Forge Home


A Puppet module to manage Google Compute IAM resources


46,068 latest version

4.1 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 0.1.1 (latest)
  • 0.1.0 (deleted)
released Feb 2nd 2018
This version is compatible with:
  • , , , , , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'google-giam', '0.1.1'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add google-giam
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install google-giam --version 0.1.1

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Tags: cloud, google, iam


google/giam — version 0.1.1 Feb 2nd 2018

Google Cloud IAM Puppet Module

Puppet Forge

Table of Contents

  1. Module Description - What the module does and why it is useful
  2. Setup - The basics of getting started with Google Cloud IAM
  3. Usage - Configuration options and additional functionality
  4. Reference - An under-the-hood peek at what the module is doing and how
  5. Limitations - OS compatibility, etc.
  6. Development - Guide for contributing to the module

Module Description

This Puppet module manages the resource of Google Cloud IAM. You can manage its resources using standard Puppet DSL and the module will, under the hood, ensure the state described will be reflected in the Google Cloud Platform resources.


To install this module on your Puppet Master (or Puppet Client/Agent), use the Puppet module installer:

puppet module install google-giam

Optionally you can install support to all Google Cloud Platform products at once by installing our "bundle" google-cloud module:

puppet module install google-cloud



All Google Cloud Platform modules use an unified authentication mechanism, provided by the google-gauth module. Don't worry, it is automatically installed when you install this module.

gauth_credential { 'mycred':
  path     => $cred_path, # e.g. '/home/nelsonjr/my_account.json'
  provider => serviceaccount,
  scopes   => [

Please refer to the google-gauth module for further requirements, i.e. required gems.



giam_service_account { '':
  ensure       => present,
  display_name => 'My Puppet test key',
  project      => '',
  credential   => 'mycred',


giam_service_account_key { 'test-name':
  ensure           => present,
  service_account  => 'myaccount',
  path             => '/home/nelsona/test.json',
  key_algorithm    => 'KEY_ALG_RSA_2048',
  private_key_type => 'TYPE_GOOGLE_CREDENTIALS_FILE',
  project          => '',
  credential       => 'mycred',


Public classes

About output only properties

Some fields are output-only. It means you cannot set them because they are provided by the Google Cloud Platform. Yet they are still useful to ensure the value the API is assigning (or has assigned in the past) is still the value you expect.

For example in a DNS the name servers are assigned by the Google Cloud DNS service. Checking these values once created is useful to make sure your upstream and/or root DNS masters are in sync. Or if you decide to use the object ID, e.g. the VM unique ID, for billing purposes. If the VM gets deleted and recreated it will have a different ID, despite the name being the same. If that detail is important to you you can verify that the ID of the object did not change by asserting it in the manifest.



A service account in the Identity and Access Management API.


giam_service_account { '':
  ensure       => present,
  display_name => 'My Puppet test key',
  project      => '',
  credential   => 'mycred',


giam_service_account { 'id-of-resource':
  display_name     => string,
  email            => string,
  name             => string,
  oauth2_client_id => string,
  unique_id        => string,
  project_id       => string,
  project          => string,
  credential       => reference to gauth_credential,

The name of the service account.


User specified description of service account.

Output-only properties
  • project_id: Output only. Id of the project that owns the service account.

  • unique_id: Output only. Unique and stable id of the service account

  • email: Output only. Email address of the service account.

  • oauth2_client_id: Output only. OAuth2 client id for the service account.


A service account in the Identity and Access Management API.


giam_service_account_key { 'test-name':
  ensure           => present,
  service_account  => 'myaccount',
  path             => '/home/nelsona/test.json',
  key_algorithm    => 'KEY_ALG_RSA_2048',
  private_key_type => 'TYPE_GOOGLE_CREDENTIALS_FILE',
  project          => '',
  credential       => 'mycred',


giam_service_account_key { 'id-of-resource':
  fail_if_mismatch  => boolean,
  key_algorithm     => 'KEY_ALG_UNSPECIFIED', 'KEY_ALG_RSA_1024' or 'KEY_ALG_RSA_2048',
  key_id            => string,
  name              => string,
  path              => string,
  private_key_data  => string,
  public_key_data   => string,
  service_account   => reference to giam_service_account,
  valid_after_time  => time,
  valid_before_time => time,
  project           => string,
  credential        => reference to gauth_credential,

Output format for the service account key.


Specifies the algorithm for the key.


A reference to ServiceAccount resource


The full name of the file that will hold the service account private key. The management of this file will depend on the value of sync_file parameter. File path must be absolute.


Used to ensure the deletion of the key in the absence of a key file.


If set to 'true' protects the target file from being rewritten with a new private key. By default the file is always ensured to have a valid private key on final state.

Output-only properties
  • name: Output only. The name of the key.

  • private_key_data: Output only. Private key data. Base-64 encoded.

  • public_key_data: Output only. Public key data. Base-64 encoded.

  • valid_after_time: Output only. Key can only be used after this time.

  • valid_before_time: Output only. Key can only be used before this time.


This module has been tested on:

  • RedHat 6, 7
  • CentOS 6, 7
  • Debian 7, 8
  • Ubuntu 12.04, 14.04, 16.04, 16.10
  • SLES 11-sp4, 12-sp2
  • openSUSE 13
  • Windows Server 2008 R2, 2012 R2, 2012 R2 Core, 2016 R2, 2016 R2 Core

Testing on other platforms has been minimal and cannot be guaranteed.


Automatically Generated Files

Some files in this package are automatically generated by Magic Modules.

We use a code compiler to produce this module in order to avoid repetitive tasks and improve code quality. This means all Google Cloud Platform Puppet modules use the same underlying authentication, logic, test generation, style checks, etc.

Learn more about the way to change autogenerated files by reading the file.


Contributions to this library are always welcome and highly encouraged.

See for more information on how to get started.

Running tests

This project contains tests for rspec, rspec-puppet and rubocop to verify functionality. For detailed information on using these tools, please see their respective documentation.

Testing quickstart: Ruby > 2.0.0

gem install bundler
bundle install
bundle exec rspec
bundle exec rubocop

Debugging Tests

In case you need to debug tests in this module you can set the following variables to increase verbose output:

Variable Side Effect
PUPPET_HTTP_VERBOSE=1 Prints network access information by Puppet provier.
PUPPET_HTTP_DEBUG=1 Prints the payload of network calls being made.
GOOGLE_HTTP_VERBOSE=1 Prints debug related to the network calls being made.
GOOGLE_HTTP_DEBUG=1 Prints the payload of network calls being made.

During test runs (using rspec) you can also set:

Variable Side Effect
RSPEC_DEBUG=1 Prints debug related to the tests being run.
RSPEC_HTTP_VERBOSE=1 Prints network expectations and access.