google deployment manager assigning IAM policies a

Published 2020-02-13 04:57

Question:

I am using Deployment Manager to update a project with IAM policies. In GCP Deployment Manager's templates they use a Python/Jinja file, but I would like to add an IAM policy (assign a user/service account some role). Can someone modify the Jinja/config file and pinpoint what I need to change?

https://github.com/GoogleCloudPlatform/deploymentmanager-samples/blob/master/examples/v2/project_creation/config.yaml

https://github.com/GoogleCloudPlatform/deploymentmanager-samples/blob/master/examples/v2/project_creation/project.py

Answer 1:

Here's a Jinja snippet that creates a new service account and adds it as an owner of an existing project. This requires granting Deployment Manager the proper access to manage IAM for the project.

{% set deployment = env['deployment'] %}
{% set project = env['project'] %}

resources:
- name: {{ deployment }}-svc-account
  type: iam.v1.serviceAccount
  properties:
    accountId: {{ deployment }}-svc-account
    displayName: {{ deployment }}-svc-account

- name: get-iam-policy
  action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.getIamPolicy
  properties:
    resource: {{ project }}
  metadata:
    runtimePolicy:
    - 'UPDATE_ALWAYS'

- name: patch-iam-policy
  action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy
  properties:
    resource: {{ project }}
    policy: $(ref.get-iam-policy)
    gcpIamPolicyPatch:
      add:
      - role: roles/owner
        members:
        - serviceAccount:$(ref.{{ deployment }}-svc-account.email)


Answer 2:

Please follow Adam Ocsvari's example to assign the IAM policy. The old method was to get all the IAM binding policies, add a few role -> members bindings, then set all the bindings. He is providing a new method using 'type': 'gcp-types/cloudresourcemanager-v1:virtual.projects.iamMemberBinding'. I used one of the links he provided to find the Python template that assigns IAM policy bindings. The code there has a nested loop. I only needed to create a single service account and assign one binding:

service-accounts.py

def GenerateConfig(context):
    project_id = context.env['project']
    service_account = context.properties['service-account']

    resources = [
        {
            'name': service_account,
            'type': 'iam.v1.serviceAccount',
            'properties': {
                'accountId': service_account,
                'displayName': service_account,
                'projectId': project_id
            }
        },
        {
            'name': 'bind-iam-policy',
            'type': 'gcp-types/cloudresourcemanager-v1:virtual.projects.iamMemberBinding',
            'properties': {
                'resource': project_id,
                'role': 'roles/dataflow.admin',
                'member': 'serviceAccount:$(ref.' + service_account + '.email)'
            },
            'metadata': {
                'dependsOn': [service_account]
            }
        }
    ]

    return {'resources': resources}

service-accounts.yaml

imports:
  - path: service-accounts.py

resources:
  - name: service-accounts
    type: service-accounts.py
    properties:
      project: [*YOUR_PROJECT_ID*]
      service-account: k8s-service-account

This example creates a k8s-service-account and assigns the Dataflow admin role to it. Make sure you grant Deployment Manager permission to set IAM policies before you start.



Answer 3:

Please avoid using these solutions:

gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.getIamPolicy
gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy

They can cause concurrent IAM policy update errors. The Deployment Manager team is providing a new type that binds these two actions together:

  'type': 'gcp-types/cloudresourcemanager-v1:virtual.projects.iamMemberBinding',

Check out the following implementations as part of the Cloud Foundation Toolkit provided by Google Cloud:

Cloud Foundation Toolkit NEW repo - IAM binding

Cloud Foundation Toolkit OLD repo - IAM binding

Cloud Foundation Toolkit NEW repo - Project Creation Factory
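Putting the two previous answers together: the following Python template is an added example, not code from the question, the answers, or the Cloud Foundation Toolkit. It takes the single-account/single-binding template from the answer above and generalizes it into the nested loop that answer mentions, emitting one virtual.projects.iamMemberBinding resource per (role, member) pair so Deployment Manager performs the IAM read-modify-write itself rather than the template issuing getIamPolicy/setIamPolicy actions. The properties layout (service-account, bindings) and the _Context stand-in are assumptions made for this example; the project id, account id and members in example() are constructed values.

```python
# Added example (not from the question or any answer): a Deployment Manager
# Python template that emits one virtual.projects.iamMemberBinding resource per
# (role, member) pair. Deployment Manager then serialises the IAM
# read-modify-write itself, instead of the template calling getIamPolicy and
# setIamPolicy by hand and risking concurrent-update errors.
#
# Assumed property shape (a layout chosen for this example, not a GCP schema):
#   properties:
#     service-account: <account id>
#     bindings:
#       - role: roles/...
#         members: [ ... ]        # optional extra members besides the new account
#
# The service account created here is added to every listed role.

IAM_MEMBER_BINDING = ('gcp-types/cloudresourcemanager-v1:'
                      'virtual.projects.iamMemberBinding')


def _binding_name(role, binding_idx, member_idx):
    """Build a unique resource name such as 'bind-0-dataflow-admin-0'.

    Resource names must be unique within a deployment, and role ids contain
    '/' and '.', so the role is slugified and both indices are appended.
    """
    slug = role.split('/', 1)[-1].lower().replace('.', '-')
    return 'bind-%d-%s-%d' % (binding_idx, slug, member_idx)


def GenerateConfig(context):
    """Entry point Deployment Manager calls for a .py template."""
    project_id = context.env['project']
    sa_id = context.properties['service-account']
    # Reference to the account's email, resolved by Deployment Manager at deploy
    # time; it also makes every binding implicitly depend on the account.
    sa_member = 'serviceAccount:$(ref.' + sa_id + '.email)'

    resources = [{
        'name': sa_id,
        'type': 'iam.v1.serviceAccount',
        'properties': {
            'accountId': sa_id,
            'displayName': sa_id,
            'projectId': project_id,
        },
    }]

    for b_idx, binding in enumerate(context.properties.get('bindings', [])):
        role = binding['role']
        # The new account always receives the role; extra members are optional.
        members = [sa_member] + list(binding.get('members', []))
        for m_idx, member in enumerate(members):
            resources.append({
                'name': _binding_name(role, b_idx, m_idx),
                'type': IAM_MEMBER_BINDING,
                'properties': {
                    'resource': project_id,
                    'role': role,
                    'member': member,
                },
                # Explicit dependency for members that carry no $(ref.) back to
                # the account, so bindings are created after the account exists.
                'metadata': {'dependsOn': [sa_id]},
            })

    return {'resources': resources}


class _Context(object):
    """Stand-in for the context object Deployment Manager passes to GenerateConfig
    (constructed for offline use; the real object exposes the same two fields)."""

    def __init__(self, env, properties):
        self.env = env
        self.properties = properties


def example():
    """Constructed input: one account, two roles, one extra human member."""
    ctx = _Context(
        env={'project': 'example-project', 'deployment': 'example-deployment'},
        properties={
            'service-account': 'k8s-service-account',
            'bindings': [
                {'role': 'roles/dataflow.admin'},
                {'role': 'roles/bigquery.dataEditor',
                 'members': ['user:iamtester@deployment-manager.net']},
            ],
        })
    return GenerateConfig(ctx)


if __name__ == '__main__':
    import json
    print(json.dumps(example(), indent=2))
```

Running the file locally prints the resource list Deployment Manager would receive, which is a convenient way to review exactly which member gets which role before a deployment touches the real project policy; the template itself is used like the service-accounts.py/service-accounts.yaml pair above, with a bindings list in place of the single hard-coded role.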



Answer 4:

You need to change the part of the config.yaml file shown below and add the users or service accounts you need under the members line.

iam-policy:
  bindings:
  - role: roles/owner
    members:
    - serviceAccount:98765432111@cloudservices.gserviceaccount.com
    - serviceAccount:98765432100@cloudservices.gserviceaccount.com
  - role: roles/viewer
    members:
    - user:iamtester@deployment-manager.net

For example, you can add "- user:foo@bar.com" under members in the proper section to make that user an owner or viewer of the project.



Answer 5:

My code to add permissions to a service account.

{% set deployment = env['deployment'] %}
{% set project = env['project'] %}

resources:
- name: get-iam-policy
  action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.getIamPolicy
  properties:
    resource: {{ project }}
  metadata:
    runtimePolicy:
    - 'UPDATE_ALWAYS'
- name: patch-iam-policy
  action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy
  properties:
    resource: {{ project }}
    policy: $(ref.get-iam-policy)
    gcpIamPolicyPatch:
      add:
      - role: roles/bigquery.dataEditor
        members:
        - serviceAccount:<service account>