This configuration defines all the Cloud IAM roles that need to be granted to a particular Google Cloud resource for the selected principal, such as a service account. These configurations let the UI show customers which IAM roles they need to grant. Alternatively, the UI can use these configurations to render a 'grant' button that grants the roles on behalf of the user.
Optional. Resource on which the roles need to be granted for the principal.
helperTextTemplate
string
Optional. Template that UI can use to provide helper text to customers.
Principal
Supported Principal values.
Enums
PRINCIPAL_UNSPECIFIED
Value type is not specified.
CONNECTOR_SA
Service Account used for Connector workload identity. This is either the default service account if unspecified or the Service Account provided by Customers through BYOSA.
Optional. Template to uniquely represent a Google Cloud resource in a format IAM expects. This is a template that can have references to other values provided in the config variable template.
Type
Resource Type definition.
Enums
TYPE_UNSPECIFIED
Value type is not specified.
GCP_PROJECT
Google Cloud Project Resource.
GCP_RESOURCE
Any Google Cloud Resource which is identified uniquely by IAM.
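Because a RoleGrant can drive a 'grant' button, it is worth reviewing what a configuration asks for before the roles are granted. The following is an added example, not code from this page or from Google: it checks RoleGrant-shaped objects against the enum values listed here and flags basic roles and project-wide grants. The field names principal, roles, resource, type and pathTemplate follow the RoleGrant JSON representation; the function name, the sample grants and the pathTemplate placeholder are constructed for illustration.

```python
import json

# Enum values named on this page.
PRINCIPALS = {"PRINCIPAL_UNSPECIFIED", "CONNECTOR_SA"}
TYPES = {"TYPE_UNSPECIFIED", "GCP_PROJECT", "GCP_RESOURCE",
         "GCP_SECRETMANAGER_SECRET", "GCP_SECRETMANAGER_SECRET_VERSION"}
# IAM basic roles are broad by design, so any grant of one deserves review.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

def review_role_grant(grant):
    """Return least-privilege findings for one RoleGrant-shaped dict (hypothetical helper)."""
    findings = []
    principal = grant.get("principal", "PRINCIPAL_UNSPECIFIED")
    if principal not in PRINCIPALS:
        findings.append(f"unknown principal {principal!r}")
    elif principal == "PRINCIPAL_UNSPECIFIED":
        findings.append("principal is unspecified")
    roles = grant.get("roles") or []
    if not roles:
        findings.append("no roles listed")
    resource = grant.get("resource") or {}
    rtype = resource.get("type", "TYPE_UNSPECIFIED")
    if rtype not in TYPES:
        findings.append(f"unknown resource type {rtype!r}")
    elif rtype == "TYPE_UNSPECIFIED":
        findings.append("resource type is unspecified")
    for role in roles:
        if role in BASIC_ROLES:
            findings.append(f"basic role {role} should be replaced by a predefined role")
        elif rtype == "GCP_PROJECT":
            findings.append(f"{role} is granted project-wide")
    return findings

# Constructed sample input; the pathTemplate value is a placeholder, not real template syntax.
SAMPLE = json.loads("""[
  {"principal": "CONNECTOR_SA",
   "roles": ["roles/secretmanager.secretAccessor"],
   "resource": {"type": "GCP_SECRETMANAGER_SECRET",
                "pathTemplate": "PLACEHOLDER_SECRET_PATH"}},
  {"principal": "CONNECTOR_SA",
   "roles": ["roles/editor", "roles/pubsub.viewer"],
   "resource": {"type": "GCP_PROJECT"}}
]""")

if __name__ == "__main__":
    for index, grant in enumerate(SAMPLE):
        print(index, review_role_grant(grant) or "ok")
```

The first sample grant is scoped to a single secret and produces no findings; the second is reported twice, once for the basic role and once for the project-wide scope.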
The supported Type enums also include GCP_SECRETMANAGER_SECRET and GCP_SECRETMANAGER_SECRET_VERSION as resource type definitions.

Last updated 2025-06-27 UTC.