pulumi-gcp-kotlin/com.pulumi.gcp.kms.kotlin/CryptoKeyIAMBinding

CryptoKeyIAMBinding

class CryptoKeyIAMBinding : KotlinCustomResource

Three different resources help you manage your IAM policy for KMS crypto key. Each of these resources serves a different use case:

gcp.kms.CryptoKeyIAMPolicy: Authoritative. Sets the IAM policy for the crypto key and replaces any existing policy already attached.
gcp.kms.CryptoKeyIAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the crypto key are preserved.
gcp.kms.CryptoKeyIAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the crypto key are preserved.

Note: gcp.kms.CryptoKeyIAMPolicy cannot be used in conjunction with gcp.kms.CryptoKeyIAMBinding and gcp.kms.CryptoKeyIAMMember or they will fight over what your policy should be. Note: gcp.kms.CryptoKeyIAMBinding resources can be used in conjunction with gcp.kms.CryptoKeyIAMMember resources only if they do not grant privilege to the same role.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const keyring = new gcp.kms.KeyRing("keyring", {location: "global"});
const key = new gcp.kms.CryptoKey("key", {
    keyRing: keyring.id,
    rotationPeriod: "100000s",
});
const admin = gcp.organizations.getIAMPolicy({
    bindings: [{
        role: "roles/cloudkms.cryptoKeyEncrypter",
        members: ["user:jane@example&#46;com"],
    }],
});
const cryptoKey = new gcp.kms.CryptoKeyIAMPolicy("cryptoKey", {
    cryptoKeyId: key.id,
    policyData: admin.then(admin => admin.policyData),
});

import pulumi
import pulumi_gcp as gcp
keyring = gcp.kms.KeyRing("keyring", location="global")
key = gcp.kms.CryptoKey("key",
    key_ring=keyring.id,
    rotation_period="100000s")
admin = gcp.organizations.get_iam_policy(bindings=[gcp.organizations.GetIAMPolicyBindingArgs(
    role="roles/cloudkms.cryptoKeyEncrypter",
    members=["user:jane@example&#46;com"],
)])
crypto_key = gcp.kms.CryptoKeyIAMPolicy("cryptoKey",
    crypto_key_id=key.id,
    policy_data=admin.policy_data)

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
    var keyring = new Gcp.Kms.KeyRing("keyring", new()
    {
        Location = "global",
    });
    var key = new Gcp.Kms.CryptoKey("key", new()
    {
        KeyRing = keyring.Id,
        RotationPeriod = "100000s",
    });
    var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
    {
        Bindings = new[]
        {
            new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
            {
                Role = "roles/cloudkms.cryptoKeyEncrypter",
                Members = new[]
                {
                    "user:jane@example.com",
                },
            },
        },
    });
    var cryptoKey = new Gcp.Kms.CryptoKeyIAMPolicy("cryptoKey", new()
    {
        CryptoKeyId = key.Id,
        PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
    });
});

package main
import (
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/kms"
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		keyring, err := kms.NewKeyRing(ctx, "keyring", &kms.KeyRingArgs{
			Location: pulumi.String("global"),
		})
		if err != nil {
			return err
		}
		key, err := kms.NewCryptoKey(ctx, "key", &kms.CryptoKeyArgs{
			KeyRing:        keyring.ID(),
			RotationPeriod: pulumi.String("100000s"),
		})
		if err != nil {
			return err
		}
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/cloudkms.cryptoKeyEncrypter",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = kms.NewCryptoKeyIAMPolicy(ctx, "cryptoKey", &kms.CryptoKeyIAMPolicyArgs{
			CryptoKeyId: key.ID(),
			PolicyData:  *pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.KeyRing;
import com.pulumi.gcp.kms.KeyRingArgs;
import com.pulumi.gcp.kms.CryptoKey;
import com.pulumi.gcp.kms.CryptoKeyArgs;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.kms.CryptoKeyIAMPolicy;
import com.pulumi.gcp.kms.CryptoKeyIAMPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var keyring = new KeyRing("keyring", KeyRingArgs.builder()
            .location("global")
            .build());
        var key = new CryptoKey("key", CryptoKeyArgs.builder()
            .keyRing(keyring.id())
            .rotationPeriod("100000s")
            .build());
        final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
            .bindings(GetIAMPolicyBindingArgs.builder()
                .role("roles/cloudkms.cryptoKeyEncrypter")
                .members("user:jane@example.com")
                .build())
            .build());
        var cryptoKey = new CryptoKeyIAMPolicy("cryptoKey", CryptoKeyIAMPolicyArgs.builder()
            .cryptoKeyId(key.id())
            .policyData(admin.applyValue(getIAMPolicyResult -> getIAMPolicyResult.policyData()))
            .build());
    }
}

