[Question title]: How to create a service account with multiple roles? Google Cloud Deployment Manager
[Posted]: 2020-06-30 11:06:54
[Question description]:

Below I am creating a service account and binding 1 role to it. Does anyone know how I can bind multiple roles at once?

def GenerateConfig(context):
    project_id = context.env['project']
    service_account = context.properties['service-account']

    resources = [
        {
            'name': service_account,
            'type': 'iam.v1.serviceAccount',
            'properties': {
                'accountId': service_account,
                'displayName': service_account,
                'projectId': project_id
            }
        },
        {
            'name': 'bind-iam-policy',
            'type': 'gcp-types/cloudresourcemanager-v1:virtual.projects.iamMemberBinding',
            'properties': {
                'resource': project_id,
                'role': 'roles/bigquery.admin',
                'member': 'serviceAccount:$(ref.' + service_account + '.email)'
            },
            'metadata': {
                'dependsOn': [service_account]
            }
        }
    ]

    return {'resources': resources}

[Question discussion]:

  • Have you checked this document, which shows how to build the request with `projects.setIamPolicy()`? It may be useful to you.
  • Hey @rsalinas, thanks for the reply. Yes, I have already seen this document; it is a last resort, because I am hoping to automate this process of creating a service account and assigning multiple roles. With the link you sent I can add further roles after the service account has been created, but that means running 1 command to create the service account and then another command to assign the roles. Ideally I would like to run only 1 command to create the service account + whatever roles I need (hopefully assigning 7 at once).
  • There is no method or anything that creates the account and assigns roles in the same statement. I think you are better off creating the account and then assigning the roles with projects.setIamPolicy(), since that is only 2 calls and is easier to program.

Tags: python google-cloud-platform yaml google-deployment-manager


[Solution 1]:

You need to use setIAMPolicy. Below is an example, although it is built with a Jinja template. The example below not only creates the service accounts and assigns the policy, it also generates service account keys.

templates-bundle.yaml

imports:
- path: serviceaccounts-template.jinja

resources:
- name: serviceaccounts
  type: serviceaccounts-template.jinja
  properties:
    getIAMPolicy: get-iam-policy
    setIAMPolicy: set-iam-policy
    projectName: lottery-conference-staging
    serviceAccountKeys:  # Service Accounts where keys will be downloaded for access purposes
      - name: storage-buckets-backend-sa
      - name: cloud-build-deploy-sa
    iamMethod: add # replace to "remove" if in case you want to delete the added members using this deployment manager template
    identities: # Check roles at https://cloud.google.com/iam/docs/understanding-roles
      - role: roles/viewer
        member_type: group  # can be "user" or "serviceAccount"
        members: [abc@example.com]
      - role: roles/storage.admin
        member_type: serviceAccount
        members: [$(ref.storage-buckets-backend-sa.email), $(ref.cloud-build-deploy-sa.email)]
      - role: roles/storage.objectAdmin
        member_type: serviceAccount
        members: [$(ref.storage-buckets-backend-sa.email), $(ref.cloud-build-deploy-sa.email)]

serviceaccounts-template.jinja

{# Do not forget to add the "Project IAM Admin" role on *@cloudservices.gserviceaccount.com if experienced 403 #}
{% set project = properties["projectName"] %}

resources:
{% for serviceAccount in properties["serviceAccountKeys"] %}
  {% set name = serviceAccount["name"] %}
  - name: {{ name }}
    type: iam.v1.serviceAccount
    properties:
      displayName: {{ name }}
      projectId: {{ project }}
      accountId: {{ name }}
  - name: {{ name }}-keys
    type: iam.v1.serviceAccounts.key
    properties:
      parent: projects/{{ project }}/serviceAccounts/$(ref.{{ name }}.email)
      name: projects/{{ project }}/serviceAccounts/{{ name }}/keys/json
      privateKeyType: TYPE_GOOGLE_CREDENTIALS_FILE
      keyAlgorithm: KEY_ALG_RSA_2048
{% endfor %}
  - name: {{ properties["getIAMPolicy"] }}
    action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.getIamPolicy
    properties:
      resource: {{ project }}
  - name: {{ properties["setIAMPolicy"] }}
    action: gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy
    properties:
      resource: {{ project }}
      policy: $(ref.{{ properties["getIAMPolicy"] }})
      gcpIamPolicyPatch:
        {{ properties["iamMethod"] }}:
        {% for identity in properties["identities"] %}
        - role: {{ identity["role"] }}
          members:
          {% for member in identity["members"]  %}
          - {{ identity["member_type"] }}:{{ member }}
          {% endfor %}
        {% endfor %}

[Discussion]:
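The same getIamPolicy/setIamPolicy pattern as the Jinja answer, written as a Python Deployment Manager template in the style of the question, as an added example that is not part of the original question or answer. It generalizes the answer to any number of roles for one service account, validates the role list before emitting config, and supports the answer's `add`/`remove` switch. The property names `service-account`, `roles` and `iam-method`, the resource names derived from the account name, and the `bound_roles` helper are this example's own assumptions; the resource types and the `gcpIamPolicyPatch` shape are the ones the answer uses.

```python
"""Added example (not from the original post): create one service account and
bind several roles to it in a single Deployment Manager deployment, using the
projects.getIamPolicy / projects.setIamPolicy actions with gcpIamPolicyPatch.

Property names 'service-account', 'roles' and 'iam-method' are assumptions of
this example, not a Deployment Manager convention.
"""
import json


def _validate_roles(roles):
    """Reject an empty or malformed role list before any config is emitted.

    Every entry must look like 'roles/<service>.<role>' or 'roles/<role>';
    a typo here would otherwise only surface as a deployment-time error.
    Duplicates are dropped while preserving order.
    """
    if not roles:
        raise ValueError("at least one role is required")
    for role in roles:
        if not isinstance(role, str) or not role.startswith("roles/") or len(role) <= len("roles/"):
            raise ValueError("invalid role name: %r" % (role,))
    return list(dict.fromkeys(roles))


def GenerateConfig(context):
    project_id = context.env["project"]
    service_account = context.properties["service-account"]
    roles = _validate_roles(context.properties["roles"])
    # 'add' grants the bindings; 'remove' revokes them on a later update
    iam_method = context.properties.get("iam-method", "add")
    if iam_method not in ("add", "remove"):
        raise ValueError("iam-method must be 'add' or 'remove'")

    # The member string references the account's email once it exists
    member = "serviceAccount:$(ref." + service_account + ".email)"
    get_policy = service_account + "-get-iam-policy"   # assumed resource name
    set_policy = service_account + "-set-iam-policy"   # assumed resource name

    resources = [
        {
            "name": service_account,
            "type": "iam.v1.serviceAccount",
            "properties": {
                "accountId": service_account,
                "displayName": service_account,
                "projectId": project_id,
            },
        },
        {
            # Read the current project policy so the patch is applied on top of it
            "name": get_policy,
            "action": "gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.getIamPolicy",
            "properties": {"resource": project_id},
        },
        {
            # A single setIamPolicy call carries every role binding at once
            "name": set_policy,
            "action": "gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy",
            "properties": {
                "resource": project_id,
                "policy": "$(ref." + get_policy + ")",
                "gcpIamPolicyPatch": {
                    iam_method: [{"role": role, "members": [member]} for role in roles],
                },
            },
            "metadata": {"dependsOn": [service_account, get_policy]},
        },
    ]
    return {"resources": resources}


def bound_roles(config):
    """Return the roles a generated config binds, for review before deploying."""
    for resource in config["resources"]:
        patch = resource.get("properties", {}).get("gcpIamPolicyPatch")
        if patch:
            for bindings in patch.values():
                return [binding["role"] for binding in bindings]
    return []


if __name__ == "__main__":
    # Constructed context standing in for the one Deployment Manager passes
    class _Context(object):
        env = {"project": "example-project"}
        properties = {
            "service-account": "ci-deploy-sa",
            "roles": ["roles/bigquery.admin", "roles/storage.objectViewer"],
        }

    generated = GenerateConfig(_Context())
    print("binds:", bound_roles(generated))
    print(json.dumps(generated, indent=2))
```

Because `policy` is a reference to the getIamPolicy action, Deployment Manager orders the three resources correctly on its own; the explicit `dependsOn` simply makes that ordering visible to whoever reviews the template. Keep the role list to what the account actually needs; a `remove` deployment of the same template is the matching clean-up.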
