2016-08-23 20:34:54 +00:00
---
layout: "google"
page_title: "Google: google_iam_policy"
sidebar_current: "docs-google-datasource-iam-policy"
description: |-
Generates an IAM policy that can be referenced by other resources, applying
the policy to them.
---
# google\_iam\_policy
Generates an IAM policy document that may be referenced by and applied to
other Google Cloud Platform resources, such as the `google_project` resource.
```
data "google_iam_policy" "admin" {
  binding {
    role = "roles/compute.instanceAdmin"

    members = [
      "serviceAccount:your-custom-sa@your-project.iam.gserviceaccount.com",
    ]
  }

  binding {
    role = "roles/storage.objectViewer"

    members = [
      "user:jane@example.com",
    ]
  }
}
```
This data source is used to define IAM policies to apply to other resources.
Currently, defining a policy through a datasource and referencing that policy
from another resource is the only way to apply an IAM policy to a resource.
**Note:** Several restrictions apply when setting IAM policies through this API.
See the [setIamPolicy docs](https://cloud.google.com/resource-manager/reference/rest/v1/projects/setIamPolicy)
for a list of these restrictions.
## Argument Reference
The following arguments are supported:
* `binding` (Required) - A nested configuration block (described below)
defining a binding to be included in the policy document. Multiple
`binding` arguments are supported.
Each document configuration must have one or more `binding` blocks, which
each accept the following arguments:
* `role` (Required) - The role/permission that will be granted to the members.
See the [IAM Roles](https://cloud.google.com/compute/docs/access/iam) documentation for a complete list of roles.
* `members` (Required) - An array of identities that will be granted the privilege in the `role`.
Each entry can have one of the following values:
* **allUsers**: A special identifier that represents anyone who is on the internet, with or without a Google account. It **can't** be used with the `google_project` resource.
* **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. It **can't** be used with the `google_project` resource.
* **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
* **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
* **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
* **domain:{domain}**: A Google Apps domain name that represents all the users of that domain. For example, google.com or example.com.
## Attributes Reference
The following attribute is exported:
* `policy_data` - The above bindings serialized in a format suitable for
referencing from a resource that supports IAM.
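The member formats listed above and the exported `policy_data` lend themselves to a pre-apply check: the following Python linter is an added example, not part of the provider or its documentation. It assumes `policy_data` is a JSON document of the shape `{"bindings": [{"role": ..., "members": [...]}]}`, and flags members that do not match any documented form as well as the `allUsers` / `allAuthenticatedUsers` grants that the page says cannot be applied to a `google_project`.

```python
import json
import re

# Member forms accepted by the data source, as listed in the argument reference.
EMAIL_PREFIXES = ("user:", "serviceAccount:", "group:")
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}  # not allowed on google_project
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_DOMAIN = re.compile(r"^[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def check_member(member, target_is_project):
    """Return a finding for one member string, or None if it is well formed."""
    if member in PUBLIC_MEMBERS:
        return f"{member} cannot be used with google_project" if target_is_project else None
    for prefix in EMAIL_PREFIXES:
        if member.startswith(prefix):
            ok = _EMAIL.match(member[len(prefix):])
            return None if ok else f"{member}: expected an email address after {prefix}"
    if member.startswith("domain:"):
        ok = _DOMAIN.match(member[len("domain:"):])
        return None if ok else f"{member}: expected a domain name after domain:"
    return f"{member}: unknown member format"


def lint_policy(policy_data, target_is_project=True):
    """Parse a policy_data JSON document (assumed shape: {"bindings": [...]}) and
    return one finding per malformed or project-incompatible entry."""
    findings = []
    for binding in json.loads(policy_data).get("bindings", []):
        role = binding.get("role", "")
        # Predefined roles use the roles/<name> form shown above; flag anything else for review.
        if not role.startswith("roles/"):
            findings.append(f"role {role!r} does not look like roles/<name>")
        for member in binding.get("members", []):
            problem = check_member(member, target_is_project)
            if problem:
                findings.append(f"{role}: {problem}")
    return findings


# Constructed sample: the page's two bindings plus a public grant and a mistyped prefix.
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/compute.instanceAdmin",
     "members": ["serviceAccount:your-custom-sa@your-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["user:jane@example.com", "allUsers", "usr:bob@example.com"]},
]})

if __name__ == "__main__":
    print("\n".join(lint_policy(SAMPLE_POLICY)) or "no findings")
```

Run it against the `policy_data` output of `terraform show -json` (or a plan) before the policy is applied; an empty result means every binding uses a documented member form and no public grant targets a project.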