» IAM policy for Google Cloud KMS key ring

Three different resources help you manage your IAM policy for KMS key ring. Each of these resources serves a different use case:

  • google_kms_key_ring_iam_policy: Authoritative. Sets the IAM policy for the key ring and replaces any existing policy already attached.
  • google_kms_key_ring_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the key ring are preserved.
  • google_kms_key_ring_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the key ring are preserved.

» google_kms_key_ring_iam_policy

data "google_iam_policy" "admin" {
  binding {
    role = "roles/editor"

    members = [
      "user:jane@example.com",
    ]
  }
}

resource "google_kms_key_ring_iam_policy" "key_ring" {
  key_ring_id = "your-key-ring-id"
  policy_data = data.google_iam_policy.admin.policy_data
}

» google_kms_key_ring_iam_binding

resource "google_kms_key_ring_iam_binding" "key_ring" {
  key_ring_id = "your-key-ring-id"
  role        = "roles/editor"

  members = [
    "user:jane@example.com",
  ]
}

» google_kms_key_ring_iam_member

resource "google_kms_key_ring_iam_member" "key_ring" {
  key_ring_id = "your-key-ring-id"
  role        = "roles/editor"
  member      = "user:jane@example.com"
}

» Argument Reference

The following arguments are supported:

  • key_ring_id - (Required) The key ring ID, in the form {project_id}/{location_name}/{key_ring_name} or {location_name}/{key_ring_name}. In the second form, the provider's project setting will be used as a fallback.

  • member/members - (Required) Identities that will be granted the privilege in role. Each entry can have one of the following values:

    • allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account.
    • allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account.
    • user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
    • serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
    • group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
    • domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
  • role - (Required) The role that should be applied. Only one google_kms_key_ring_iam_binding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

  • policy_data - (Required only by google_kms_key_ring_iam_policy) The policy data generated by a google_iam_policy data source.

» Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • etag - (Computed) The etag of the key ring's IAM policy.

» Import

IAM member imports use space-delimited identifiers; the resource in question, the role, and the account. This member resource can be imported using the key_ring_id, role, and account e.g.

$ terraform import google_kms_key_ring_iam_member.key_ring_iam "your-project-id/location-name/key-ring-name roles/viewer user:foo@example.com"

IAM binding imports use space-delimited identifiers; the resource in question and the role. This binding resource can be imported using the key_ring_id and role, e.g.

$ terraform import google_kms_key_ring_iam_binding.key_ring_iam "your-project-id/location-name/key-ring-name roles/viewer"

IAM policy imports use the identifier of the resource in question. This policy resource can be imported using the key_ring_id, role, and account e.g.

$ terraform import google_kms_key_ring_iam_policy.key_ring_iam your-project-id/location-name/key-ring-name