google_iam_policy

Generates an IAM policy document that may be referenced by and applied to other Google Cloud Platform IAM resources, such as the google_project_iam_policy resource.

Note: Please review the documentation of the resource that you will be using this data source with. Some resources, such as google_project_iam_policy, have limitations in their API methods that are noted on their respective pages.

data "google_iam_policy" "admin" {
  # One binding per role; each lists the members granted that role.
  binding {
    role = "roles/compute.instanceAdmin"

    members = [
      "serviceAccount:your-custom-sa@your-project.iam.gserviceaccount.com",
    ]
  }

  binding {
    role = "roles/storage.objectViewer"

    members = [
      "user:alice@gmail.com",
    ]
  }

  # Data Access audit logging for a single service, with one member
  # exempted from DATA_READ logging.
  audit_config {
    service = "cloudkms.googleapis.com"
    audit_log_configs {
      log_type         = "DATA_READ"
      exempted_members = ["user:you@domain.com"]
    }

    audit_log_configs {
      log_type = "DATA_WRITE"
    }

    audit_log_configs {
      log_type = "ADMIN_READ"
    }
  }
}

This data source is used to define IAM policies to apply to other resources. Currently, defining a policy through a datasource and referencing that policy from another resource is the only way to apply an IAM policy to a resource.
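The following is an added example, not part of the provider documentation, showing the data source wired to the resource it is meant to feed: a google_project_iam_policy resource consumes the rendered policy through the data source's policy_data attribute. The project id, member identities, resource names and the condition expression are placeholders; the condition block's title, description and expression fields are taken from the provider schema for this data source.

```hcl
# Added example (not from the provider docs): build a project IAM policy with
# google_iam_policy and apply it with google_project_iam_policy.
# "my-project" and the member identities are placeholders.

data "google_iam_policy" "project_policy" {
  # google_project_iam_policy replaces the whole project policy, so the
  # administrators who must keep access have to be listed here as well.
  binding {
    role    = "roles/owner"
    members = ["group:cloud-admins@example.com"]
  }

  binding {
    role    = "roles/storage.objectViewer"
    members = ["serviceAccount:reader@my-project.iam.gserviceaccount.com"]

    # Conditional binding: the grant stops being effective after the given
    # timestamp, so temporary access does not have to be revoked by hand.
    condition {
      title       = "expires-2025-12-31"
      description = "Temporary read access for the migration"
      expression  = "request.time < timestamp(\"2025-12-31T00:00:00Z\")"
    }
  }

  # Record admin reads and data writes for every service in the project.
  audit_config {
    service = "allServices"
    audit_log_configs {
      log_type = "ADMIN_READ"
    }
    audit_log_configs {
      log_type = "DATA_WRITE"
    }
  }
}

resource "google_project_iam_policy" "project" {
  project     = "my-project"
  policy_data = data.google_iam_policy.project_policy.policy_data
}
```

Because google_project_iam_policy applies the rendered document as the complete policy, review the plan for bindings it would remove (including any existing owner or default service-account grants) before applying; a data source that omits them removes them from the project.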

Argument Reference

The following arguments are supported:

Each document configuration must have one or more binding blocks, which each accept the following arguments:

The condition block supports:

Attributes Reference

The following attribute is exported: