github.com/nathanielks/terraform@v0.6.1-0.20170509030759-13e1a62319dc/website/source/docs/providers/google/d/google_iam_policy.html.markdown

---
layout: "google"
page_title: "Google: google_iam_policy"
sidebar_current: "docs-google-datasource-iam-policy"
description: |-
  Generates an IAM policy that can be referenced by other resources, applying
  the policy to them.
---

# google\_iam\_policy

Generates an IAM policy document that may be referenced by and applied to
other Google Cloud Platform resources, such as the `google_project` resource.

```
data "google_iam_policy" "admin" {
  binding {
    role = "roles/compute.instanceAdmin"

    members = [
      "serviceAccount:your-custom-sa@your-project.iam.gserviceaccount.com",
    ]
  }

  binding {
    role = "roles/storage.objectViewer"

    members = [
      "user:evanbrown@google.com",
    ]
  }
}
```

This data source is used to define IAM policies to apply to other resources.
Currently, defining a policy through a data source and referencing that policy
from another resource is the only way to apply an IAM policy to a resource.

**Note:** Several restrictions apply when setting IAM policies through this API.
See the [setIamPolicy docs](https://cloud.google.com/resource-manager/reference/rest/v1/projects/setIamPolicy)
for a list of these restrictions.

## Argument Reference

The following arguments are supported:

* `binding` (Required) - A nested configuration block (described below)
  defining a binding to be included in the policy document. Multiple
  `binding` blocks are supported.

Each policy document must have one or more `binding` blocks, each of which
accepts the following arguments:

* `role` (Required) - The role/permission that will be granted to the members.
  See the [IAM Roles](https://cloud.google.com/compute/docs/access/iam) documentation for a complete list of roles.
* `members` (Required) - An array of users/principals that will be granted
  the privilege in the `role`. For a human user, prefix the user's e-mail
  address with `user:` (e.g., `user:evandbrown@gmail.com`). For a service
  account, prefix the service account e-mail address with `serviceAccount:`
  (e.g., `serviceAccount:your-service-account@your-project.iam.gserviceaccount.com`).

## Attributes Reference

The following attribute is exported:

* `policy_data` - The above bindings serialized in a format suitable for
  referencing from a resource that supports IAM.
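The full flow the text describes, a policy defined in the data source and then applied to a project through `policy_data`, as an added example that is not part of the provider's documentation. Because setIamPolicy replaces the target's whole policy with the bindings you list, any binding left out of the data source (the project owners included) is removed on apply, so keep the owner binding explicit and grant the narrowest role that fits. It assumes the `google_project_iam_policy` resource (arguments `project` and `policy_data`), the placeholder project ID `your-project`, and constructed member addresses.

```hcl
# Added example, not from the provider docs. Assumes the
# google_project_iam_policy resource; "your-project" and the member
# addresses below are placeholders.

data "google_iam_policy" "project_policy" {
  # Keep the owner binding: the generated policy is authoritative and
  # replaces every existing binding on the project when applied.
  binding {
    role = "roles/owner"

    members = [
      "user:admin@example.com",
    ]
  }

  # Least-privilege grant for a workload identity: read-only object access
  # instead of a project-wide editor role.
  binding {
    role = "roles/storage.objectViewer"

    members = [
      "serviceAccount:app-sa@your-project.iam.gserviceaccount.com",
    ]
  }
}

# The resource that actually calls setIamPolicy; it consumes the serialized
# policy_data attribute exported by the data source above.
resource "google_project_iam_policy" "project" {
  project     = "your-project"
  policy_data = "${data.google_iam_policy.project_policy.policy_data}"
}

# Expose the serialized policy so it can be reviewed with `terraform plan`
# or `terraform output` before anything is applied.
output "project_policy_json" {
  value = "${data.google_iam_policy.project_policy.policy_data}"
}
```

Review the `project_policy_json` output in the plan before applying; a diff that drops an existing binding is the signal that a principal is about to lose access.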