Cloud Deployment Manager will reach end of support on December 31, 2025. If you currently use Deployment Manager, please migrate to Infrastructure Manager or an alternative deployment technology by December 31, 2025 to ensure your services continue without interruption.
Replacing the setIamPolicy Action with a supported resource type
The Actions feature is an alpha
feature that expands the range of API methods that Deployment Manager can
call. Because this feature is unsupported, we recommend that you migrate your existing usage of Actions to supported alternatives. The commonly-used Action `storage.buckets.setIamPolicy` corresponds to an existing Deployment Manager
resource type, `virtual.buckets.iamMemberBinding`, which you can use to replace
it.
Migrating your deployment from `storage.buckets.setIamPolicy` to `virtual.buckets.iamMemberBinding`
The `virtual.buckets.iamMemberBinding` resource is a virtual resource that
represents an Identity and Access Management (IAM) policy binding. Its full type is `gcp-types/storage-v1:virtual.buckets.iamMemberBinding`.
`virtual.buckets.iamMemberBinding` has a custom implementation of the create,
read, update, and delete (CRUD) operations from the Deployment Manager
backend. It calls a method similar to the one called by the Action `storage.buckets.setIamPolicy`, but it is modeled as a normal resource instead
of an Action, and it follows the same lifecycle as a normal resource type.
To migrate your deployment, replace your usage of the Action `storage.buckets.setIamPolicy` with the resource `virtual.buckets.iamMemberBinding` in all of your deployment configuration
files. If you have multiple bindings, you might need multiple resources to
implement the same logic across them. The virtual type doesn't replace any
existing bindings on a resource, but patches the new ones in.
Usage examples for migrating manually
To complete the migration manually, refer to the following usage examples. In
certain cases, such as the application of multiple IAM bindings,
you might need to add `metadata.dependsOn` or references to other resources to
the `iamMemberBinding` resource to avoid situations such as race conditions.
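
For the multiple-bindings case, the following Python template is an added example (not from the original page or from Google's samples): it expands the `add` list of an old `gcpIamPolicyPatch` into one `iamMemberBinding` resource per role and member, and chains them with `metadata.dependsOn` so the patches are applied one after another. The names `bindings_from_patch`, `BINDING_TYPE`, `SAMPLE_PATCH_ADD`, the `bucket` and `bindings` template properties, and the sample members are assumptions made for illustration.

```python
# Added example: not from the original page or the cloud-foundation-toolkit.
BINDING_TYPE = 'gcp-types/storage-v1:virtual.buckets.iamMemberBinding'

# Constructed sample input shaped like the 'add' list of a gcpIamPolicyPatch.
SAMPLE_PATCH_ADD = [
    {'roles': 'roles/storage.objectViewer',
     'members': ['serviceAccount:reader@example-project.iam.gserviceaccount.com',
                 'group:auditors@example.com']},
    {'role': 'roles/storage.admin', 'members': ['group:auditors@example.com']},
]


def bindings_from_patch(bucket_ref, patch_add, name_prefix='bucket-iam'):
    """Return one iamMemberBinding resource per (role, member) pair.

    The virtual type takes a single role and a single member, so a patch with
    several members fans out. Each resource depends on the previous one so
    Deployment Manager applies the policy patches one after another.
    """
    resources, seen = [], set()
    for entry in patch_add:
        # The Action sample on the page uses the key 'roles'; accept 'role' too.
        role = entry.get('role') or entry.get('roles')
        if not role:
            raise ValueError('binding entry has no role: %r' % (entry,))
        for member in entry.get('members', []):
            if (role, member) in seen:  # skip duplicate grants
                continue
            seen.add((role, member))
            resource = {
                'name': '%s-%d' % (name_prefix, len(resources)),
                'type': BINDING_TYPE,
                'properties': {'bucket': bucket_ref, 'role': role,
                               'member': member},
            }
            if resources:  # serialize against the previous binding
                resource['metadata'] = {'dependsOn': [resources[-1]['name']]}
            resources.append(resource)
    return resources


def GenerateConfig(context):
    """Template entry point; 'bucket' and 'bindings' are assumed properties."""
    props = context.properties
    return {'resources': bindings_from_patch(props['bucket'], props['bindings'])}
```

Because every grant becomes its own named resource, each role and member pair shows up individually in the deployment manifest, which makes over-broad grants easier to spot in review.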
YAML + Jinja
The following is an example of how the `setIamPolicy` Action is used in a
YAML configuration file. This approach is unsupported, and should be replaced
with usage of the `iamMemberBinding` virtual resource:

    - name: patch-iam-policy
      action: gcp-types/storage-v1:storage.buckets.setIamPolicy
      properties:
        bucket:
        policy: # existing policy, e.g. from a getIamPolicyAction
        gcpIamPolicyPatch:
          add:

The following sample shows the recommended usage of the `iamMemberBinding` virtual resource in a YAML and Jinja template:

    {% set BUCKETNAME = "bucket-" + env["deployment"] %}

    resources:
    - type: gcp-types/storage-v1:buckets
      name: {{ BUCKETNAME }}
      properties:
        location: US
        storageClass: STANDARD
    - type: gcp-types/storage-v1:virtual.buckets.iamMemberBinding
      name: test-bucket-iam
      properties:
        bucket: $(ref.{{ BUCKETNAME }}.name)
        member: projectEditor:{{ env["project"] }}
        role: roles/storage.admin

Python
The following is an example of how the `setIamPolicy` Action is used in a
Python template. This approach is unsupported, and should be replaced with
usage of the `iamMemberBinding` virtual resource:

    # Unsupported: sets the bucket policy through the alpha Actions feature.
    resources.append({
        'name': 'add-iam-policy',
        'action': 'gcp-types/storage-v1:storage.buckets.setIamPolicy',
        'properties': {
            'bucket': gcs_bucket,
            'userProject': project,
            'policy': '$(ref.get-iam-policy)',
            'gcpIamPolicyPatch': {
                'add': [{
                    'roles':
                        'roles/storage.objectViewer',
                    'members': [
                        'serviceAccount:$(ref.%s.serviceAccount)' % tpu_name
                    ]
                }]
            }
        }
    })

The following sample shows the recommended usage of the `iamMemberBinding` virtual resource in a Python template:

    # Supported: one virtual resource per role and member on the bucket.
    iam_policy_resource = {
        'name': policy_name,
        'type': 'gcp-types/storage-v1:virtual.buckets.iamMemberBinding',
        'properties':
            {
                'bucket': '$(ref.{}.name)'.format(context.env['name']),
                'role': role['role'],
                'member': member,
            }
    }

You can find additional samples related to the [`gcs-bucket.py` template](https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/tree/master/dm/templates/gcs_bucket) in the [`cloud-foundation-toolkit` repository](https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit) on GitHub. For a detailed demonstration of the process of converting the `gcs-bucket.py` template from using the Action `setIamPolicy` to using the
virtual resource `iamMemberBinding`, refer to the [example conversion](https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/pull/453/files).
You can also find [usage examples](https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/tree/master/dm/templates/gcs_bucket/examples) of the converted template.
Last updated 2025-09-04 UTC.