
      admin-account-iam:
        type: gcp:serviceaccount:IAMBinding
        properties:
          serviceAccountId: ${sa.name}
          role: roles/iam.serviceAccountUser
          members:
            - user:jane@example.com
          condition:
            title: expires_after_2019_12_31
            description: Expiring at midnight of 2019-12-31
            expression: request.time < timestamp("2020-01-01T00:00:00Z")
    

    Service Account IAM Member

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const default = gcp.compute.getDefaultServiceAccount({});
    const sa = new gcp.serviceaccount.Account("sa", {
        accountId: "my-service-account",
        displayName: "A service account that Jane can use",
    });
    const admin_account_iam = new gcp.serviceaccount.IAMMember("admin-account-iam", {
        serviceAccountId: sa.name,
        role: "roles/iam.serviceAccountUser",
        member: "user:jane@example.com",
    });
    // Allow SA service account use the default GCE account
    const gce_default_account_iam = new gcp.serviceaccount.IAMMember("gce-default-account-iam", {
        serviceAccountId: _default.then(_default => _default.name),
        role: "roles/iam.serviceAccountUser",
        member: pulumi.interpolate`serviceAccount:${sa.email}`,
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    default = gcp.compute.get_default_service_account()
    sa = gcp.serviceaccount.Account("sa",
        account_id="my-service-account",
        display_name="A service account that Jane can use")
    admin_account_iam = gcp.serviceaccount.IAMMember("admin-account-iam",
        service_account_id=sa.name,
        role="roles/iam.serviceAccountUser",
        member="user:jane@example.com")
    # Allow SA service account use the default GCE account
    gce_default_account_iam = gcp.serviceaccount.IAMMember("gce-default-account-iam",
        service_account_id=default.name,
        role="roles/iam.serviceAccountUser",
        member=sa.email.apply(lambda email: f"serviceAccount:{email}"))
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/compute"
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_default, err := compute.GetDefaultServiceAccount(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
    			AccountId:   pulumi.String("my-service-account"),
    			DisplayName: pulumi.String("A service account that Jane can use"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = serviceaccount.NewIAMMember(ctx, "admin-account-iam", &serviceaccount.IAMMemberArgs{
    			ServiceAccountId: sa.Name,
    			Role:             pulumi.String("roles/iam.serviceAccountUser"),
    			Member:           pulumi.String("user:jane@example.com"),
    		})
    		if err != nil {
    			return err
    		}
    		// Allow SA service account use the default GCE account
    		_, err = serviceaccount.NewIAMMember(ctx, "gce-default-account-iam", &serviceaccount.IAMMemberArgs{
    			ServiceAccountId: pulumi.String(_default.Name),
    			Role:             pulumi.String("roles/iam.serviceAccountUser"),
    			Member: sa.Email.ApplyT(func(email string) (string, error) {
    				return fmt.Sprintf("serviceAccount:%v", email), nil
    			}).(pulumi.StringOutput),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var @default = Gcp.Compute.GetDefaultServiceAccount.Invoke();
    
        var sa = new Gcp.ServiceAccount.Account("sa", new()
        {
            AccountId = "my-service-account",
            DisplayName = "A service account that Jane can use",
        });
    
        var admin_account_iam = new Gcp.ServiceAccount.IAMMember("admin-account-iam", new()
        {
            ServiceAccountId = sa.Name,
            Role = "roles/iam.serviceAccountUser",
            Member = "user:jane@example.com",
        });
    
        // Allow SA service account use the default GCE account
        var gce_default_account_iam = new Gcp.ServiceAccount.IAMMember("gce-default-account-iam", new()
        {
            ServiceAccountId = @default.Apply(@default => @default.Apply(getDefaultServiceAccountResult => getDefaultServiceAccountResult.Name)),
            Role = "roles/iam.serviceAccountUser",
            Member = sa.Email.Apply(email => $"serviceAccount:{email}"),
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.compute.ComputeFunctions;
    import com.pulumi.gcp.compute.inputs.GetDefaultServiceAccountArgs;
    import com.pulumi.gcp.serviceaccount.Account;
    import com.pulumi.gcp.serviceaccount.AccountArgs;
    import com.pulumi.gcp.serviceaccount.IAMMember;
    import com.pulumi.gcp.serviceaccount.IAMMemberArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var default = ComputeFunctions.getDefaultServiceAccount();
    
            var sa = new Account("sa", AccountArgs.builder()        
                .accountId("my-service-account")
                .displayName("A service account that Jane can use")
                .build());
    
            var admin_account_iam = new IAMMember("admin-account-iam", IAMMemberArgs.builder()        
                .serviceAccountId(sa.name())
                .role("roles/iam.serviceAccountUser")
                .member("user:jane@example.com")
                .build());
    
            var gce_default_account_iam = new IAMMember("gce-default-account-iam", IAMMemberArgs.builder()        
                .serviceAccountId(default_.name())
                .role("roles/iam.serviceAccountUser")
                .member(sa.email().applyValue(email -> String.format("serviceAccount:%s", email)))
                .build());
    
        }
    }
    
    resources:
      sa:
        type: gcp:serviceaccount:Account
        properties:
          accountId: my-service-account
          displayName: A service account that Jane can use
      admin-account-iam:
        type: gcp:serviceaccount:IAMMember
        properties:
          serviceAccountId: ${sa.name}
          role: roles/iam.serviceAccountUser
          member: user:jane@example.com
      # Allow SA service account use the default GCE account
      gce-default-account-iam:
        type: gcp:serviceaccount:IAMMember
        properties:
          serviceAccountId: ${default.name}
          role: roles/iam.serviceAccountUser
          member: serviceAccount:${sa.email}
    variables:
      default:
        fn::invoke:
          Function: gcp:compute:getDefaultServiceAccount
          Arguments: {}
    

    Service Account IAM Member With IAM Conditions:

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const sa = new gcp.serviceaccount.Account("sa", {
        accountId: "my-service-account",
        displayName: "A service account that Jane can use",
    });
    const admin_account_iam = new gcp.serviceaccount.IAMMember("admin-account-iam", {
        serviceAccountId: sa.name,
        role: "roles/iam.serviceAccountUser",
        member: "user:jane@example.com",
        condition: {
            title: "expires_after_2019_12_31",
            description: "Expiring at midnight of 2019-12-31",
            expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    sa = gcp.serviceaccount.Account("sa",
        account_id="my-service-account",
        display_name="A service account that Jane can use")
    admin_account_iam = gcp.serviceaccount.IAMMember("admin-account-iam",
        service_account_id=sa.name,
        role="roles/iam.serviceAccountUser",
        member="user:jane@example.com",
        condition=gcp.serviceaccount.IAMMemberConditionArgs(
            title="expires_after_2019_12_31",
            description="Expiring at midnight of 2019-12-31",
            expression="request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        ))
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
    			AccountId:   pulumi.String("my-service-account"),
    			DisplayName: pulumi.String("A service account that Jane can use"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = serviceaccount.NewIAMMember(ctx, "admin-account-iam", &serviceaccount.IAMMemberArgs{
    			ServiceAccountId: sa.Name,
    			Role:             pulumi.String("roles/iam.serviceAccountUser"),
    			Member:           pulumi.String("user:jane@example.com"),
    			Condition: &serviceaccount.IAMMemberConditionArgs{
    				Title:       pulumi.String("expires_after_2019_12_31"),
    				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
    				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var sa = new Gcp.ServiceAccount.Account("sa", new()
        {
            AccountId = "my-service-account",
            DisplayName = "A service account that Jane can use",
        });
    
        var admin_account_iam = new Gcp.ServiceAccount.IAMMember("admin-account-iam", new()
        {
            ServiceAccountId = sa.Name,
            Role = "roles/iam.serviceAccountUser",
            Member = "user:jane@example.com",
            Condition = new Gcp.ServiceAccount.Inputs.IAMMemberConditionArgs
            {
                Title = "expires_after_2019_12_31",
                Description = "Expiring at midnight of 2019-12-31",
                Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.serviceaccount.Account;
    import com.pulumi.gcp.serviceaccount.AccountArgs;
    import com.pulumi.gcp.serviceaccount.IAMMember;
    import com.pulumi.gcp.serviceaccount.IAMMemberArgs;
    import com.pulumi.gcp.serviceaccount.inputs.IAMMemberConditionArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var sa = new Account("sa", AccountArgs.builder()        
                .accountId("my-service-account")
                .displayName("A service account that Jane can use")
                .build());
    
            var admin_account_iam = new IAMMember("admin-account-iam", IAMMemberArgs.builder()        
                .serviceAccountId(sa.name())
                .role("roles/iam.serviceAccountUser")
                .member("user:jane@example.com")
                .condition(IAMMemberConditionArgs.builder()
                    .title("expires_after_2019_12_31")
                    .description("Expiring at midnight of 2019-12-31")
                    .expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
                    .build())
                .build());
    