resources:
  keyring:
    type: gcp:kms:KeyRing
    properties:
      location: global
  key:
    type: gcp:kms:CryptoKey
    properties:
      keyRing: ${keyring.id}
      rotationPeriod: 100000s
  cryptoKey:
    type: gcp:kms:CryptoKeyIAMPolicy
    properties:
      cryptoKeyId: ${key.id}
      policyData: ${admin.policyData}
variables:
  admin:
    fn::invoke:
      Function: gcp:organizations:getIAMPolicy
      Arguments:
        bindings:
          - role: roles/cloudkms.cryptoKeyEncrypter
            members:
              - user:jane@example.com

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
    bindings: [{
        condition: {
            description: "Expiring at midnight of 2019-12-31",
            expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
            title: "expires_after_2019_12_31",
        },
        members: ["user:jane@example&#46;com"],
        role: "roles/cloudkms.cryptoKeyEncrypter",
    }],
});

import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[gcp.organizations.GetIAMPolicyBindingArgs(
    condition=gcp.organizations.GetIAMPolicyBindingConditionArgs(
        description="Expiring at midnight of 2019-12-31",
        expression="request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        title="expires_after_2019_12_31",
    ),
    members=["user:jane@example&#46;com"],
    role="roles/cloudkms.cryptoKeyEncrypter",
)])

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
    var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
    {
        Bindings = new[]
        {
            new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
            {
                Condition = new Gcp.Organizations.Inputs.GetIAMPolicyBindingConditionInputArgs
                {
                    Description = "Expiring at midnight of 2019-12-31",
                    Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
                    Title = "expires_after_2019_12_31",
                },
                Members = new[]
                {
                    "user:jane@example.com",
                },
                Role = "roles/cloudkms.cryptoKeyEncrypter",
            },
        },
    });
});

package main
import (
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Condition: {
						Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
						Expression:  "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
						Title:       "expires_after_2019_12_31",
					},
					Members: []string{
						"user:jane@example.com",
					},
					Role: "roles/cloudkms.cryptoKeyEncrypter",
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
            .bindings(GetIAMPolicyBindingArgs.builder()
                .condition(GetIAMPolicyBindingConditionArgs.builder()
                    .description("Expiring at midnight of 2019-12-31")
                    .expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
                    .title("expires_after_2019_12_31")
                    .build())
                .members("user:jane@example.com")
                .role("roles/cloudkms.cryptoKeyEncrypter")
                .build())
            .build());
    }
}

variables:
  admin:
    fn::invoke:
      Function: gcp:organizations:getIAMPolicy
      Arguments:
        bindings:
          - condition:
              description: Expiring at midnight of 2019-12-31
              expression: request.time < timestamp("2020-01-01T00:00:00Z")
              title: expires_after_2019_12_31
            members:
              - user:jane@example.com
            role: roles/cloudkms.cryptoKeyEncrypter

