examples/code_search/demo/cs-demo-1103/gcp_config/iam_bindings.yaml

# This config is used by iam_patch.py. It is not a DM config.
#
# Schema for this yaml file
# * bindings is a list of (members, roles) dict
# * members and roles are lists
# * each role in roles is granted to each member in members
bindings:
- members:
  - serviceAccount:cs-demo-1103-admin@code-search-demo.iam.gserviceaccount.com
  roles:
  # Grant permissions needed to push the app to a cloud repository
  - roles/source.admin
  # servicemanagement.admin is needed by CloudEndpoints controller so we can create a service to get a hostname.
  - roles/servicemanagement.admin
  # Network admin is needed to enable IAP and configure network settings like backend timeouts and health checks
  - roles/compute.networkAdmin
- members:
  - serviceAccount:cs-demo-1103-user@code-search-demo.iam.gserviceaccount.com
  roles:
  # Grant permissions needed to submit builds to Google Cloud Container Builder
  - roles/cloudbuild.builds.editor
  # roles/viewer is required for viewing the logs of a GCB build
  - roles/viewer
  # Grant permissions needed to push the app to a cloud repository
  - roles/source.admin
  - roles/storage.admin
  - roles/bigquery.admin
  - roles/dataflow.admin
- members:
  - serviceAccount:cs-demo-1103-vm@code-search-demo.iam.gserviceaccount.com
  roles:
  # VM service account is used to write logs
  - roles/logging.logWriter
  # VM service account is used to write monitoring data
  - roles/monitoring.metricWriter
  # VM service account is used to pull image from gcr
  - roles/storage.objectViewer
- members:
  - user:jlewi@google.com
  roles:
  - roles/iap.httpsResourceAccessor