Literals for GCP IAM role names

I want to assign the IAM role Kubernetes Engine Cluster viewer to a service account. This is the HCL code I have:

resource "google_project_iam_binding" "px_kubernetes_engine_cluster_viewer" {
    project = var.project_id
    role    = "roles/kubernetesEngineCluster.viewer"
    members = [
        "serviceAccount:${google_service_account.px.email}",
    ]
}

The problem is that whatever string in HCL maps to this role, it's not “roles/kubernetesEngineCluster.viewer” or “roles/kubernetesEngineClusterViewer”.

My question is this: how can I find out the correct string I should be using for the role?

Hi @chrisadkin,

I’m not familiar with this particular resource type and so I don’t have a direct answer to your question, but the general rules for connecting objects in this provider suggest that an argument like role expects to receive a value like what the provider would write into the self_link attribute of the corresponding other resource type.

Therefore I think a way to learn the answer to your question would be to temporarily declare a similar IAM role with Terraform and use terraform show to see what syntax is used in its self_link, and then use similar syntax for your literal role argument value here.

I’ve moved this question over into the Google Cloud Platform provider’s category in the hope that someone there will be able to provide a more direct answer to this question, but hopefully even if not the above will be a reasonable way to learn the answer indirectly.
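Added example, not part of the original thread: a small check that compares the `role` literals in HCL against the role list GCP itself publishes, and maps a string guessed from the console display name back to the real role ID. It takes a different route from the reply above. The role list here is a constructed sample in the shape of `gcloud iam roles list --format=json` output (in practice, load that command's real output), and `squash` and `check_roles` are hypothetical helper names.

```python
import json
import re

# Constructed sample of `gcloud iam roles list --format=json` output, trimmed to
# the two fields used here. "title" is the console display name; "name" is the
# role ID that the Terraform `role` argument expects.
ROLES_JSON = """
[
  {"name": "roles/container.admin", "title": "Kubernetes Engine Admin"},
  {"name": "roles/container.clusterAdmin", "title": "Kubernetes Engine Cluster Admin"},
  {"name": "roles/container.clusterViewer", "title": "Kubernetes Engine Cluster Viewer"},
  {"name": "roles/container.viewer", "title": "Kubernetes Engine Viewer"}
]
"""

# The binding from the question, with the role string guessed from the title.
HCL = '''
resource "google_project_iam_binding" "px_kubernetes_engine_cluster_viewer" {
    project = var.project_id
    role    = "roles/kubernetesEngineCluster.viewer"
}
'''

def squash(text):
    """Lower-case and keep only letters and digits, so guesses compare to titles."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def check_roles(hcl, roles):
    """Map each role literal in the HCL to a known role ID, or None if no match."""
    ids = {r["name"] for r in roles}
    by_title = {squash(r["title"]): r["name"] for r in roles}
    result = {}
    for literal in re.findall(r'^\s*role\s*=\s*"([^"]+)"', hcl, re.MULTILINE):
        if literal in ids:
            result[literal] = literal          # already a valid role ID
        else:
            # Not a role ID: see whether it is a display title written as an ID.
            guess = squash(literal.split("/", 1)[-1])
            result[literal] = by_title.get(guess)
    return result

if __name__ == "__main__":
    for literal, role_id in check_roles(HCL, json.loads(ROLES_JSON)).items():
        status = "ok" if literal == role_id else f"not a role ID; title match: {role_id}"
        print(f"{literal}: {status}")
```

Running a check like this before `terraform apply` catches a mistyped role string early and confirms that the binding grants the narrow role that was intended.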