Patch Storage Bucket IAM Policy
I am trying to patch a storage bucket's IAM policy using the storage's GCP Type Provider. However, the Cloud Storage JSON API answers back with an error 400: Bad Request.
I based my template on an example that updates IAM policies at the project level. The example can be found here: https://github.com/GoogleCloudPlatform/deploymentmanager-samples/blob/master/google/resource-snippets/cloudresourcemanager-v1/patch_iam_project.yaml
This is what my template looks like:
"""Patch IAM Policy for a Storage Bucket"""
def GenerateConfig(context):
resources = [{
'name': 'get-bucket-iam-policy',
'action': 'gcp-types/storage-v1:storage.buckets.getIamPolicy',
'metadata': {
'runtimePolicy': ['UPDATE_ALWAYS']
},
'properties': {
'bucket': 'MY_BUCKET'
}
}, {
'name': 'patch-bucket-iam-policy'
'action': 'gcp-types/storage-v1:storage.buckets.setIamPolicy',
'properties': {
'bucket': 'MY_BUCKET',
'policy': '$(ref.get-bucket-iam-policy)',
'gcpIamPolicyPatch': {
'add': [{
'role': 'roles/storage.admin',
'members': [ 'serviceAccount:ROBOT_SERVICE_ACCOUNT' ]
}]
}
}
}]
return {'resources': resources}
When executing the deployment, this is the answer I receive from DM:
ERROR: (gcloud.deployment-manager.deployments.update) Error in Operation [operation-1538660104879-5776738fb3b99-2d8cdc3d-a8609678]: errors:
- code: RESOURCE_ERROR
location: /deployments/MY_DEPLOYMENT/resources/patch-bucket-iam-policy
message: '{
"ResourceType":"gcp-types/storage-v1:storage.buckets.setIamPolicy",
"ResourceErrorCode":"400",
"ResourceErrorMessage":{
"code":400,
"errors":[{
"domain":"global",
"message":"A policy to update must be provided.",
"reason":"required"
}],
"message":"A policy to update must be provided.",
"statusMessage":"Bad Request",
"requestPath":"https://www.googleapis.com/storage/v1/b/MY_BUCKET/iam",
"httpMethod":"PUT"
}
}'
As you can see, the policy object present in the JSON does not seem to be picked up by DM. I tested the get-bucket-iam-policy operation by exposing its output and it seems fine to me:
OUTPUTS VALUE
bucket-iam-policy[resourceId] projects/_/buckets/MY_BUCKET
bucket-iam-policy[kind] storage#policy
bucket-iam-policy[etag] CAE=
bucket-iam-policy[bindings] [
{u'role': u'roles/storage.legacyBucketOwner', u'members': [u'projectEditor:MY_PROJECT', u'projectOwner:MY_PROJECT']},
{u'role': u'roles/storage.legacyBucketReader', u'members': [u'projectViewer:MY_PROJECT']}
]
I couldn't find any example of how to make this work, and couldn't find documentation on this subject either. The Cloud Storage JSON API doesn't help much; it only suggests passing a Policy entity in the request parameter when calling the setIamPolicy method.
I suspect that DM actually expects the Policy entity to be passed in another parameter, but again I couldn't find documentation on this anywhere.
Is there any information out there that could help me achieve this?
Thanks
Issue Analytics
- Created 5 years ago
- Reactions: 2
- Comments: 24 (10 by maintainers)
I am happy to announce the gcp-types/storage-v1:virtual.buckets.iamMemberBinding type. We updated the CFT Bucket template as well.
@ihachani please use our latest template: https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/tree/master/dm/templates/gcs_bucket
@AliGouta gcp-types/storage-v1:virtual.storage.buckets.iamMemberBinding is rolling out to Staging today, we are planning to roll out to production soon, possibly next week.
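As an added example (not code from the issue, from the maintainers, or from the CFT gcs_bucket template), the Python template below shows both approaches the thread touches on: a helper that performs the read-modify-write merge the original getIamPolicy/setIamPolicy pair needs, preserving the existing bindings and the etag from the fetched policy, and a GenerateConfig that emits one resource per grant using the virtual.buckets.iamMemberBinding type announced above. It assumes the virtual type takes the properties bucket, role and member (not confirmed by the thread; check the type's schema), uses the policy shape printed in the issue's outputs as constructed sample input, and grants roles/storage.objectViewer rather than roles/storage.admin, since a robot account that only reads objects should not be a bucket administrator.

```python
"""Added example, not code from the issue or from the CFT gcs_bucket template.

Two ways to grant a member a role on a bucket from a Deployment Manager
Python template:

  1. add_binding(): the read-modify-write merge the get/set pair in the
     original post needs. setIamPolicy replaces the whole policy, so the
     fetched bindings must be kept, the member must not be duplicated,
     and the etag must be carried over so a concurrent edit is rejected
     instead of silently overwritten.
  2. GenerateConfig(): one resource per grant using the
     virtual.buckets.iamMemberBinding type the maintainers announced.

Assumed (not confirmed by the thread): the virtual type takes the
properties 'bucket', 'role' and 'member'; the policy dict has the shape
printed in the issue's getIamPolicy outputs.
"""
import copy

# Property names for this type are an assumption; check the type's schema.
VIRTUAL_BINDING_TYPE = 'gcp-types/storage-v1:virtual.buckets.iamMemberBinding'

# Constructed from the getIamPolicy output shown in the issue.
SAMPLE_POLICY = {
    'resourceId': 'projects/_/buckets/MY_BUCKET',
    'kind': 'storage#policy',
    'etag': 'CAE=',
    'bindings': [
        {'role': 'roles/storage.legacyBucketOwner',
         'members': ['projectEditor:MY_PROJECT', 'projectOwner:MY_PROJECT']},
        {'role': 'roles/storage.legacyBucketReader',
         'members': ['projectViewer:MY_PROJECT']},
    ],
}


def add_binding(policy, role, member):
    """Return a copy of `policy` with `member` granted `role`.

    Existing bindings are kept (dropping them would revoke access for
    everyone else), the member is added at most once, and every other
    field of the fetched policy, including the etag, is left unchanged.
    """
    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault('bindings', [])
    for binding in bindings:
        if binding['role'] == role:
            if member not in binding['members']:
                binding['members'].append(member)
            break
    else:
        bindings.append({'role': role, 'members': [member]})
    return new_policy


def GenerateConfig(context):
    """DM entry point: emit one iamMemberBinding resource per requested grant.

    context.properties is expected to look like
      {'bucket': 'MY_BUCKET',
       'bindings': [{'role': 'roles/storage.objectViewer',
                     'member': 'serviceAccount:ROBOT_SERVICE_ACCOUNT'}]}
    Each grant is its own resource, so the template describes single
    bindings rather than owning the bucket's whole policy.
    """
    bucket = context.properties['bucket']
    resources = []
    for index, grant in enumerate(context.properties['bindings']):
        resources.append({
            'name': 'iam-binding-%d' % index,
            'type': VIRTUAL_BINDING_TYPE,
            'properties': {
                'bucket': bucket,
                'role': grant['role'],
                'member': grant['member'],
            },
        })
    return {'resources': resources}


class FakeContext(object):
    """Stand-in for the context object DM passes to GenerateConfig."""

    def __init__(self, properties):
        self.properties = properties


if __name__ == '__main__':
    merged = add_binding(SAMPLE_POLICY, 'roles/storage.objectViewer',
                         'serviceAccount:ROBOT_SERVICE_ACCOUNT')
    print(merged)
    print(GenerateConfig(FakeContext({
        'bucket': 'MY_BUCKET',
        'bindings': [{'role': 'roles/storage.objectViewer',
                      'member': 'serviceAccount:ROBOT_SERVICE_ACCOUNT'}],
    })))
```

The merge helper is what a caller of setIamPolicy is responsible for whether or not DM is in the loop: the API takes a complete policy, so a template that sends only the new binding, or sends a policy without the etag it read, can clobber bindings added by someone else in the meantime. The virtual type sidesteps that by letting DM manage one member/role pair at a time.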