I want to write a GCP Deployment Manager resource template that can create an IAM policy binding to a service account as a resource. In particular, I want to configure allowing a member to impersonate a single service account with Deployment Manager.
I know this can be done with GCP console, gcloud SDK or Pulumi.
Maybe I'm missing something, but how can I achieve this with Deployment Manager?
You can use the Deployment Manager to create an IAM policy binding to a Service Account at the Service Account creation.
I tested it in my own project using the following jinja file.
```yaml
resources:
- name: test-name-deploy
  type: iam.v1.serviceAccount
  properties:
    accountId: testing
    displayName: testing-sa
  accessControl:
    gcpIamPolicy:
      bindings:
      - role: roles/editor
        members:
        - "user:myuser@gmail.com"
```

```
gcloud deployment-manager deployments create mytestdm --template=deploy.jinja
```
And I received the following result:
```
NAME              TYPE                   STATE      ERRORS  INTENT
test-name-deploy  iam.v1.serviceAccount  COMPLETED  []
```
Take into consideration that you need the API iam.googleapis.com enabled.
You can check the following documentation for further information.
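Deployment Manager also accepts Python templates, which makes the impersonation case from the question easier to parameterise and to sanity-check before deploying. The following is an added example, not code from the question or the answer above: a template whose `GenerateConfig(context)` entry point creates a service account and uses the same `accessControl` / `gcpIamPolicy` mechanism to grant `roles/iam.serviceAccountTokenCreator` (the role that lets a member mint tokens for, i.e. impersonate, that service account) to a list of members. The property names `accountId`, `displayName` and `impersonators`, the fake context class, and the sample member e-mail are this example's own assumptions; the real `context` object is supplied by Deployment Manager.

```python
# Added example (not from the original post): a Deployment Manager Python
# template that creates a service account and binds an impersonation role on
# it. Deployment Manager calls GenerateConfig(context) and expects a dict
# with a 'resources' list; context.properties carries the values passed in
# from the top-level config, context.env carries deployment metadata.
# Property names (accountId, displayName, impersonators) are assumptions
# chosen for this example.
import json

# Members that would make the service account impersonatable by anyone.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Role that allows generating access tokens for the service account, which
# is what "impersonation" means for GCP service accounts.
IMPERSONATION_ROLE = "roles/iam.serviceAccountTokenCreator"

# Member forms this template is willing to bind; anything else is rejected
# so a typo cannot silently widen the policy.
ALLOWED_MEMBER_PREFIXES = ("user:", "serviceAccount:", "group:")


def validate_members(members):
    """Reject bindings that would expose the service account publicly or
    use a member form this template does not expect."""
    if not members:
        raise ValueError("at least one impersonator is required")
    for m in members:
        if m in PUBLIC_MEMBERS:
            raise ValueError("public member not allowed: %s" % m)
        if not m.startswith(ALLOWED_MEMBER_PREFIXES):
            raise ValueError("unsupported member form: %s" % m)
    return list(members)


def GenerateConfig(context):
    """Deployment Manager entry point: returns the resources to deploy."""
    props = context.properties
    members = validate_members(props["impersonators"])
    resource = {
        "name": context.env["name"],
        "type": "iam.v1.serviceAccount",
        "properties": {
            "accountId": props["accountId"],
            "displayName": props.get("displayName", props["accountId"]),
        },
        # accessControl sets the IAM policy on the created resource itself,
        # not on the project, so the grant is scoped to this one account.
        "accessControl": {
            "gcpIamPolicy": {
                "bindings": [
                    {"role": IMPERSONATION_ROLE, "members": members}
                ]
            }
        },
    }
    return {"resources": [resource]}


class FakeContext:
    """Constructed stand-in for the context Deployment Manager passes in,
    so the template can be rendered and inspected offline."""

    def __init__(self, env, properties):
        self.env = env
        self.properties = properties


if __name__ == "__main__":
    ctx = FakeContext(
        env={"name": "ci-deployer-sa", "project": "example-project",
             "deployment": "demo"},
        properties={"accountId": "ci-deployer",
                    "displayName": "CI deployer",
                    # constructed sample member
                    "impersonators": ["user:alice@example.com"]},
    )
    print(json.dumps(GenerateConfig(ctx), indent=2))
```

Running the file locally prints the rendered resource so the binding can be reviewed before `gcloud deployment-manager deployments create` is run against it; the `validate_members` check is there because a binding to `allUsers` or `allAuthenticatedUsers` on a service account would let anyone obtain tokens for it, which is the opposite of the single-member grant the question asks for.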