IAM policy for Google Cloud KMS key ring

Three different resources help you manage the IAM policy of a KMS key ring. Each of these resources serves a different use case, and the distinction matters because the authoritative ones silently remove grants they do not know about:

google_kms_key_ring_iam_policy: Authoritative. Sets the IAM policy for the key ring and replaces any existing policy already attached, including bindings created outside Terraform.
google_kms_key_ring_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members; other members of that role are removed, while other roles in the key ring's policy are preserved.
google_kms_key_ring_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a single member; other members of that role are preserved.

Note: google_kms_key_ring_iam_policy cannot be used in conjunction with google_kms_key_ring_iam_binding or google_kms_key_ring_iam_member on the same key ring, or they will fight over what the policy should be on every apply.

Note: google_kms_key_ring_iam_binding resources can be used in conjunction with google_kms_key_ring_iam_member resources only if they do not grant privilege to the same role.

google_kms_key_ring_iam_policy

resource "google_kms_key_ring" "keyring" {
  name     = "keyring-example"
  location = "global"
}

data "google_iam_policy" "admin" {
  binding {
    role = "roles/editor"

    members = [
      "user:jane@example.com",
    ]
  }
}

# Authoritative: the key ring's whole IAM policy becomes exactly the bindings
# declared in the google_iam_policy data source above. Note that roles/editor is a
# basic role; a Cloud KMS predefined role such as roles/cloudkms.admin is narrower.
resource "google_kms_key_ring_iam_policy" "key_ring" {
  key_ring_id = google_kms_key_ring.keyring.id
  policy_data = data.google_iam_policy.admin.policy_data
}

With IAM Conditions (beta):

resource "google_kms_key_ring" "keyring" {
  name     = "keyring-example"
  location = "global"
}

data "google_iam_policy" "admin" {
  binding {
    role = "roles/editor"

    members = [
      "user:jane@example.com",
    ]

    condition {
      title       = "expires_after_2019_12_31"
      description = "Expiring at midnight of 2019-12-31"
      expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
    }
  }
}

resource "google_kms_key_ring_iam_policy" "key_ring" {
  key_ring_id = google_kms_key_ring.keyring.id
  policy_data = data.google_iam_policy.admin.policy_data
}

google_kms_key_ring_iam_binding

# key_ring_id has the form {{project_id}}/{{location}}/{{key_ring_name}};
# referencing google_kms_key_ring.<name>.id produces the same string.
resource "google_kms_key_ring_iam_binding" "key_ring" {
  key_ring_id = "your-key-ring-id"
  role        = "roles/cloudkms.admin"

  # Authoritative for this role: members not listed here lose roles/cloudkms.admin.
  members = [
    "user:jane@example.com",
  ]
}

With IAM Conditions (beta):

resource "google_kms_key_ring_iam_binding" "key_ring" {
  key_ring_id = "your-key-ring-id"
  role        = "roles/cloudkms.admin"

  members = [
    "user:jane@example.com",
  ]

  condition {
    title       = "expires_after_2019_12_31"
    description = "Expiring at midnight of 2019-12-31"
    expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
  }
}

google_kms_key_ring_iam_member

resource "google_kms_key_ring_iam_member" "key_ring" {
  key_ring_id = "your-key-ring-id"
  role        = "roles/cloudkms.admin"
  member      = "user:jane@example.com"
}

With IAM Conditions (beta):

resource "google_kms_key_ring_iam_member" "key_ring" {
  key_ring_id = "your-key-ring-id"
  role        = "roles/cloudkms.admin"
  member      = "user:jane@example.com"

  condition {
    title       = "expires_after_2019_12_31"
    description = "Expiring at midnight of 2019-12-31"
    expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
  }
}
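The three resources above can be combined as long as the authoritative ones do not overlap. The following configuration is an added example, not taken from the provider documentation: it manages one key ring with a google_kms_key_ring_iam_binding for the admin role and a google_kms_key_ring_iam_member for a different role under a time-bound condition. The location, group, service account, project and expiry date are placeholder values.

```hcl
# Added example (not from the provider docs). Location, principals and the
# expiry timestamp are placeholders; substitute your own.

resource "google_kms_key_ring" "keyring" {
  name     = "keyring-example"
  location = "us-central1"
}

# Authoritative for roles/cloudkms.admin on this key ring: any admin granted
# outside Terraform is removed on the next apply, so drift cannot add admins.
resource "google_kms_key_ring_iam_binding" "admins" {
  key_ring_id = google_kms_key_ring.keyring.id
  role        = "roles/cloudkms.admin"

  members = [
    "group:kms-admins@example.com",
  ]
}

# Non-authoritative: adds one principal to roles/cloudkms.viewer without
# touching other members of that role. Safe next to the binding above because
# it targets a different role.
resource "google_kms_key_ring_iam_member" "auditor" {
  key_ring_id = google_kms_key_ring.keyring.id
  role        = "roles/cloudkms.viewer"
  member      = "serviceAccount:audit@example-project.iam.gserviceaccount.com"

  # Time-bound grant: the binding stops matching once the condition is false.
  condition {
    title       = "audit_window_until_2025"
    description = "Read-only key ring access until the end of 2024"
    expression  = "request.time < timestamp(\"2025-01-01T00:00:00Z\")"
  }
}
```

Adding a google_kms_key_ring_iam_policy for the same key ring, or a second google_kms_key_ring_iam_binding for roles/cloudkms.viewer, would overwrite what the other resources set on each apply; keep one authoritative resource per role. After terraform apply, gcloud kms keyrings get-iam-policy keyring-example --location us-central1 shows the resulting bindings, including the condition.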

Argument Reference

The following arguments are supported:

key_ring_id - (Required) The key ring ID, in the form {{project_id}}/{{location}}/{{key_ring_name}} or {{location}}/{{key_ring_name}}. In the second form, the provider's project setting is used as a fallback.

role - (Required, google_kms_key_ring_iam_binding and google_kms_key_ring_iam_member only) The role to grant, for example roles/cloudkms.admin. Only one google_kms_key_ring_iam_binding can be used per role. Custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

members / member - (Required, google_kms_key_ring_iam_binding and google_kms_key_ring_iam_member respectively) Identities that are granted the role. Each entry takes one of the forms user:{emailid}, serviceAccount:{emailid}, group:{emailid}, domain:{domain}, allAuthenticatedUsers or allUsers. The last two grant access to every Google account or to anyone on the internet and should not appear on a key ring.

policy_data - (Required, google_kms_key_ring_iam_policy only) The policy data generated by a google_iam_policy data source.

condition - (Optional) An IAM Condition attached to the binding.

The condition block supports:

expression - (Required) Textual representation of an expression in Common Expression Language syntax.

title - (Required) A title for the expression, i.e. a short string describing its purpose.

description - (Optional) A description of the expression.

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

etag - (Computed) The etag of the key ring's IAM policy.

Import

Importing IAM members

IAM member imports use space-delimited identifiers that contain the resource's key_ring_id, role, and member, for example {{project_id}}/{{location}}/{{key_ring_name}} roles/viewer user:foo@example.com.

An import block (Terraform v1.5.0 and later) can be used to import IAM members:

import {
  id = "{{project_id}}/{{location}}/{{key_ring_name}} roles/viewer user:foo@example.com"
  to = google_kms_key_ring_iam_member.default
}

The terraform import command can also be used:

$ terraform import google_kms_key_ring_iam_member.default "{{project_id}}/{{location}}/{{key_ring_name}} roles/viewer user:foo@example.com"

Importing IAM bindings

IAM binding imports use space-delimited identifiers that contain the key_ring_id and role, for example {{project_id}}/{{location}}/{{key_ring_name}} roles/viewer.

An import block (Terraform v1.5.0 and later) can be used to import IAM bindings:

import {
  id = "{{project_id}}/{{location}}/{{key_ring_name}} roles/viewer"
  to = google_kms_key_ring_iam_binding.default
}

The terraform import command can also be used:

$ terraform import google_kms_key_ring_iam_binding.default "{{project_id}}/{{location}}/{{key_ring_name}} roles/viewer"

Importing IAM policies

IAM policy imports use the identifier of the Cloud KMS key ring only, for example {{project_id}}/{{location}}/{{key_ring_name}}.

An import block (Terraform v1.5.0 and later) can be used to import IAM policies:

import {
  id = "{{project_id}}/{{location}}/{{key_ring_name}}"
  to = google_kms_key_ring_iam_policy.default
}

The terraform import command can also be used:

$ terraform import google_kms_key_ring_iam_policy.default {{project_id}}/{{location}}/{{key_ring_name}}