        }
    }
    
    resources:
      sa:
        type: gcp:serviceaccount:Account
        properties:
          accountId: my-service-account
          displayName: A service account that Jane can use
      admin-account-iam:
        type: gcp:serviceaccount:IAMMember
        properties:
          serviceAccountId: ${sa.name}
          role: roles/iam.serviceAccountUser
          member: user:jane@example.com
          condition:
            title: expires_after_2019_12_31
            description: Expiring at midnight of 2019-12-31
            expression: request.time < timestamp("2020-01-01T00:00:00Z")
    

    Create IAMPolicy Resource

    new IAMPolicy(name: string, args: IAMPolicyArgs, opts?: CustomResourceOptions);
    @overload
    def IAMPolicy(resource_name: str,
                  opts: Optional[ResourceOptions] = None,
                  policy_data: Optional[str] = None,
                  service_account_id: Optional[str] = None)
    @overload
    def IAMPolicy(resource_name: str,
                  args: IAMPolicyArgs,
                  opts: Optional[ResourceOptions] = None)
    func NewIAMPolicy(ctx *Context, name string, args IAMPolicyArgs, opts ...ResourceOption) (*IAMPolicy, error)
    public IAMPolicy(string name, IAMPolicyArgs args, CustomResourceOptions? opts = null)
    public IAMPolicy(String name, IAMPolicyArgs args)
    public IAMPolicy(String name, IAMPolicyArgs args, CustomResourceOptions options)
    
    type: gcp:serviceaccount:IAMPolicy
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args IAMPolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args IAMPolicyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args IAMPolicyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args IAMPolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args IAMPolicyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    IAMPolicy Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The IAMPolicy resource accepts the following input properties:

    PolicyData string
    The policy data generated by a gcp.organizations.getIAMPolicy data source.
    ServiceAccountId string
    The fully-qualified name of the service account to apply policy to.

    • member/members - (Required) Identities that will be granted the privilege in role. Each entry can have one of the following values:
    • allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account.
    • allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account.
    • user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
    • serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
    • group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
    • domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
    PolicyData string
    The policy data generated by a gcp.organizations.getIAMPolicy data source.
    ServiceAccountId string
    The fully-qualified name of the service account to apply policy to.

    • member/members - (Required) Identities that will be granted the privilege in role. Each entry can have one of the following values:
    • allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account.
    • allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account.
    • user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
    • serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
    • group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
    • domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
    policyData String
    The policy data generated by a gcp.organizations.getIAMPolicy data source.
    serviceAccountId String
    The fully-qualified name of the service account to apply policy to.

    • member/members - (Required) Identities that will be granted the privilege in role. Each entry can have one of the following values:
    • allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account.
    • allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account.
    • user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
    • serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
    • group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
    • domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
    policyData string
    The policy data generated by a gcp.organizations.getIAMPolicy data source.
    serviceAccountId string
    The fully-qualified name of the service account to apply policy to.

    • member/members - (Required) Identities that will be granted the privilege in role. Each entry can have one of the following values:
    • allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account.
    • allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account.
    • user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
    • serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
    • group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
    • domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
    policy_data str
    The policy data generated by a gcp.organizations.getIAMPolicy data source.
    service_account_id str
    The fully-qualified name of the service account to apply policy to.

    • member/members - (Required) Identities that will be granted the privilege in role. Each entry can have one of the following values:
    • allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account.
    • allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account.
    • user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
    • serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
    • group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
    • domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
    policyData String
    The policy data generated by a gcp.organizations.getIAMPolicy data source.
    serviceAccountId String
    The fully-qualified name of the service account to apply policy to.

