Three different resources help you manage IAM policies on bigtable tables. Each of these resources serves a different use case:
google_bigtable_table_iam_policy
: Authoritative. Sets the IAM policy for the tables and replaces any existing policy already attached.google_bigtable_table_iam_binding
: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the table are preserved.google_bigtable_table_iam_member
: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the table are preserved.data "google_iam_policy" "admin" {
binding {
role = "roles/bigtable.user"
members = [
"user:jane@example.com",
]
}
}
resource "google_bigtable_table_iam_policy" "editor" {
project = "your-project"
instance = "your-bigtable-instance"
table = "your-bigtable-table"
policy_data = data.google_iam_policy.admin.policy_data
}
resource "google_bigtable_table_iam_binding" "editor" {
table = "your-bigtable-table"
instance = "your-bigtable-instance"
role = "roles/bigtable.user"
members = [
"user:jane@example.com",
]
}
resource "google_bigtable_table_iam_member" "editor" {
table = "your-bigtable-table"
instance = "your-bigtable-instance"
role = "roles/bigtable.user"
member = "user:jane@example.com"
}
The following arguments are supported:
instance
- (Required) The name or relative resource id of the instance that owns the table.
table
- (Required) The name or relative resource id of the table to manage IAM policies for.
For google_bigtable_table_iam_member
or google_bigtable_table_iam_binding
:
member/members
- (Required) Identities that will be granted the privilege in role
.
Each entry can have one of the following values:
role
- (Required) The role that should be applied. Only one
google_bigtable_table_iam_binding
can be used per role. Note that custom roles must be of the format
[projects|organizations]/{parent-name}/roles/{role-name}
. Read more about roles here.
google_bigtable_table_iam_policy
only:
policy_data
- (Required) The policy data generated by a google_iam_policy
data source.project
- (Optional) The project in which the table belongs. If it
is not provided, Terraform will use the provider default.In addition to the arguments listed above, the following computed attributes are exported:
etag
- (Computed) The etag of the tables's IAM policy.IAM member imports use space-delimited identifiers that contain the resource's table
, role
, and member
. For example:
"projects/{project}/instances/{instance}/tables/{table} roles/editor user:jane@example.com"
An import
block (Terraform v1.5.0 and later) can be used to import IAM members:
import {
id = "projects/{project}/instances/{instance}/tables/{table} roles/editor user:jane@example.com"
to = google_bigtable_table_iam_member.default
}
The terraform import
command can also be used:
$ terraform import google_bigtable_table_iam_member.default "projects/{project}/instances/{instance}/tables/{table} roles/editor user:jane@example.com"
IAM binding imports use space-delimited identifiers that contain the resource's table
and role
. For example:
"projects/{project}/instances/{instance}/tables/{table} roles/editor"
An import
block (Terraform v1.5.0 and later) can be used to import IAM bindings:
import {
id = "projects/{project}/instances/{instance}/tables/{table} roles/editor"
to = google_bigtable_table_iam_binding.default
}
The terraform import
command can also be used:
$ terraform import google_bigtable_table_iam_binding.default "projects/{project}/instances/{instance}/tables/{table} roles/editor"
IAM policy imports use the table
identifier of the Bigtable Table resource only. For example:
"projects/{project}/instances/{instance}/tables/{table}"
An import
block (Terraform v1.5.0 and later) can be used to import IAM policies:
import {
id = "projects/{project}/instances/{instance}/tables/{table}"
to = google_bigtable_table_iam_policy.default
}
The terraform import
command can also be used:
$ terraform import google_bigtable_table_iam_policy.default projects/{project}/instances/{instance}/tables/{table}