How to assign roles to service account using jinja & YAML file #679

ajeshsuseelan opened this issue Jan 17, 2022 · 2 comments

@ajeshsuseelan

Hi,

As per the document below, I have created a Jinja and a YAML file for assigning different roles to a service account.

https://github.com/GoogleCloudPlatform/deploymentmanager-samples/blob/master/google/resource-snippets/cloudresourcemanager-v1/virtualProjectMember.yaml

My code:

test1.yaml

```yaml
imports:
- path: policies.jinja

resources:
- name: policies
  type: policies.jinja
  properties:
    # Every role is bound to every service account listed below.
    roles:
    - roles/redis.viewer
    - roles/bigquery.dataEditor
    - roles/datastore.user
    - roles/dataflow.worker
    serviceAccounts:
    - concurrent-test-1
```

policies.jinja

```jinja
resources:
{% set resource = properties.get("resource", env["project"]) %}
{% set project = properties["projectName"] %}
{# "folders/..." or "organizations/..." select the v2 API; bare project IDs use v1 #}
{% set type = resource.split("/", 1)[0] if "/" in resource else "projects" %}
{% set apiVersion = "v2" if type == "folders" else "v1" %}
{# One iamMemberBinding resource per (role, serviceAccount) pair #}
{% for role in properties["roles"] %}
{% for serviceAccount in properties["serviceAccounts"] %}
- name: {{ type }}-{{ role }}-{{ serviceAccount }}
  type: gcp-types/cloudresourcemanager-{{ apiVersion }}:virtual.{{ type }}.iamMemberBinding
  properties:
    resource: {{ resource }}
    member: serviceAccount:{{ serviceAccount }}@isolated-project.iam.gserviceaccount.com
    role: {{ role }}
{% endfor %}
{% endfor %}
```

When I tried to execute the template above in Deployment Manager, it failed with the error below:

```
ERROR: (gcloud.deployment-manager.deployments.create) Error in Operation [operation-1642430647081-5d5c82f49988d-b159f25f-cbfa46a1]: errors:
- code: RESOURCE_ERROR
  location: /deployments/jinja-stream-dataflow/resources/projects-roles/redis.viewer-concurrent-test-1
  message: '{"ResourceType":"gcp-types/cloudresourcemanager-v1:virtual.projects.iamMemberBinding","ResourceErrorCode":"400","ResourceErrorMessage":{"code":400,"message":"One
    or more users named in the policy do not belong to a permitted customer.","status":"FAILED_PRECONDITION","details":[{"@type":"type.googleapis.com/google.rpc.PreconditionFailure","violations":[{"type":"constraints/iam.allowedPolicyMemberDomains","subject":"orgpolicy:projects/nowtv-adload-discovery?configvalue=concurrent-test-1%40isolated-project.iam.gserviceaccount.com","description":"User
    concurrent-test-1@isolated-project.iam.gserviceaccount.com is not in permitted
    organization."}]}],"statusMessage":"Bad Request","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects/nowtv-adload-discovery:setIamPolicy","httpMethod":"POST"}}'
```

Please suggest.
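The expansion that policies.jinja performs, plus a pre-deploy check for the constraint named in the error, as an added example that is not part of this issue or of the deploymentmanager-samples project: `constraints/iam.allowedPolicyMemberDomains` rejects any member whose identity lives outside the permitted Cloud Identity customer, and here the bound service account's home project is the hard-coded `isolated-project`. The script mirrors the template's nested loops and flags members whose home project is not in `ORG_PROJECTS`, a constructed allowlist standing in for the real lookup of which projects sit under the permitted organization (an assumption: the constraint itself is keyed by customer ID, not by project name).

```python
# Added example (not from the issue): mirror policies.jinja's expansion and
# lint the generated members before running `gcloud deployment-manager`.
from typing import Dict, List, Optional, Set

# Properties as declared in test1.yaml.
PROPERTIES: Dict[str, List[str]] = {
    "roles": ["roles/redis.viewer", "roles/bigquery.dataEditor",
              "roles/datastore.user", "roles/dataflow.worker"],
    "serviceAccounts": ["concurrent-test-1"],
}
SA_PROJECT = "isolated-project"  # hard-coded in policies.jinja's member line
SA_SUFFIX = ".iam.gserviceaccount.com"

# Constructed allowlist (assumption): projects known to sit under the
# organization whose customer ID the org policy permits.
ORG_PROJECTS: Set[str] = {"nowtv-adload-discovery", "shared-services-prod"}


def expand_bindings(props: Dict[str, List[str]], sa_project: str = SA_PROJECT,
                    resource_type: str = "projects") -> List[Dict[str, str]]:
    """Same role x serviceAccount product as the two nested loops in policies.jinja."""
    bindings = []
    for role in props["roles"]:
        for sa in props["serviceAccounts"]:
            bindings.append({
                "name": f"{resource_type}-{role}-{sa}",
                "member": f"serviceAccount:{sa}@{sa_project}{SA_SUFFIX}",
                "role": role,
            })
    return bindings


def sa_home_project(member: str) -> Optional[str]:
    """'serviceAccount:x@p.iam.gserviceaccount.com' -> 'p'; None for other member kinds."""
    if not member.startswith("serviceAccount:") or "@" not in member:
        return None
    domain = member.split("@", 1)[1]
    return domain[:-len(SA_SUFFIX)] if domain.endswith(SA_SUFFIX) else None


def blocked_members(bindings: List[Dict[str, str]], org_projects: Set[str]) -> List[str]:
    """Members whose home project is outside org_projects: these are the ones
    setIamPolicy will reject under constraints/iam.allowedPolicyMemberDomains."""
    return sorted({b["member"] for b in bindings
                   if sa_home_project(b["member"]) not in org_projects})


if __name__ == "__main__":
    for member in blocked_members(expand_bindings(PROPERTIES), ORG_PROJECTS):
        print(f"would be rejected by allowedPolicyMemberDomains: {member}")
```

Run it before `gcloud deployment-manager deployments create`; an empty result means every generated member's home project is on the allowlist, while the flagged member is the one that needs a service account created in a project under the permitted organization instead.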

@sandyydk

sandyydk commented May 6, 2022

Facing an issue doing the same with conditional access. Can anyone clarify?

@sandyydk

sandyydk commented May 6, 2022

@ajeshsuseelan It might be that your service is not part of the given organization's conditions? I believe there is some policy blocking, or allowing only those users with certain parameters to be allowed access. Maybe this user does not belong to or clear those policies.
