Patch Storage Bucket IAM Policy #283
Comments
As a quick response: We will look into this template as well.
Thanks for answering so fast. The template you linked was exactly what I was looking for, thanks for sharing it!
@quentin-sensome have you been able to implement the append to a binding from a getIamPolicy? I'm trying to add pull permissions to a service account on a GCR bucket, but the only way I've been able to implement this binding is by updating the entire binding list.
I have no idea how to get the
There is a getIamPolicy > setIamPolicy example here: The Deployment Manager team is working on an update which may solve your problem without using getIamPolicy at all. ETA before the end of the year. I highly recommend you switch from Jinja to Python. Your macros will start to be way too complex while limiting you compared to Python.
Thanks for the fast response! Using the same method as with project IAM bindings doesn't seem to be working, as stated in the initial issue report. Just in case, I tried, but it is failing with the Deploying:
Returns:
Just in case it may be useful, the templates used are: https://github.com/raelga/bigot.es/blob/master/gcp/templates/storage/bucket.jinja I wanted to add the GKE nodes SA as viewer to be able to pull images, but as a resource of the cluster deployment. This way, if the cluster deployment is removed, the IAM binding is removed too. https://github.com/raelga/bigot.es/blob/master/gcp/deployments/bigotes-pro/bonnie-cluster.yaml#L38 I ended up adding the binding manually in the bucket deployment, otherwise it removes any other binding: https://github.com/raelga/bigot.es/blob/master/gcp/deployments/bigotes-pro/bonnie-cluster.yaml#L38 But I would like to add the binding in the cluster deployment, as I'm already doing with the nodes role in: https://github.com/raelga/bigot.es/blob/master/gcp/templates/container/kubernetes-cluster.jinja#L43 Glad to hear that the DM team is working on the issue. About using Python, I know it may be more powerful, but so far I've been able to do everything with Jinja. And to be honest, I find Jinja templates prettier and cleaner than appending JSONs with Python.
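The clobbering described in the comment above (a binding written through setIamPolicy removing every other binding on the bucket) is the general hazard of any API whose "set" call replaces the whole policy. The following is an added example, not code from this thread, from Deployment Manager or from the linked templates: it takes a policy shaped like the JSON that `buckets.getIamPolicy` returns, appends one member to one role without touching the other bindings, carries the `etag` over so that a write based on a stale read can be rejected, and includes a pre-flight check that lists which bindings a candidate policy would drop. The bucket name, project, roles and service-account addresses are constructed placeholders, and no API call is made, so it runs offline.

```python
"""Read-modify-write helper for a Cloud Storage bucket IAM policy.

Added example, not code from the issue thread or from Deployment Manager.
The policy document below is a constructed sample shaped like the JSON
that buckets.getIamPolicy returns; the bucket, project, roles and members
are placeholders. No API calls are made: the functions operate on the
policy dict so the merge logic can be run and tested offline.
"""
import copy
import json

# Constructed sample of what buckets.getIamPolicy returns for a bucket.
CURRENT_POLICY = {
    "kind": "storage#policy",
    "resourceId": "projects/_/buckets/example-bucket",
    "etag": "CAE=",
    "bindings": [
        {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectOwner:example-project"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    ],
}


def add_member(policy, role, member):
    """Return a copy of `policy` with `member` added to `role`.

    Existing bindings are kept; the member is appended to the matching role
    binding if one exists, otherwise a new binding is created. The call is
    idempotent, and the etag is carried over so that setIamPolicy can reject
    a write that was based on a stale read.
    """
    new_policy = copy.deepcopy(policy)
    for binding in new_policy.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new_policy
    new_policy["bindings"].append({"role": role, "members": [member]})
    return new_policy


def naive_policy(role, member):
    """What a template that passes only the new binding effectively sends:
    a policy containing just that binding, which setIamPolicy applies
    wholesale, dropping every other binding on the bucket."""
    return {"bindings": [{"role": role, "members": [member]}]}


def members_of(policy, role):
    """Members currently bound to `role` in `policy` (empty list if none)."""
    for binding in policy.get("bindings", []):
        if binding["role"] == role:
            return list(binding["members"])
    return []


def lost_bindings(before, after):
    """(role, member) pairs present in `before` but missing from `after`.

    Run this against the policy you are about to submit; a non-empty result
    means the write would silently revoke access somebody relies on."""
    lost = []
    for binding in before.get("bindings", []):
        kept = set(members_of(after, binding["role"]))
        for member in binding["members"]:
            if member not in kept:
                lost.append((binding["role"], member))
    return lost


if __name__ == "__main__":
    node_sa = "serviceAccount:gke-nodes@example-project.iam.gserviceaccount.com"
    merged = add_member(CURRENT_POLICY, "roles/storage.objectViewer", node_sa)
    print(json.dumps(merged, indent=2))
    print("lost by merge:", lost_bindings(CURRENT_POLICY, merged))
    print("lost by naive set:",
          lost_bindings(CURRENT_POLICY,
                        naive_policy("roles/storage.objectViewer", node_sa)))
```

In a real deployment the dict passed to `add_member` would come from a fresh `getIamPolicy` call and the result would go straight into `setIamPolicy`; keeping the `etag` from the read is what turns the pair into a guarded update rather than a blind overwrite.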
Hi, we are facing exactly the same problem, any update from Google about that?
Apologies for not updating this thread. The product team released a new feature: I keep this issue open for myself to release a tutorial for your issue; while I'm working on it, feel free to try it out yourself. The key is the
Thanks for the update, looking forward to testing it.
It's related to project IAM bindings, not storage IAM bindings? Is there an equivalent for storage?
We are working on adding further 'virtual' endpoints for other bindings during Q2.
Hello, I also reached that particular trouble with And I noticed a behavior difference between setting up by storage console/gsutil and setting up by IAM (via DM or project-wide): But, if I manually set the bucket policy using gsutil or the console, I can actually pull the image and run the pod. When I export the policy with
@lukeFalsina with some delay we managed to push Our next target is the
Hi, any update on this?
@ihachani please use our latest template: https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/tree/master/dm/templates/gcs_bucket @AliGouta gcp-types/storage-v1:virtual.storage.buckets.iamMemberBinding is rolling out to Staging today, we are planning to roll out to production soon, possibly next week.
Any news about the rollout to PROD? I'm eager to test if it'll solve my issue (https://stackoverflow.com/questions/56759231/gcp-grant-a-service-account-permission-to-write-in-a-gcs-bucket-with-deployment).
+1, we'd be eager to test
The feature passed reviews, should be part of this week's rollout, checking back on Friday.
I am happy to announce the We updated the CFT Bucket template as well.
@ocsig Is there a usage example for the new types?
CFT IAM member binding template supports storage from now on. Is that what you were looking for?
This is really helpful! We've used it in one of our templates.
So atm it seems that the only way to update the bucket name is to rename the resource (which works).
Changing type is not supported; also there are properties which can't be changed via DM or the API, only by deletion and recreation of the resource. By renaming the DM resource, it looks like you deleted the old one and created a new one, and that's what DM will do. This can be inconvenient; I am pushing the DM team to support delete+recreate based updates where it's possible.
Hi, I am trying to set an IAM policy on a GCS bucket but with a condition. Although https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/tree/master/dm/templates/iam_member is creating the permission, I want to add a condition to allow only a specific folder. Can anyone tell me how to do it?
Hi, as far as I know, you must do it with bucket ACLs, not from IAM policies.
I've tried from bucket IAM permissions and restricted the access, but it seems IAM conditions are not supported yet in Deployment Manager.
I am trying to patch a storage bucket's IAM policy using the storage's GCP Type Provider. However the Cloud Storage JSON API answers back with an error 400: Bad Request.
I based my template on an example that updates IAM policies at the project level. The example can be found here: https://github.com/GoogleCloudPlatform/deploymentmanager-samples/blob/master/google/resource-snippets/cloudresourcemanager-v1/patch_iam_project.yaml
This is what my template looks like:
When executing the deployment, this is the answer I receive from DM:
As you can see, the `policy` object present in the JSON does not seem to be picked up by DM. I tested the `get-bucket-iam-policy` operation by exposing its output and it seems fine to me:

I couldn't find any example on how to make this work, and couldn't find documentation on this subject either. The Cloud Storage JSON API doesn't help much; it only suggests passing a `Policy` entity in the `request` parameter when calling the `setIamPolicy` method. I suspect that DM actually expects the `Policy` entity to be passed in another parameter, but again I couldn't find documentation on this anywhere. Is there any information out there that could help me achieve this?
Thanks