Skip to content

Instantly share code, notes, and snippets.

@seeker815

seeker815/sa.ts

Last active February 2, 2023 06:44
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
service account gap
Raw
sa.ts
const saApiAdmin = new gcp.serviceaccount.Account(`sa-apiadmin-${projectEnv}`, {
accountId: `sa-apiadmin-${projectEnv}`,
displayName: `A service account used for bucket access for API`,
});
const storageRWRole = new gcp.projects.IAMCustomRole(`role-api-storage-rw-${projectEnv}`, {
description: "Bucket/pubsub read write role",
permissions: [
"storage.objects.create",
"storage.objects.list",
"storage.objects.get",
"storage.objects.update",
"storage.multipartUploads.create",
"storage.multipartUploads.listParts",
"storage.multipartUploads.abort",
"resourcemanager.projects.getIamPolicy",
],
roleId: `roleapistoragerw${projectEnv}`,
title: `role-api-storage-rw-${projectEnv}`,
});
const saApiAdminIam = new gcp.serviceaccount.IAMBinding("saapiadmin-account-iam", {
serviceAccountId: saApiAdmin.name,
role: storageRWRole.id,
members: [pulumi.concat("serviceAccount", ":", saApiAdmin.email)],
});
export const saAdmin = saApiAdmin.email;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment