# Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ######### # Grant GCP role Editor to project-editor # AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: name: project-id-editor-permissions # kpt-set: ${project-id}-editor-permissions namespace: projects annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project name: project-id # kpt-set: ${project-id} role: roles/editor member: project-editor # kpt-set: ${project-editor} --- # Grant GCP role IAM Security Admin to project-editor # AC-3(7) - ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: name: project-id-iam-security-admin-permissions # kpt-set: ${project-id}-iam-security-admin-permissions namespace: projects annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project name: project-id # kpt-set: ${project-id} role: roles/iam.securityAdmin member: project-editor # kpt-set: ${project-editor}