RoleGrant

This configuration defines all the Cloud IAM roles that need to be granted on a particular Google Cloud resource to the selected principal, such as a service account. These configurations let the UI display to customers which IAM roles they need to grant, or let the UI render a 'grant' button that performs the grant on behalf of the user.

JSON representation
{
  "principal": enum (Principal),
  "roles": [
    string
  ],
  "resource": {
    object (Resource)
  },
  "helperTextTemplate": string
}
Fields
principal

enum (Principal)

Principal/Identity to whom the role needs to be assigned.

roles[]

string

List of roles that need to be granted.

resource

object (Resource)

Resource on which the roles need to be granted to the principal.

helperTextTemplate

string

Template that UI can use to provide helper text to customers.

Principal

Supported Principal values.

Enums
PRINCIPAL_UNSPECIFIED Value type is not specified.
CONNECTOR_SA Service Account used for the Connector workload identity. This is either the default service account, if unspecified, or a Service Account provided by the customer through BYOSA.

Resource

Resource definition

JSON representation
{
  "type": enum (Type),
  "pathTemplate": string
}
Fields
type

enum (Type)

Different types of resource supported.

pathTemplate

string

Template that uniquely represents a Google Cloud resource in the format IAM expects. The template can contain references to other values provided in the config variable template.

Type

Resource Type definition.

Enums
TYPE_UNSPECIFIED Value type is not specified.
GCP_PROJECT Google Cloud Project Resource.
GCP_RESOURCE Any Google Cloud Resource which is identified uniquely by IAM.
GCP_SECRETMANAGER_SECRET Google Cloud Secret Resource.
GCP_SECRETMANAGER_SECRET_VERSION Google Cloud Secret Version Resource.
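As an added example (not code from this page or from the product it documents), the following Python validates a constructed RoleGrant document against the Principal and Type enum values listed above and expands a pathTemplate from config variable values. The {{name}} placeholder syntax, the SAMPLE_GRANT contents and the function names are assumptions, since the page does not define how templates reference config variables.

```python
import re

# Enum values exactly as listed on the RoleGrant reference page.
PRINCIPALS = {"PRINCIPAL_UNSPECIFIED", "CONNECTOR_SA"}
RESOURCE_TYPES = {"TYPE_UNSPECIFIED", "GCP_PROJECT", "GCP_RESOURCE",
                  "GCP_SECRETMANAGER_SECRET", "GCP_SECRETMANAGER_SECRET_VERSION"}
# Assumption: the page does not define how templates reference config
# variables, so this example uses a {{name}} placeholder as a stand-in.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_.-]+)\s*\}\}")

# Constructed sample RoleGrant (not taken from the page).
SAMPLE_GRANT = {
    "principal": "CONNECTOR_SA",
    "roles": ["roles/secretmanager.secretAccessor"],
    "resource": {
        "type": "GCP_SECRETMANAGER_SECRET_VERSION",
        "pathTemplate": "projects/{{project_id}}/secrets/{{secret_name}}/versions/{{secret_version}}",
    },
    "helperTextTemplate": "Grant the connector access to secret {{secret_name}}.",
}


def validate_role_grant(grant: dict) -> list:
    """Return the problems found in a RoleGrant; an empty list means it is well-formed."""
    problems = []
    principal = grant.get("principal")
    if principal not in PRINCIPALS or principal == "PRINCIPAL_UNSPECIFIED":
        problems.append(f"missing or unknown principal: {principal!r}")
    roles = grant.get("roles")
    if not isinstance(roles, list) or not roles:
        problems.append("roles must be a non-empty list")
    else:
        # Predefined roles are roles/<name>; custom roles carry a
        # projects/... or organizations/... prefix before roles/<name>.
        problems += [f"malformed role: {r!r}" for r in roles
                     if not isinstance(r, str) or "roles/" not in r]
    resource = grant.get("resource") or {}
    rtype = resource.get("type")
    if rtype not in RESOURCE_TYPES or rtype == "TYPE_UNSPECIFIED":
        problems.append(f"missing or unknown resource type: {rtype!r}")
    path = resource.get("pathTemplate")
    if not isinstance(path, str) or not path:
        problems.append("resource.pathTemplate must be a non-empty string")
    return problems


def render_template(template: str, config_values: dict) -> str:
    """Expand {{name}} references with config variable values; an unknown name raises KeyError."""
    return PLACEHOLDER.sub(lambda m: config_values[m.group(1)], template)
```

Running the validator before rendering a 'grant' button catches an unspecified principal or resource type, which would otherwise produce an IAM binding on the wrong target.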