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const cryptoKey = new gcp.kms.CryptoKeyIAMBinding("cryptoKey", {
    cryptoKeyId: google_kms_crypto_key.key.id,
    role: "roles/cloudkms.cryptoKeyEncrypter",
    members: ["user:jane@example&#46;com"],
});

import pulumi
import pulumi_gcp as gcp
crypto_key = gcp.kms.CryptoKeyIAMBinding("cryptoKey",
    crypto_key_id=google_kms_crypto_key["key"]["id"],
    role="roles/cloudkms.cryptoKeyEncrypter",
    members=["user:jane@example&#46;com"])

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
    var cryptoKey = new Gcp.Kms.CryptoKeyIAMBinding("cryptoKey", new()
    {
        CryptoKeyId = google_kms_crypto_key.Key.Id,
        Role = "roles/cloudkms.cryptoKeyEncrypter",
        Members = new[]
        {
            "user:jane@example.com",
        },
    });
});

package main
import (
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/kms"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := kms.NewCryptoKeyIAMBinding(ctx, "cryptoKey", &kms.CryptoKeyIAMBindingArgs{
			CryptoKeyId: pulumi.Any(google_kms_crypto_key.Key.Id),
			Role:        pulumi.String("roles/cloudkms.cryptoKeyEncrypter"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.CryptoKeyIAMBinding;
import com.pulumi.gcp.kms.CryptoKeyIAMBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var cryptoKey = new CryptoKeyIAMBinding("cryptoKey", CryptoKeyIAMBindingArgs.builder()
            .cryptoKeyId(google_kms_crypto_key.key().id())
            .role("roles/cloudkms.cryptoKeyEncrypter")
            .members("user:jane@example.com")
            .build());
    }
}

resources:
  cryptoKey:
    type: gcp:kms:CryptoKeyIAMBinding
    properties:
      cryptoKeyId: ${google_kms_crypto_key.key.id}
      role: roles/cloudkms.cryptoKeyEncrypter
      members:
        - user:jane@example.com

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const cryptoKey = new gcp.kms.CryptoKeyIAMBinding("cryptoKey", {
    cryptoKeyId: google_kms_crypto_key.key.id,
    role: "roles/cloudkms.cryptoKeyEncrypter",
    members: ["user:jane@example&#46;com"],
    condition: {
        title: "expires_after_2019_12_31",
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
    },
});

import pulumi
import pulumi_gcp as gcp
crypto_key = gcp.kms.CryptoKeyIAMBinding("cryptoKey",
    crypto_key_id=google_kms_crypto_key["key"]["id"],
    role="roles/cloudkms.cryptoKeyEncrypter",
    members=["user:jane@example&#46;com"],
    condition=gcp.kms.CryptoKeyIAMBindingConditionArgs(
        title="expires_after_2019_12_31",
        description="Expiring at midnight of 2019-12-31",
        expression="request.time < timestamp(\"2020-01-01T00:00:00Z\")",
    ))

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
    var cryptoKey = new Gcp.Kms.CryptoKeyIAMBinding("cryptoKey", new()
    {
        CryptoKeyId = google_kms_crypto_key.Key.Id,
        Role = "roles/cloudkms.cryptoKeyEncrypter",
        Members = new[]
        {
            "user:jane@example.com",
        },
        Condition = new Gcp.Kms.Inputs.CryptoKeyIAMBindingConditionArgs
        {
            Title = "expires_after_2019_12_31",
            Description = "Expiring at midnight of 2019-12-31",
            Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        },
    });
});

package main
import (
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/kms"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := kms.NewCryptoKeyIAMBinding(ctx, "cryptoKey", &kms.CryptoKeyIAMBindingArgs{
			CryptoKeyId: pulumi.Any(google_kms_crypto_key.Key.Id),
			Role:        pulumi.String("roles/cloudkms.cryptoKeyEncrypter"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &kms.CryptoKeyIAMBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.CryptoKeyIAMBinding;
import com.pulumi.gcp.kms.CryptoKeyIAMBindingArgs;
import com.pulumi.gcp.kms.inputs.CryptoKeyIAMBindingConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var cryptoKey = new CryptoKeyIAMBinding("cryptoKey", CryptoKeyIAMBindingArgs.builder()
            .cryptoKeyId(google_kms_crypto_key.key().id())
            .role("roles/cloudkms.cryptoKeyEncrypter")
            .members("user:jane@example.com")
            .condition(CryptoKeyIAMBindingConditionArgs.builder()
                .title("expires_after_2019_12_31")
                .description("Expiring at midnight of 2019-12-31")
                .expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
                .build())
            .build());
    }
}

