add_iam_policy_binding
Grant IAM roles to specific users or service accounts in a GCP project by adding policy bindings. Specify project ID, role, and member to assign access permissions securely.
Instructions
Add an IAM policy binding to a GCP project.
Args:
project_id: The ID of the GCP project
role: The role to grant (e.g., "roles/compute.admin")
member: The member to grant the role to (e.g., "user:email@example.com", "serviceAccount:name@project.iam.gserviceaccount.com")
Returns:
Result of the policy binding operation
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| member | Yes | The member to grant the role to (e.g., "user:email@example.com", "serviceAccount:name@project.iam.gserviceaccount.com") | |
| project_id | Yes | The ID of the GCP project | |
| role | Yes | The role to grant (e.g., "roles/compute.admin") | |
Implementation Reference
- The handler function that implements the 'add_iam_policy_binding' tool logic. It uses Google Cloud APIs to modify the IAM policy of a project by adding a member to a role binding, with checks to avoid duplicates.

  ```python
  def add_iam_policy_binding(project_id: str, role: str, member: str) -> str:
      """
      Add an IAM policy binding to a GCP project.

      Args:
          project_id: The ID of the GCP project
          role: The role to grant (e.g., "roles/compute.admin")
          member: The member to grant the role to (e.g., "user:email@example.com", "serviceAccount:name@project.iam.gserviceaccount.com")

      Returns:
          Result of the policy binding operation
      """
      try:
          from google.cloud import resourcemanager_v3
          from google.iam.v1 import iam_policy_pb2, options_pb2, policy_pb2

          # Initialize the Resource Manager client
          client = resourcemanager_v3.ProjectsClient()

          # Get the current IAM policy. Policy version 3 is requested so that any
          # existing conditional bindings are returned intact; with the default
          # version the read-modify-write below would fail or drop them.
          get_request = iam_policy_pb2.GetIamPolicyRequest(
              resource=f"projects/{project_id}",
              options=options_pb2.GetPolicyOptions(requested_policy_version=3),
          )
          policy = client.get_iam_policy(request=get_request)

          # Look for an existing unconditional binding for this role. The member is
          # merged into it rather than added as a second binding for the same role;
          # conditional bindings are distinct grants and are left untouched.
          target_binding = None
          for binding in policy.bindings:
              if binding.role == role and not binding.HasField("condition"):
                  if member in binding.members:
                      return f"IAM policy binding already exists: {member} already has role {role} in project {project_id}."
                  target_binding = binding
                  break

          if target_binding is not None:
              target_binding.members.append(member)
          else:
              # No binding for this role yet: add a new one
              binding = policy_pb2.Binding()
              binding.role = role
              binding.members.append(member)
              policy.bindings.append(binding)

          # Set the updated IAM policy. The policy still carries the etag returned by
          # get_iam_policy, so a concurrent modification is rejected instead of overwritten.
          set_request = iam_policy_pb2.SetIamPolicyRequest(
              resource=f"projects/{project_id}",
              policy=policy,
          )
          client.set_iam_policy(request=set_request)

          return f"""
  IAM policy binding added successfully:
  - Project: {project_id}
  - Role: {role}
  - Member: {member}
  """
      except Exception as e:
          return f"Error adding IAM policy binding: {str(e)}"
  ```
- Type hints and the docstring provide the input schema (project_id, role, member) and the output description for the MCP tool.

  ```python
  def add_iam_policy_binding(project_id: str, role: str, member: str) -> str:
      """
      Add an IAM policy binding to a GCP project.

      Args:
          project_id: The ID of the GCP project
          role: The role to grant (e.g., "roles/compute.admin")
          member: The member to grant the role to (e.g., "user:email@example.com", "serviceAccount:name@project.iam.gserviceaccount.com")

      Returns:
          Result of the policy binding operation
      """
  ```
- src/gcp_mcp/gcp_modules/iam/tools.py:256-256 (registration): The @mcp.tool() decorator on the handler function registers it as an MCP tool named 'add_iam_policy_binding' (derived from the function name).

  ```python
  @mcp.tool()
  ```
- src/gcp_mcp/server.py:36-36 (registration): Within the module registration function, calls register_tools from the iam_tools module, which defines and registers the 'add_iam_policy_binding' tool.

  ```python
  iam_tools.register_tools(mcp)
  ```
- src/gcp_mcp/server.py:7-7 (registration): Imports the IAM tools module containing the register_tools function and the add_iam_policy_binding tool implementation.

  ```python
  from .gcp_modules.iam import tools as iam_tools
  ```
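The read-modify-write that the handler performs, as an added example (not the project's code) written against the JSON form of a project IAM policy so it runs without GCP credentials: it merges the member into an existing unconditional binding for the role, leaves conditional bindings alone, preserves the etag, and refuses grants to public principals or to basic roles unless explicitly overridden. `plan_binding`, the guard lists and `SAMPLE_POLICY` are assumptions made for this example.

```python
import copy
import re

# Principals that make a resource public: a grant to them is a finding, not a change to apply.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Basic roles are too coarse for least privilege; require an explicit override to grant them.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
MEMBER_RE = re.compile(r"^(user|serviceAccount|group|domain):\S+$")

# Constructed sample in the JSON shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = {
    "version": 3,
    "etag": "BwExampleEtag=",  # placeholder etag, not a real value
    "bindings": [
        {"role": "roles/compute.viewer", "members": ["user:alice@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:reader@example-project.iam.gserviceaccount.com"],
         "condition": {"title": "expires",
                       "expression": 'request.time < timestamp("2030-01-01T00:00:00Z")'}},
    ],
}


def plan_binding(policy: dict, role: str, member: str, allow_basic_roles: bool = False) -> dict:
    """Return {"policy": <new policy>, "changed": bool} with `member` granted `role`.

    The input is not mutated. The member is merged into an existing unconditional
    binding for the role (no second binding for the same role is created), and
    conditional bindings are left untouched because they are distinct grants.
    The etag is carried over so setIamPolicy rejects a concurrent modification.
    """
    if member in PUBLIC_MEMBERS:
        raise ValueError(f"refusing to grant {role} to public principal {member}")
    if not MEMBER_RE.match(member):
        raise ValueError(f"member must carry a principal-type prefix: {member!r}")
    if role in BASIC_ROLES and not allow_basic_roles:
        raise ValueError(f"{role} is a basic role; pass allow_basic_roles=True to override")

    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])
    for binding in bindings:
        if binding.get("role") == role and "condition" not in binding:
            if member in binding["members"]:
                return {"policy": new_policy, "changed": False}  # idempotent: already granted
            binding["members"].append(member)
            return {"policy": new_policy, "changed": True}
    bindings.append({"role": role, "members": [member]})  # first grant of this role
    return {"policy": new_policy, "changed": True}
```

A caller that gets `changed == False` can skip the setIamPolicy call entirely, which is also the cheapest way to keep audit logs free of no-op policy writes.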