
googleIamPolicy

Generates an IAM policy document that may be referenced by and applied to other Google Cloud Platform IAM resources, such as the google_project_iam_policy resource.

Note: Please review the documentation of the resource you will be using this data source with. Some resources, such as google_project_iam_policy, have limitations in their API methods which are noted on their respective pages.

data "google_iam_policy" "admin" {
  # One binding per role; each binding lists the principals granted that role.
  binding {
    role = "roles/compute.instanceAdmin"

    members = [
      "serviceAccount:your-custom-sa@your-project.iam.gserviceaccount.com",
    ]
  }

  binding {
    role = "roles/storage.objectViewer"

    members = [
      "user:alice@gmail.com",
    ]
  }

  # Data Access audit logging for Cloud KMS. Trailing commas are not valid
  # after an argument inside an HCL block, so none are used here.
  audit_config {
    service = "cloudkms.googleapis.com"
    audit_log_configs {
      log_type         = "DATA_READ"
      exempted_members = ["user:you@domain.com"]
    }

    audit_log_configs {
      log_type = "DATA_WRITE"
    }

    audit_log_configs {
      log_type = "ADMIN_READ"
    }
  }
}

This data source is used to define IAM policies to apply to other resources. Currently, defining a policy through a data source and referencing that policy from another resource is the only way to apply a complete IAM policy to a resource. The *_iam_policy resources that consume policy_data are authoritative: they replace the whole policy on the target, so any binding not present in this data source (including bindings that were created outside Terraform, or the ones your own identity depends on) is removed on apply.
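The following is an added example, not code from the original page or the provider docs. It builds a policy with this data source, applies it to a project through google_project_iam_policy, and uses a plan-time precondition (Terraform 1.2 or later) to refuse a policy that grants anything to the public identities allUsers or allAuthenticatedUsers. Because policy_data is computed locally rather than fetched from the API, jsondecode can inspect it during plan. The project ID, principal addresses and group name are placeholders.

```hcl
# Added example: authoritative project policy with a public-access guard.
data "google_iam_policy" "project" {
  binding {
    role    = "roles/viewer"
    members = ["group:auditors@example.com"] # placeholder group
  }

  binding {
    role    = "roles/compute.instanceAdmin"
    members = ["serviceAccount:deployer@your-project-id.iam.gserviceaccount.com"] # placeholder SA
  }

  # Data Access logs for every service. Admin Activity (ADMIN_WRITE) logs
  # are always recorded and cannot be configured here.
  audit_config {
    service = "allServices"

    audit_log_configs {
      log_type = "DATA_READ"
    }

    audit_log_configs {
      log_type = "DATA_WRITE"
    }
  }
}

resource "google_project_iam_policy" "project" {
  project     = "your-project-id" # placeholder
  policy_data = data.google_iam_policy.project.policy_data

  lifecycle {
    # policy_data is JSON with a top-level "bindings" list; fail the plan if
    # any binding includes a public identity.
    precondition {
      condition = length([
        for b in jsondecode(data.google_iam_policy.project.policy_data).bindings : b
        if contains(b.members, "allUsers") || contains(b.members, "allAuthenticatedUsers")
      ]) == 0
      error_message = "Policy grants a role to allUsers or allAuthenticatedUsers."
    }
  }
}
```

Before applying an authoritative policy for the first time, run `terraform plan` and compare the bindings in the data source against the project's current policy (for example `gcloud projects get-iam-policy your-project-id`), so that no default service-account grants or your own administrative binding are dropped unintentionally.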

Argument Reference

The following arguments are supported:

  • audit_config (Optional) - A nested configuration block that defines additional audit logging configuration for the target project, folder or organization. This field is only supported on google_project_iam_policy, google_folder_iam_policy and google_organization_iam_policy.

    • service (Required) Defines a service that will be enabled for audit logging. For example, storage.googleapis.com or cloudsql.googleapis.com. allServices is a special value that covers all services.
    • audit_log_configs (Required) A nested block that defines the operations you'd like to log. Multiple audit_log_configs blocks may be given, one per log type.
    • log_type (Required) Defines the logging level. DATA_READ, DATA_WRITE and ADMIN_READ capture different types of Data Access events; Admin Activity (ADMIN_WRITE) logs are always enabled and cannot be configured here. See the audit configuration documentation for more details.
    • exempted_members (Optional) Specifies the identities that are exempt from these types of logging operations. Follows the same format as the members array for binding.
  • binding (Required) - A nested configuration block (described below) defining a binding to be included in the policy document. Multiple binding blocks are supported.

Each document configuration must have one or more binding blocks, which each accept the following arguments:

  • role (Required) - The role/permission that will be granted to the members. See the IAM Roles documentation for a complete list of roles. Note that custom roles must be of the format [projects|organizations]/{parentName}/roles/{roleName}.

  • members (Required) - An array of identities that will be granted the privileges in the role. For more details on format and restrictions see https://cloud.google.com/billing/reference/rest/v1/Policy#Binding. Each entry can have one of the following values:

    • allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account. Some resources don't support this identity.
    • allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account. Some resources don't support this identity.
    • user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com.
    • serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
    • group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
    • domain:{domain}: A G Suite (Google Workspace) domain name (the primary domain, not an alias) that represents all the users of that domain. For example, google.com or example.com.
  • condition - (Optional) An IAM Condition for a given binding, which restricts when the binding is in effect. Structure is documented below.

The condition block supports:

  • expression - (Required) Textual representation of an expression in Common Expression Language syntax.

  • title - (Required) A title for the expression, i.e. a short string describing its purpose.

  • description - (Optional) An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
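The following is an added example, not code from the original page or the provider docs, showing a conditional binding. The condition grants roles/storage.objectAdmin only until a fixed expiry time and only on resources whose name starts with a given bucket prefix, using the documented CEL attributes request.time and resource.name. The principal, expiry timestamp and bucket prefix are placeholders; conditional bindings require IAM policy version 3 on the target resource.

```hcl
# Added example: a time-bound, resource-scoped binding.
data "google_iam_policy" "break_glass" {
  binding {
    role    = "roles/storage.objectAdmin"
    members = ["user:oncall@example.com"] # placeholder principal

    condition {
      title       = "temporary-prod-bucket-access"
      description = "Expires automatically and is limited to prod-* buckets"

      # Both clauses must hold for the binding to apply. Cloud Storage
      # resource names have the form projects/_/buckets/BUCKET[/objects/OBJ],
      # so the prefix check covers the bucket and everything inside it.
      expression = <<-EOT
        request.time < timestamp("2025-01-31T00:00:00Z") &&
        resource.name.startsWith("projects/_/buckets/prod-")
      EOT
    }
  }
}
```

The role, members and condition together identify a binding, so the same role may appear in two binding blocks with different conditions (for example, one unconditional binding for a group and one time-bound binding for an on-call user). Expiry is enforced by IAM at request time; nothing removes the stale binding from the policy, so it should also be removed from the configuration once it is no longer needed.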

Attributes Reference

The following attribute is exported:

  • policy_data - The above bindings (and any audit_config blocks) serialized as an IAM policy JSON document, suitable for referencing from a resource that supports IAM, such as the policy_data argument of google_project_iam_policy.