def __view_bucket_iam_members( bucket: Bucket ): # type inference on bucket, to make method more protected. policy = bucket.get_iam_policy() for role in policy: members = policy[role] print('Role: {}, Members: {}'.format(role, members))
def _bucket_iam_helper(bucket: Bucket, member: str, roles: list, add: bool = True): policy = bucket.get_iam_policy() msg = [] if add: for role in roles: policy[role].add(member) msg.append(f"Added {member} with role {role} to {bucket.name}.") else: for role in roles: policy[role].discard(member) msg.append(f"Removed {member} with role {role} from {bucket.name}.") bucket.set_iam_policy(policy) return "\n".join(msg)
def destination_bucket(gcs_bucket: storage.Bucket, sts_service_account: str): """ Yields and auto-cleans up a CGS bucket preconfigured with necessary STS service account write perms """ # Setup policy for STS member: str = f"serviceAccount:{sts_service_account}" bucketWriter = "roles/storage.legacyBucketWriter" # Prepare policy policy = gcs_bucket.get_iam_policy(requested_policy_version=3) policy.bindings.append({"role": bucketWriter, "members": {member}}) # Set policy gcs_bucket.set_iam_policy(policy) yield gcs_bucket
def revoke_expiring_gcs_access(
    bucket: storage.Bucket, role: str, user_email: str, prefix: Optional[str] = None
):
    """Revoke a bucket IAM policy change made by calling `grant_expiring_gcs_access`.

    Every binding matching (prefix, role, user_email) is popped from the
    policy, at most GOOGLE_MAX_DOWNLOAD_PERMISSIONS of them. A warning is
    emitted when no such binding existed. The policy is written back
    unconditionally, even when nothing was removed.

    Args:
        bucket: bucket whose IAM policy is edited.
        role: IAM role that was granted.
        user_email: member the grant was made to.
        prefix: object prefix the grant was scoped to; None for a grant
            covering the whole bucket.
    """
    # see https://cloud.google.com/storage/docs/access-control/using-iam-permissions#code-samples_3
    policy = bucket.get_iam_policy(requested_policy_version=3)
    # version 3 is what the conditional (expiring) bindings require on write-back
    policy.version = 3

    # Bounded loop: each pass pops at most one matching binding; stop at the
    # first miss, warning only if even the first lookup found nothing.
    for attempt in range(GOOGLE_MAX_DOWNLOAD_PERMISSIONS):
        if _find_and_pop_binding(policy, prefix, role, user_email) is not None:
            continue
        if attempt == 0:
            warnings.warn(
                f"Tried to revoke a non-existent download IAM permission for {user_email}/{prefix}"
            )
        break

    bucket.set_iam_policy(policy)
def grant_expiring_gcs_access(
    bucket: storage.Bucket, role: str, user_email: str, prefix: Optional[str] = None
):
    """Grant `user_email` the provided `role` on a `bucket`, with an expiry.

    The binding built by `_build_binding_with_expiry` expires after
    `INACTIVE_USER_DAYS` days. By default the grant covers the whole bucket;
    pass an object URL `prefix` to restrict it to a subset of the objects.

    Args:
        bucket: bucket whose IAM policy is edited.
        role: IAM role to grant.
        user_email: member receiving the grant.
        prefix: optional object prefix that scopes the grant; None means the
            whole bucket.
    """
    # see https://cloud.google.com/storage/docs/access-control/using-iam-permissions#code-samples_3
    policy = bucket.get_iam_policy(requested_policy_version=3)
    # version 3 is what the conditional (expiring) binding requires on write-back
    policy.version = 3

    # Drop one stale binding for this (prefix, role, member) first so the
    # re-added one carries a fresh TTL instead of stacking up duplicates.
    # Only a single pop is attempted here; revoke_expiring_gcs_access is the
    # helper that loops.
    _find_and_pop_binding(policy, prefix, role, user_email)
    policy.bindings.append(
        _build_binding_with_expiry(bucket.name, prefix, role, user_email)
    )
    bucket.set_iam_policy(policy)