ba...@google.com <ba...@google.com>
ka...@google.com <ka...@google.com> #2
Hello,
Thanks for reaching out to us!
The Product Engineering Team has been made aware of your feature request, and will address it in due course. Though we can't provide an ETA on feature requests nor guarantee their implementation, rest assured that your feedback is always taken very seriously, as it allows us to improve our products. Thank you for your trust and continued support to improve Google Cloud Platform products.
In case you want to report a new issue, please do not hesitate to create a new [Issue Tracker]
Thanks and Regards,
Onkar Mhetre
Google Cloud Support
Description
Please describe your requested enhancement. Good feature requests will solve common problems or enable new use cases.
What you would like to accomplish:
I would like to know how to manipulate IAM policies to address groups
What is the business impact you are facing?
Unable to delegate control of address groups.
Note that:
- this is NOT a terraform question; I'm merely using terraform to illustrate that something is possible, and as a convenient/concrete way to share the IDs of the various resources that I'm talking about.
EXAMPLE:
“
The question is how can I do the same thing with native gcloud commands (or the API)?
In the example from [1]:
resource "google_network_security_address_group_iam_member" "member" {
  location = google_network_security_address_group.default.location
  name     =
  role     = "roles/compute.networkAdmin"
  member   = "user:jane@example.com"
}
This allows jane@example.com to add/remove addresses from the “default” address group... but doesn’t allow jane to do anything else to the policy. How can I do the same thing with gcloud commands?
”
How this might work:
a gcloud command equivalent to the Terraform resource google_network_security_address_group_iam_member for setting IAM policies on Network Security Address Groups (NSAGs)
If applicable, reasons why alternative solutions are not sufficient:
gcloud Limitation: Currently, gcloud doesn't support assigning IAM roles directly to individual NSAGs.
The recommendation is using the REST API methods for managing NSAG IAM policies as there's no current gcloud equivalent.
REST API: Use the following REST API methods to manage IAM policies on NSAGs:
Set IAM Policy:
Get IAM Policy:
Important note when using REST API:
The Terraform and gcloud tools typically handle ETags [1] (entity tags) automatically during policy updates. However, when using the REST API directly, you're responsible for including the correct ETag value to ensure successful policy updates.
ETags: ETags are version identifiers for resources. Including the correct ETag in your setIamPolicy request helps prevent conflicts if the policy has been modified by another process since you retrieved it with getIamPolicy.
Typical REST API Workflow for Policy Updates:
- Use getIamPolicy to retrieve the current policy for the NSAG.
- Modify the retrieved policy to reflect the desired changes.
- Include the retrieved ETag value in your setIamPolicy request along with the modified policy.
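The read-modify-write loop above, as an added Python example that is not part of this issue or of Google's own tooling: the address-group resource path and the use of GET for getIamPolicy / POST for setIamPolicy are assumed from the Network Security API v1 convention, the token is whatever `gcloud auth print-access-token` returns, and FakePolicyStore is a constructed stand-in for the API so the flow (including the stale-etag rejection) can be run offline.

```python
import json
import urllib.request

API = "https://networksecurity.googleapis.com/v1"  # assumed base URL

def address_group_resource(project, location, name):
    # Assumed resource path convention for address groups.
    return f"{API}/projects/{project}/locations/{location}/addressGroups/{name}"

def add_member(policy, role, member):
    """Return a copy of `policy` with `member` added to `role`; the etag is kept."""
    bindings = [dict(b, members=list(b.get("members", []))) for b in policy.get("bindings", [])]
    for b in bindings:
        if b["role"] == role:
            if member not in b["members"]:
                b["members"].append(member)
            break
    else:
        bindings.append({"role": role, "members": [member]})
    return {"etag": policy.get("etag"), "bindings": bindings}

def http_json(method, url, token, body=None):
    """Minimal authenticated JSON call against the real API."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def grant_on_address_group(project, location, name, role, member, token, call=http_json):
    """getIamPolicy -> add binding -> setIamPolicy, echoing the etag read in step 1."""
    resource = address_group_resource(project, location, name)
    current = call("GET", f"{resource}:getIamPolicy", token)
    desired = add_member(current, role, member)
    if desired["bindings"] == current.get("bindings", []):
        return current  # member already bound: skip the write entirely
    return call("POST", f"{resource}:setIamPolicy", token, {"policy": desired})

class FakePolicyStore:
    """Constructed stand-in for the API: rejects a setIamPolicy whose etag is stale."""
    def __init__(self, etag="BwX0", bindings=None):
        self.policy, self.version = {"etag": etag, "bindings": bindings or []}, 0
    def __call__(self, method, url, token, body=None):
        if url.endswith(":getIamPolicy"):
            return json.loads(json.dumps(self.policy))
        if url.endswith(":setIamPolicy"):
            if body["policy"].get("etag") != self.policy["etag"]:
                raise RuntimeError("409 ABORTED: etag mismatch, re-run getIamPolicy")
            self.version += 1
            self.policy = dict(body["policy"], etag=f"BwX{self.version}")
            return json.loads(json.dumps(self.policy))
        raise ValueError(f"unexpected URL {url}")
```

Running the grant twice against the fake store shows the second call is a no-op; replaying a policy captured before another writer's update raises the 409, which is the conflict the ETag exists to surface.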
_______
[1]: