Package com.pulumi.gcp.kms
Class KeyRingIAMMember
- java.lang.Object
  - com.pulumi.resources.Resource
    - com.pulumi.resources.CustomResource
      - com.pulumi.gcp.kms.KeyRingIAMMember

public class KeyRingIAMMember extends com.pulumi.resources.CustomResource
Three different resources help you manage your IAM policy for a KMS key ring. Each of these resources serves a different use case:

* `gcp.kms.KeyRingIAMPolicy`: Authoritative. Sets the IAM policy for the key ring and replaces any existing policy already attached.
* `gcp.kms.KeyRingIAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the key ring are preserved.
* `gcp.kms.KeyRingIAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the key ring are preserved.

> **Note:** `gcp.kms.KeyRingIAMPolicy` **cannot** be used in conjunction with `gcp.kms.KeyRingIAMBinding` and `gcp.kms.KeyRingIAMMember` or they will fight over what your policy should be.

> **Note:** `gcp.kms.KeyRingIAMBinding` resources **can be** used in conjunction with `gcp.kms.KeyRingIAMMember` resources **only if** they do not grant privilege to the same role.

## google\_kms\_key\_ring\_iam\_policy

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.KeyRing;
import com.pulumi.gcp.kms.KeyRingArgs;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyBindingArgs;
import com.pulumi.gcp.kms.KeyRingIAMPolicy;
import com.pulumi.gcp.kms.KeyRingIAMPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var keyring = new KeyRing("keyring", KeyRingArgs.builder()
            .location("global")
            .build());

        // Build the complete policy document that will be attached to the key ring.
        final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
            .bindings(GetIAMPolicyBindingArgs.builder()
                .role("roles/editor")
                .members("user:[email protected]")
                .build())
            .build());

        // Authoritative: replaces any IAM policy already attached to the key ring.
        var keyRing = new KeyRingIAMPolicy("keyRing", KeyRingIAMPolicyArgs.builder()
            .keyRingId(keyring.id())
            .policyData(admin.applyValue(getIAMPolicyResult -> getIAMPolicyResult.policyData()))
            .build());
    }
}
```

With IAM Conditions:

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.KeyRing;
import com.pulumi.gcp.kms.KeyRingArgs;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyBindingArgs;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyBindingConditionArgs;
import com.pulumi.gcp.kms.KeyRingIAMPolicy;
import com.pulumi.gcp.kms.KeyRingIAMPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var keyring = new KeyRing("keyring", KeyRingArgs.builder()
            .location("global")
            .build());

        // The binding carries a condition, so the grant stops applying at the given time.
        final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
            .bindings(GetIAMPolicyBindingArgs.builder()
                .role("roles/editor")
                .members("user:[email protected]")
                .condition(GetIAMPolicyBindingConditionArgs.builder()
                    .title("expires_after_2019_12_31")
                    .description("Expiring at midnight of 2019-12-31")
                    .expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
                    .build())
                .build())
            .build());

        // Authoritative: replaces any IAM policy already attached to the key ring.
        var keyRing = new KeyRingIAMPolicy("keyRing", KeyRingIAMPolicyArgs.builder()
            .keyRingId(keyring.id())
            .policyData(admin.applyValue(getIAMPolicyResult -> getIAMPolicyResult.policyData()))
            .build());
    }
}
```

## google\_kms\_key\_ring\_iam\_binding

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.KeyRingIAMBinding;
import com.pulumi.gcp.kms.KeyRingIAMBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Authoritative for roles/cloudkms.admin: the members list is the full set for this role.
        var keyRing = new KeyRingIAMBinding("keyRing", KeyRingIAMBindingArgs.builder()
            .keyRingId("your-key-ring-id")
            .members("user:[email protected]")
            .role("roles/cloudkms.admin")
            .build());
    }
}
```

With IAM Conditions:

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.KeyRingIAMBinding;
import com.pulumi.gcp.kms.KeyRingIAMBindingArgs;
import com.pulumi.gcp.kms.inputs.KeyRingIAMBindingConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Same authoritative binding, limited in time by an IAM Condition.
        var keyRing = new KeyRingIAMBinding("keyRing", KeyRingIAMBindingArgs.builder()
            .condition(KeyRingIAMBindingConditionArgs.builder()
                .description("Expiring at midnight of 2019-12-31")
                .expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
                .title("expires_after_2019_12_31")
                .build())
            .keyRingId("your-key-ring-id")
            .members("user:[email protected]")
            .role("roles/cloudkms.admin")
            .build());
    }
}
```

## google\_kms\_key\_ring\_iam\_member

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.KeyRingIAMMember;
import com.pulumi.gcp.kms.KeyRingIAMMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Non-authoritative: adds one member to the role and leaves other members in place.
        var keyRing = new KeyRingIAMMember("keyRing", KeyRingIAMMemberArgs.builder()
            .keyRingId("your-key-ring-id")
            .member("user:[email protected]")
            .role("roles/cloudkms.admin")
            .build());
    }
}
```

With IAM Conditions:

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.KeyRingIAMMember;
import com.pulumi.gcp.kms.KeyRingIAMMemberArgs;
import com.pulumi.gcp.kms.inputs.KeyRingIAMMemberConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Same non-authoritative grant, limited in time by an IAM Condition.
        var keyRing = new KeyRingIAMMember("keyRing", KeyRingIAMMemberArgs.builder()
            .condition(KeyRingIAMMemberConditionArgs.builder()
                .description("Expiring at midnight of 2019-12-31")
                .expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
                .title("expires_after_2019_12_31")
                .build())
            .keyRingId("your-key-ring-id")
            .member("user:[email protected]")
            .role("roles/cloudkms.admin")
            .build());
    }
}
```

## Import

### Importing IAM policies

IAM policy imports use the identifier of the Cloud KMS key ring only. For example:

* `{{project_id}}/{{location}}/{{key_ring_name}}`

An [`import` block](https://developer.hashicorp.com/terraform/language/import) (Terraform v1.5.0 and later) can be used to import IAM policies:

```tf
import {
  id = "{{project_id}}/{{location}}/{{key_ring_name}}"
  to = google_kms_key_ring_iam_policy.default
}
```

The [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import) can also be used:

```sh
$ pulumi import gcp:kms/keyRingIAMMember:KeyRingIAMMember default {{project_id}}/{{location}}/{{key_ring_name}}
```
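
The combination permitted by the second note in the description (a `KeyRingIAMBinding` alongside `KeyRingIAMMember` resources that grant different roles), shown as an added example that is not part of the provider's own documentation. The resource names, member identities, and the roles `roles/cloudkms.cryptoKeyEncrypterDecrypter` and `roles/cloudkms.viewer` are assumptions chosen for illustration; the condition reuses the expression shown on this page.

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.gcp.kms.KeyRingIAMBinding;
import com.pulumi.gcp.kms.KeyRingIAMBindingArgs;
import com.pulumi.gcp.kms.KeyRingIAMMember;
import com.pulumi.gcp.kms.KeyRingIAMMemberArgs;
import com.pulumi.gcp.kms.inputs.KeyRingIAMMemberConditionArgs;

public class App {
    // Placeholder ID as used on this page; member identities below are constructed samples.
    private static final String KEY_RING_ID = "your-key-ring-id";

    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Authoritative for roles/cloudkms.admin only: this list is the complete
        // membership of the admin role, so no KeyRingIAMMember may grant it as well.
        new KeyRingIAMBinding("admins", KeyRingIAMBindingArgs.builder()
            .keyRingId(KEY_RING_ID)
            .role("roles/cloudkms.admin")
            .members("group:kms-admins@example.com")
            .build());

        // Non-authoritative grant on a different role: members added to this role
        // by other stacks or by hand are preserved.
        new KeyRingIAMMember("appCrypto", KeyRingIAMMemberArgs.builder()
            .keyRingId(KEY_RING_ID)
            .role("roles/cloudkms.cryptoKeyEncrypterDecrypter")
            .member("serviceAccount:app@example-project.iam.gserviceaccount.com")
            .build());

        // A second non-authoritative grant on a third role, time-boxed with the
        // IAM Condition expression from the examples above.
        new KeyRingIAMMember("tempViewer", KeyRingIAMMemberArgs.builder()
            .keyRingId(KEY_RING_ID)
            .role("roles/cloudkms.viewer")
            .member("user:auditor@example.com")
            .condition(KeyRingIAMMemberConditionArgs.builder()
                .title("expires_after_2019_12_31")
                .description("Expiring at midnight of 2019-12-31")
                .expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
                .build())
            .build());
    }
}
```

Adding a `KeyRingIAMPolicy` to this stack, or a `KeyRingIAMMember` for `roles/cloudkms.admin`, would put two resources in charge of the same part of the policy, which is the conflict the notes describe.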
Constructor Summary
- KeyRingIAMMember(java.lang.String name)
- KeyRingIAMMember(java.lang.String name, KeyRingIAMMemberArgs args)
- KeyRingIAMMember(java.lang.String name, KeyRingIAMMemberArgs args, com.pulumi.resources.CustomResourceOptions options)

Method Summary

| Modifier and Type | Method | Description |
| --- | --- | --- |
| `com.pulumi.core.Output<java.util.Optional<KeyRingIAMMemberCondition>>` | `condition()` | |
| `com.pulumi.core.Output<java.lang.String>` | `etag()` | |
| `static KeyRingIAMMember` | `get(java.lang.String name, com.pulumi.core.Output<java.lang.String> id, KeyRingIAMMemberState state, com.pulumi.resources.CustomResourceOptions options)` | Get an existing KeyRingIAMMember resource's state with the given name, ID, and optional extra properties used to qualify the lookup. |
| `com.pulumi.core.Output<java.lang.String>` | `keyRingId()` | |
| `com.pulumi.core.Output<java.lang.String>` | `member()` | |
| `com.pulumi.core.Output<java.lang.String>` | `role()` | |

Constructor Detail

KeyRingIAMMember
public KeyRingIAMMember(java.lang.String name)
- Parameters:
  - `name` - The _unique_ name of the resulting resource.

KeyRingIAMMember
public KeyRingIAMMember(java.lang.String name, KeyRingIAMMemberArgs args)
- Parameters:
  - `name` - The _unique_ name of the resulting resource.
  - `args` - The arguments to use to populate this resource's properties.

KeyRingIAMMember
public KeyRingIAMMember(java.lang.String name, KeyRingIAMMemberArgs args, @Nullable com.pulumi.resources.CustomResourceOptions options)
- Parameters:
  - `name` - The _unique_ name of the resulting resource.
  - `args` - The arguments to use to populate this resource's properties.
  - `options` - A bag of options that control this resource's behavior.

Method Detail

condition
public com.pulumi.core.Output<java.util.Optional<KeyRingIAMMemberCondition>> condition()
- Returns:
  - An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

etag
public com.pulumi.core.Output<java.lang.String> etag()
- Returns:
  - (Computed) The etag of the key ring's IAM policy.

keyRingId
public com.pulumi.core.Output<java.lang.String> keyRingId()
- Returns:
  - The key ring ID, in the form `{project_id}/{location_name}/{key_ring_name}` or `{location_name}/{key_ring_name}`. In the second form, the provider's project setting will be used as a fallback.
  - `member/members` - (Required) Identities that will be granted the privilege in `role`. Each entry can have one of the following values:
    - **allUsers**: A special identifier that represents anyone who is on the internet, with or without a Google account.
    - **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
    - **user:{emailid}**: An email address that represents a specific Google account. For example, [email protected] or [email protected].
    - **serviceAccount:{emailid}**: An email address that represents a service account. For example, [email protected].
    - **group:{emailid}**: An email address that represents a Google group. For example, [email protected].
    - **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.

member
public com.pulumi.core.Output<java.lang.String> member()

role
public com.pulumi.core.Output<java.lang.String> role()
- Returns:
  - The role that should be applied. Only one `gcp.kms.KeyRingIAMBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

get
public static KeyRingIAMMember get(java.lang.String name, com.pulumi.core.Output<java.lang.String> id, @Nullable KeyRingIAMMemberState state, @Nullable com.pulumi.resources.CustomResourceOptions options)
Get an existing KeyRingIAMMember resource's state with the given name, ID, and optional extra properties used to qualify the lookup.
- Parameters:
  - `name` - The _unique_ name of the resulting resource.
  - `id` - The _unique_ provider ID of the resource to look up.
  - `state` -
  - `options` - Optional settings to control the behavior of the CustomResource.