google-cloud-platform - Google Cloud Deployment Manager - 如何授予 pubsub 发布者对现有主题的服务帐户的访问权限

问题描述

有一个创建 PubSub 主题的现有 Deployment-1。

resources:
- name: customer-updates-topic
  type: pubsub.v1.topic
  properties:
    topic: customer-updates
  accessControl:
    gcpIamPolicy:
      bindings:
      - members:
        - serviceAccount:955977181320@cloudbuild.gserviceaccount.com
        role: roles/pubsub.publisher
      - members:
        - serviceAccount:955977181320@cloudbuild.gserviceaccount.com
        role: roles/pubsub.viewer

我需要创建自己的 Deployment-2，如下所示，我想在其中创建一个服务帐户并授予它在上述部署中创建的主题的发布者角色。

resources:
- name: customer-updates-svc
  type: iam.v1.serviceAccount
  properties:
    accountId: customer-updates-svc

- name: pubsub-topic
  type: pubsub.v1.topic
  properties:
    topic: customer-updates
  accessControl:
    gcpIamPolicy:
      bindings:
      - members:
        - serviceAccount:$(ref.customer-updates-svc.email)
        role: roles/pubsub.publisher
  metadata:
    dependsOn:
    - customer-updates-svc

我的 Deployment-2 工作正常，但它删除了 Deployment-1 设置的 gcpIamPolicy.bindings。

有没有办法将新的 gcpIamPolicy.bindings 添加/附加到现有主题？

谢谢， TM

标签： google-cloud-platformgoogle-deployment-manager