    • member/members - (Required) Identities that will be granted the privilege in role. Each entry can have one of the following values:
    • allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account.
    • allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account.
    • user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
    • serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
    • group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
    • domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the IAMPolicy resource produces the following output properties:

    Etag string
    (Computed) The etag of the service account IAM policy.
    Id string
    The provider-assigned unique ID for this managed resource.
    Etag string
    (Computed) The etag of the service account IAM policy.
    Id string
    The provider-assigned unique ID for this managed resource.
    etag String
    (Computed) The etag of the service account IAM policy.
    id String
    The provider-assigned unique ID for this managed resource.
    etag string
    (Computed) The etag of the service account IAM policy.
    id string
    The provider-assigned unique ID for this managed resource.
    etag str
    (Computed) The etag of the service account IAM policy.
    id str
    The provider-assigned unique ID for this managed resource.
    etag String
    (Computed) The etag of the service account IAM policy.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing IAMPolicy Resource

    Get an existing IAMPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: IAMPolicyState, opts?: CustomResourceOptions): IAMPolicy
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            etag: Optional[str] = None,
            policy_data: Optional[str] = None,
            service_account_id: Optional[str] = None) -> IAMPolicy
    func GetIAMPolicy(ctx *Context, name string, id IDInput, state *IAMPolicyState, opts ...ResourceOption) (*IAMPolicy, error)
    public static IAMPolicy Get(string name, Input<string> id, IAMPolicyState? state, CustomResourceOptions? opts = null)
    public static IAMPolicy get(String name, Output<String> id, IAMPolicyState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Etag string
    (Computed) The etag of the service account IAM policy.
    PolicyData string
    The policy data generated by a gcp.organizations.getIAMPolicy data source.
    ServiceAccountId string
    The fully-qualified name of the service account to apply policy to.

    • member/members - (Required) Identities that will be granted the privilege in role. Each entry can have one of the following values:
    • allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account.
    • allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account.
    • user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
    • serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
    • group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
    • domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
    Etag string
    (Computed) The etag of the service account IAM policy.
    PolicyData string
    The policy data generated by a gcp.organizations.getIAMPolicy data source.
    ServiceAccountId string
    The fully-qualified name of the service account to apply policy to.

    • member/members - (Required) Identities that will be granted the privilege in role. Each entry can have one of the following values:
    • allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account.
    • allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account.
    • user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
    • serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
    • group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
    • domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
    etag String
    (Computed) The etag of the service account IAM policy.
    policyData String
    The policy data generated by a gcp.organizations.getIAMPolicy data source.
    serviceAccountId String
    The fully-qualified name of the service account to apply policy to.

    • member/members - (Required) Identities that will be granted the privilege in role. Each entry can have one of the following values:
    • allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account.
    • allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account.
    • user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
    • serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
    • group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
    • domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
    etag string
    (Computed) The etag of the service account IAM policy.
    policyData string
    The policy data generated by a gcp.organizations.getIAMPolicy data source.
    serviceAccountId string
    The fully-qualified name of the service account to apply policy to.

    • member/members - (Required) Identities that will be granted the privilege in role. Each entry can have one of the following values:
    • allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account.
    • allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account.
    • user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
    • serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
    • group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
    • domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
    etag str
    (Computed) The etag of the service account IAM policy.
    policy_data str
    The policy data generated by a gcp.organizations.getIAMPolicy data source.
    service_account_id str
    The fully-qualified name of the service account to apply policy to.

    • member/members - (Required) Identities that will be granted the privilege in role. Each entry can have one of the following values:
    • allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account.
    • allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account.
    • user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
    • serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
    • group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
    • domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
    etag String
    (Computed) The etag of the service account IAM policy.
    policyData String
    The policy data generated by a gcp.organizations.getIAMPolicy data source.
    serviceAccountId String
    The fully-qualified name of the service account to apply policy to.

    • member/members - (Required) Identities that will be granted the privilege in role. Each entry can have one of the following values:
    • allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account.
    • allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account.
    • user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
    • serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
    • group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
    • domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.

    Import

    Importing with conditions:

    Here are examples of importing IAM memberships and bindings that include conditions:

    $ pulumi import gcp:serviceaccount/iAMPolicy:IAMPolicy admin-account-iam "projects/{your-project-id}/serviceAccounts/{your-service-account-email} roles/iam.serviceAccountUser expires_after_2019_12_31"
    
    $ pulumi import gcp:serviceaccount/iAMPolicy:IAMPolicy admin-account-iam "projects/{your-project-id}/serviceAccounts/{your-service-account-email} roles/iam.serviceAccountUser user:foo@example.com expires_after_2019_12_31"
    

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.
    gcp logo
    Google Cloud Classic v7.16.0 published on Wednesday, Mar 27, 2024 by Pulumi