resources:
  cryptoKey:
    type: gcp:kms:CryptoKeyIAMBinding
    properties:
      cryptoKeyId: ${google_kms_crypto_key.key.id}
      role: roles/cloudkms.cryptoKeyEncrypter
      members:
        - user:jane@example.com
      condition:
        title: expires_after_2019_12_31
        description: Expiring at midnight of 2019-12-31
        expression: request.time < timestamp("2020-01-01T00:00:00Z")

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const cryptoKey = new gcp.kms.CryptoKeyIAMMember("cryptoKey", {
    cryptoKeyId: google_kms_crypto_key.key.id,
    role: "roles/cloudkms.cryptoKeyEncrypter",
    member: "user:jane@example.com",
});

import pulumi
import pulumi_gcp as gcp
crypto_key = gcp.kms.CryptoKeyIAMMember("cryptoKey",
    crypto_key_id=google_kms_crypto_key["key"]["id"],
    role="roles/cloudkms.cryptoKeyEncrypter",
    member="user:jane@example.com")

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
    var cryptoKey = new Gcp.Kms.CryptoKeyIAMMember("cryptoKey", new()
    {
        CryptoKeyId = google_kms_crypto_key.Key.Id,
        Role = "roles/cloudkms.cryptoKeyEncrypter",
        Member = "user:jane@example.com",
    });
});

package main
import (
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/kms"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := kms.NewCryptoKeyIAMMember(ctx, "cryptoKey", &kms.CryptoKeyIAMMemberArgs{
			CryptoKeyId: pulumi.Any(google_kms_crypto_key.Key.Id),
			Role:        pulumi.String("roles/cloudkms.cryptoKeyEncrypter"),
			Member:      pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.CryptoKeyIAMMember;
import com.pulumi.gcp.kms.CryptoKeyIAMMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var cryptoKey = new CryptoKeyIAMMember("cryptoKey", CryptoKeyIAMMemberArgs.builder()
            .cryptoKeyId(google_kms_crypto_key.key().id())
            .role("roles/cloudkms.cryptoKeyEncrypter")
            .member("user:jane@example.com")
            .build());
    }
}

resources:
  cryptoKey:
    type: gcp:kms:CryptoKeyIAMMember
    properties:
      cryptoKeyId: ${google_kms_crypto_key.key.id}
      role: roles/cloudkms.cryptoKeyEncrypter
      member: user:jane@example.com

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const cryptoKey = new gcp.kms.CryptoKeyIAMMember("cryptoKey", {
    cryptoKeyId: google_kms_crypto_key.key.id,
    role: "roles/cloudkms.cryptoKeyEncrypter",
    member: "user:jane@example.com",
    condition: {
        title: "expires_after_2019_12_31",
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
    },
});

import pulumi
import pulumi_gcp as gcp
crypto_key = gcp.kms.CryptoKeyIAMMember("cryptoKey",
    crypto_key_id=google_kms_crypto_key["key"]["id"],
    role="roles/cloudkms.cryptoKeyEncrypter",
    member="user:jane@example.com",
    condition=gcp.kms.CryptoKeyIAMMemberConditionArgs(
        title="expires_after_2019_12_31",
        description="Expiring at midnight of 2019-12-31",
        expression="request.time < timestamp(\"2020-01-01T00:00:00Z\")",
    ))

