How to assign roles to service account using jinja & YAML file #679

@ajeshsuseelan

Description

Hi,

As per the document below, I have created a Jinja and a YAML file for assigning different roles to a service account.

https://github.com/GoogleCloudPlatform/deploymentmanager-samples/blob/master/google/resource-snippets/cloudresourcemanager-v1/virtualProjectMember.yaml

My code:

test1.yaml

```yaml
imports:
- path: policies.jinja

resources:
- name: policies
  type: policies.jinja
  properties:
    roles:
    - roles/redis.viewer
    - roles/bigquery.dataEditor
    - roles/datastore.user
    - roles/dataflow.worker
    serviceAccounts:
    - concurrent-test-1
```

policies.jinja

```jinja
resources:
{# Bind every role to every service account on the target resource
   (defaults to the deployment's own project). #}
{% set resource = properties.get("resource", env["project"]) %}
{# Not used below, and test1.yaml does not supply projectName. #}
{% set project = properties["projectName"] %}
{% set type = resource.split("/", 1)[0] if "/" in resource else "projects" %}
{% set apiVersion = "v2" if type == "folders" else "v1" %}
{% for role in properties["roles"] %}
{% for serviceAccount in properties["serviceAccounts"] %}
- name: {{ type }}-{{ role }}-{{ serviceAccount }}
  type: gcp-types/cloudresourcemanager-{{ apiVersion }}:virtual.{{ type }}.iamMemberBinding
  properties:
    resource: {{ resource }}
    {# The member's home project is hard-coded here, independent of the deployment project. #}
    member: serviceAccount:{{ serviceAccount }}@isolated-project.iam.gserviceaccount.com
    role: {{ role }}
{% endfor %}
{% endfor %}
```

When I tried to execute the template above in Deployment Manager, it failed with the error below:

```
ERROR: (gcloud.deployment-manager.deployments.create) Error in Operation [operation-1642430647081-5d5c82f49988d-b159f25f-cbfa46a1]: errors:
- code: RESOURCE_ERROR
  location: /deployments/jinja-stream-dataflow/resources/projects-roles/redis.viewer-concurrent-test-1
  message: '{"ResourceType":"gcp-types/cloudresourcemanager-v1:virtual.projects.iamMemberBinding","ResourceErrorCode":"400","ResourceErrorMessage":{"code":400,"message":"One
    or more users named in the policy do not belong to a permitted customer.","status":"FAILED_PRECONDITION","details":[{"@type":"type.googleapis.com/google.rpc.PreconditionFailure","violations":[{"type":"constraints/iam.allowedPolicyMemberDomains","subject":"orgpolicy:projects/nowtv-adload-discovery?configvalue=concurrent-test-1%40isolated-project.iam.gserviceaccount.com","description":"User
    concurrent-test-1@isolated-project.iam.gserviceaccount.com is not in permitted
    organization."}]}],"statusMessage":"Bad Request","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects/nowtv-adload-discovery:setIamPolicy","httpMethod":"POST"}}'
```

Please suggest.
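A pre-flight check that reproduces the (role, member) bindings the two nested Jinja loops above generate and flags the members that the `constraints/iam.allowedPolicyMemberDomains` constraint named in the error would reject, before `gcloud` is ever run. This is an added example in Python, not code from the issue author or the deploymentmanager-samples project; the organization's project IDs and domains passed to the check are constructed, and modelling the constraint as "member belongs to one of the organization's projects or domains" is an assumption (the real constraint compares Cloud Identity customer IDs).

```python
"""Pre-flight check for the IAM members a DM template will bind (added example,
not code from the issue author or the deploymentmanager-samples project)."""
import re
from itertools import product

# Constructed inputs mirroring test1.yaml and the member string in policies.jinja.
ROLES = ["roles/redis.viewer", "roles/bigquery.dataEditor",
         "roles/datastore.user", "roles/dataflow.worker"]
SERVICE_ACCOUNTS = ["concurrent-test-1"]
SA_PROJECT = "isolated-project"  # hard-coded in the template's member string

# Project-owned service accounts look like <id>@<project>.iam.gserviceaccount.com
SA_EMAIL = re.compile(r"^[^@]+@([a-z0-9-]+)\.iam\.gserviceaccount\.com$")

def expand_bindings(roles, service_accounts, sa_project):
    """Reproduce the (role, member) pairs the two nested Jinja loops emit."""
    return [(role, f"serviceAccount:{sa}@{sa_project}.iam.gserviceaccount.com")
            for role, sa in product(roles, service_accounts)]

def member_home(member):
    """Classify a member as ('public'|'project'|'domain'|'unknown', identifier)."""
    kind, _, ident = member.partition(":")
    if kind in ("allUsers", "allAuthenticatedUsers") and not ident:
        return ("public", kind)
    if kind == "serviceAccount" and (m := SA_EMAIL.match(ident)):
        return ("project", m.group(1))  # the project that owns the account
    if kind in ("user", "group", "serviceAccount"):  # e.g. default compute SA
        return ("domain", ident.rsplit("@", 1)[-1])
    if kind == "domain":
        return ("domain", ident)
    return ("unknown", member)

def check_policy_members(bindings, org_projects, org_domains):
    """Return (role, member, reason) for each binding the constraint would reject."""
    # ASSUMPTION: the organization is modelled as the project IDs and Workspace
    # domains it owns; the real constraint compares Cloud Identity customer IDs.
    rejected = []
    for role, member in bindings:
        kind, ident = member_home(member)
        if kind == "public":
            rejected.append((role, member, "public principals are never permitted"))
        elif kind == "project" and ident not in org_projects:
            rejected.append((role, member, f"project {ident} is outside the organization"))
        elif kind == "domain" and ident not in org_domains:
            rejected.append((role, member, f"domain {ident} is not a permitted customer"))
        elif kind == "unknown":
            rejected.append((role, member, "unrecognised member syntax"))
    return rejected
```

Run against the values from the issue, all four bindings are reported because `isolated-project` is not among the organization's projects; pointing `SA_PROJECT` at a project inside the organization (or passing the account's home project through `properties` instead of hard-coding it) clears the check.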
