
How to assign roles to service account using jinja & YAML file #679

@ajeshsuseelan

Description


Hi,

As per the document below, I have created a Jinja and a YAML file for assigning different roles to a service account.

https://github.com/GoogleCloudPlatform/deploymentmanager-samples/blob/master/google/resource-snippets/cloudresourcemanager-v1/virtualProjectMember.yaml

My code:

test1.yaml

```yaml
imports:
- path: policies.jinja

resources:
- name: policies
  type: policies.jinja
  properties:
    # Roles granted to every listed service account.
    roles:
    - roles/redis.viewer
    - roles/bigquery.dataEditor
    - roles/datastore.user
    - roles/dataflow.worker
    # Account ids (the part before "@"); the domain is fixed in policies.jinja.
    serviceAccounts:
    - concurrent-test-1
```

policies.jinja

```jinja
{# Bind on the deployment's own project unless a "resource" property is given. #}
{% set resource = properties.get("resource", env["project"]) %}
{# "projects/..." or "folders/..." selects the resource type; folders use the v2 API. #}
{% set type = resource.split("/", 1)[0] if "/" in resource else "projects" %}
{% set apiVersion = "v2" if type == "folders" else "v1" %}
{# The unused "projectName" lookup from the original template is dropped: test1.yaml never passes it. #}
resources:
{% for role in properties["roles"] %}
{% for serviceAccount in properties["serviceAccounts"] %}
- name: {{ type }}-{{ role }}-{{ serviceAccount }}
  type: gcp-types/cloudresourcemanager-{{ apiVersion }}:virtual.{{ type }}.iamMemberBinding
  properties:
    resource: {{ resource }}
    member: serviceAccount:{{ serviceAccount }}@isolated-project.iam.gserviceaccount.com
    role: {{ role }}
{% endfor %}
{% endfor %}
```

When I tried to execute the template below in Deployment Manager, it failed with the error below:

```
ERROR: (gcloud.deployment-manager.deployments.create) Error in Operation [operation-1642430647081-5d5c82f49988d-b159f25f-cbfa46a1]: errors:
- code: RESOURCE_ERROR
  location: /deployments/jinja-stream-dataflow/resources/projects-roles/redis.viewer-concurrent-test-1
  message: '{"ResourceType":"gcp-types/cloudresourcemanager-v1:virtual.projects.iamMemberBinding","ResourceErrorCode":"400","ResourceErrorMessage":{"code":400,"message":"One or more users named in the policy do not belong to a permitted customer.","status":"FAILED_PRECONDITION","details":[{"@type":"type.googleapis.com/google.rpc.PreconditionFailure","violations":[{"type":"constraints/iam.allowedPolicyMemberDomains","subject":"orgpolicy:projects/nowtv-adload-discovery?configvalue=concurrent-test-1%40isolated-project.iam.gserviceaccount.com","description":"User concurrent-test-1@isolated-project.iam.gserviceaccount.com is not in permitted organization."}]}],"statusMessage":"Bad Request","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects/nowtv-adload-discovery:setIamPolicy","httpMethod":"POST"}}'
```

Please suggest.
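An added pre-flight check for the template above (example code, not part of the issue or of the deploymentmanager-samples repository). It re-implements the nested loop from policies.jinja in plain Python so the generated `iamMemberBinding` resources can be listed offline without jinja2 or gcloud, and then screens every member against an allow-list of principal domains. The allow-list is only a local approximation of the `constraints/iam.allowedPolicyMemberDomains` org policy named in the error: the real constraint matches on Cloud Identity customer IDs, not on domain strings, so a hit here is a warning to verify rather than proof of rejection. The project ids `nowtv-adload-discovery` and `isolated-project` are taken from the issue; the `saProject` property is an assumed replacement for the domain hard-coded in the template.

```python
"""Offline expansion of policies.jinja plus a domain-restricted-sharing screen.

Added example, not code from the issue or the sample repository.
"""
from typing import Dict, Iterable, List, Tuple

# Constructed inputs mirroring test1.yaml; "saProject" is an assumed extra property.
PROPERTIES: Dict = {
    "roles": [
        "roles/redis.viewer",
        "roles/bigquery.dataEditor",
        "roles/datastore.user",
        "roles/dataflow.worker",
    ],
    "serviceAccounts": ["concurrent-test-1"],
    "saProject": "isolated-project",
}
# What Deployment Manager exposes to the template as env["project"].
ENV = {"project": "nowtv-adload-discovery"}


def expand_bindings(properties: Dict, env: Dict) -> List[Dict]:
    """Mirror policies.jinja: one virtual.<type>.iamMemberBinding per (role, SA)."""
    resource = properties.get("resource", env["project"])
    rtype = resource.split("/", 1)[0] if "/" in resource else "projects"
    api_version = "v2" if rtype == "folders" else "v1"
    bindings = []
    for role in properties["roles"]:
        for sa in properties["serviceAccounts"]:
            member = f"serviceAccount:{sa}@{properties['saProject']}.iam.gserviceaccount.com"
            bindings.append({
                "name": f"{rtype}-{role}-{sa}",
                "type": f"gcp-types/cloudresourcemanager-{api_version}:virtual.{rtype}.iamMemberBinding",
                "properties": {"resource": resource, "member": member, "role": role},
            })
    return bindings


def member_domain(member: str) -> str:
    """Domain part of an IAM member string.

    'serviceAccount:x@p.iam.gserviceaccount.com' -> 'p.iam.gserviceaccount.com'.
    Members without a principal domain (allUsers, allAuthenticatedUsers, domain:)
    are rejected so they never silently pass the screen.
    """
    kind, sep, principal = member.partition(":")
    if not sep or kind not in ("user", "group", "serviceAccount"):
        raise ValueError(f"unsupported or malformed member: {member!r}")
    if "@" not in principal:
        raise ValueError(f"member has no domain: {member!r}")
    return principal.rsplit("@", 1)[1].lower()


def rejected_members(bindings: Iterable[Dict], allowed_domains: Iterable[str]) -> List[Tuple[str, str]]:
    """(resource name, member) pairs whose domain is outside the allow-list.

    Approximates iam.allowedPolicyMemberDomains; the real constraint keys on
    customer IDs, so use this as an early warning, not as the authority.
    """
    allowed = {d.lower() for d in allowed_domains}
    return [
        (b["name"], b["properties"]["member"])
        for b in bindings
        if member_domain(b["properties"]["member"]) not in allowed
    ]


if __name__ == "__main__":
    bindings = expand_bindings(PROPERTIES, ENV)
    for b in bindings:
        print(b["name"], "->", b["properties"]["member"])
    # Assumption for the demo: only SAs that live in the deployment project count as in-org.
    bad = rejected_members(bindings, [f"{ENV['project']}.iam.gserviceaccount.com"])
    for name, member in bad:
        print("would be rejected by domain restricted sharing:", name, member)
```

Running it prints the four bindings the template expands to and flags every one of them, because the service account lives in `isolated-project` while the policy is being set on `nowtv-adload-discovery`; if the two projects sit under different organizations, that is exactly the precondition the error reports.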