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
    var cryptoKey = new Gcp.Kms.CryptoKeyIAMMember("cryptoKey", new()
    {
        CryptoKeyId = google_kms_crypto_key.Key.Id,
        Role = "roles/cloudkms.cryptoKeyEncrypter",
        Member = "user:jane@example.com",
        Condition = new Gcp.Kms.Inputs.CryptoKeyIAMMemberConditionArgs
        {
            Title = "expires_after_2019_12_31",
            Description = "Expiring at midnight of 2019-12-31",
            Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        },
    });
});

package main
import (
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/kms"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := kms.NewCryptoKeyIAMMember(ctx, "cryptoKey", &kms.CryptoKeyIAMMemberArgs{
			CryptoKeyId: pulumi.Any(google_kms_crypto_key.Key.Id),
			Role:        pulumi.String("roles/cloudkms.cryptoKeyEncrypter"),
			Member:      pulumi.String("user:jane@example.com"),
			Condition: &kms.CryptoKeyIAMMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.CryptoKeyIAMMember;
import com.pulumi.gcp.kms.CryptoKeyIAMMemberArgs;
import com.pulumi.gcp.kms.inputs.CryptoKeyIAMMemberConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var cryptoKey = new CryptoKeyIAMMember("cryptoKey", CryptoKeyIAMMemberArgs.builder()
            .cryptoKeyId(google_kms_crypto_key.key().id())
            .role("roles/cloudkms.cryptoKeyEncrypter")
            .member("user:jane@example.com")
            .condition(CryptoKeyIAMMemberConditionArgs.builder()
                .title("expires_after_2019_12_31")
                .description("Expiring at midnight of 2019-12-31")
                .expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
                .build())
            .build());
    }
}

resources:
  cryptoKey:
    type: gcp:kms:CryptoKeyIAMMember
    properties:
      cryptoKeyId: ${google_kms_crypto_key.key.id}
      role: roles/cloudkms.cryptoKeyEncrypter
      member: user:jane@example.com
      condition:
        title: expires_after_2019_12_31
        description: Expiring at midnight of 2019-12-31
        expression: request.time < timestamp("2020-01-01T00:00:00Z")

Import

IAM member imports use space-delimited identifiers; the resource in question, the role, and the account. This member resource can be imported using the crypto_key_id, role, and member identity e.g.

$ pulumi import gcp:kms/cryptoKeyIAMBinding:CryptoKeyIAMBinding crypto_key "your-project-id/location-name/key-ring-name/key-name roles/viewer user:foo@example.com"

IAM binding imports use space-delimited identifiers; first the resource in question and then the role. These bindings can be imported using the crypto_key_id and role, e.g.

$ pulumi import gcp:kms/cryptoKeyIAMBinding:CryptoKeyIAMBinding crypto_key "your-project-id/location-name/key-ring-name/key-name roles/editor"

IAM policy imports use the identifier of the resource in question. This policy resource can be imported using the crypto_key_id, e.g.

$ pulumi import gcp:kms/cryptoKeyIAMBinding:CryptoKeyIAMBinding crypto_key your-project-id/location-name/key-ring-name/key-name

Properties

condition

val condition: Output<CryptoKeyIAMBindingCondition>?

) An IAM Condition for a given binding. Structure is documented below.

cryptoKeyId

val cryptoKeyId: Output<String>

The crypto key ID, in the form {project_id}/{location_name}/{key_ring_name}/{crypto_key_name} or {location_name}/{key_ring_name}/{crypto_key_name}. In the second form, the provider's project setting will be used as a fallback.

etag

val etag: Output<String>

(Computed) The etag of the project's IAM policy.

val id: Output<String>

members

val members: Output<List<String>>

pulumiChildResources

val pulumiChildResources: Set<KotlinResource>

pulumiResourceName

val pulumiResourceName: String

pulumiResourceType

val pulumiResourceType: String

role

val role: Output<String>

The role that should be applied. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

urn

val urn: Output<String>