def _set_bucket_service_account(service_account, client, bucket_name, iam_policy):
  """Make the service account the sole objectAdmin member of a bucket.

  Args:
    service_account: Mapping with an 'email' key naming the service account.
    client: Storage client handed through to the storage helpers.
    bucket_name: Name of the bucket whose IAM policy is being edited.
    iam_policy: The bucket's current IAM policy; the objectAdmin binding inside
      it is mutated in place.

  Returns:
    The policy unchanged when the objectAdmin binding already holds exactly this
    service account, otherwise whatever storage.set_bucket_iam_policy returns
    after the write.
  """
  admin_binding = storage.get_or_create_bucket_iam_binding(
      iam_policy, OBJECT_ADMIN_IAM_ROLE)
  wanted_members = ['serviceAccount:' + service_account['email']]
  if admin_binding['members'] != wanted_members:
    # The member list is replaced wholesale, not appended to, so any other
    # objectAdmin members (e.g. a previous service account) lose the role.
    admin_binding['members'] = wanted_members
    return storage.set_bucket_iam_policy(client, bucket_name, iam_policy)
  # Already in the desired state; skip the write.
  return iam_policy
def _add_users_to_bucket(info, client, bucket_name, iam_policy):
  """Add user account to bucket.

  Reconciles the bucket's objectViewer binding with the CC list: members that
  are no longer in the list are removed, and missing ones are added one at a
  time. Returns the (possibly rewritten) IAM policy.

  Args:
    info: Source of the user e-mails to grant access to (the exact field read
      is not visible in the copy under review; see the note below).
    client: Storage client handed through to the storage helpers.
    bucket_name: Name of the bucket whose IAM policy is being edited.
    iam_policy: The bucket's current IAM policy; mutated in place and also
      replaced by the value returned from the storage helpers after each write.

  Returns:
    The final IAM policy for the bucket.
  """
  # NOTE(review): the statement below is partially masked ('******') in the
  # copy under review. It presumably builds the sorted 'user:<email>' member
  # list from `info` and then fetches the objectViewer binding into `binding`,
  # since `binding` is read immediately afterwards without another assignment
  # in view — confirm against the upstream source before relying on this.
  ccs = sorted([
      'user:'******'members'] = sorted(list(set(binding['members'])))
  if binding['members'] == ccs:
    # Binding already matches the CC list exactly; nothing to write.
    return iam_policy
  # Keep only members that are still in the CC list; everyone else is revoked.
  filtered_members = [
      member for member in binding['members'] if member in ccs
  ]
  if len(filtered_members) != len(binding['members']):
    # Remove old members.
    binding['members'] = filtered_members
    iam_policy = storage.set_bucket_iam_policy(client, bucket_name, iam_policy)
  # We might have no binding either from start or after filtering members above.
  # Create a new one in those cases.
  binding = storage.get_or_create_bucket_iam_binding(iam_policy, OBJECT_VIEWER_IAM_ROLE)
  for cc in ccs:
    if cc in binding['members']:
      continue
    logs.log('Adding %s to bucket IAM for %s' % (cc, bucket_name))
    # Add CCs one at a time since the API does not work with invalid or
    # non-Google emails.
    modified_iam_policy = storage.add_single_bucket_iam(
        client, iam_policy, OBJECT_VIEWER_IAM_ROLE, bucket_name, cc)
    # A falsy result means this single grant did not go through; the policy
    # from the last successful write is kept and the loop moves on.
    if modified_iam_policy:
      iam_policy = modified_iam_policy
  binding = storage.get_bucket_iam_binding(iam_policy, OBJECT_VIEWER_IAM_ROLE)
  if not binding['members']:
    # Check that the final binding has members. Empty bindings are not valid.
    storage.remove_bucket_iam_binding(iam_policy, OBJECT_VIEWER_IAM_ROLE)
  return iam_policy
def add_service_account_to_bucket(client, bucket_name, service_account, role):
  """Grant a service account the given role on a bucket (e.g. the gcr.io images bucket).

  Args:
    client: Storage client handed through to the storage helpers.
    bucket_name: Name of the bucket whose IAM policy is being edited.
    service_account: Mapping with an 'email' key naming the service account.
    role: IAM role whose binding the service account is added to.

  Returns:
    None. Returns early without writing when the bucket's policy could not be
    fetched or when the member is already present in the binding.
  """
  policy = storage.get_bucket_iam_policy(client, bucket_name)
  if not policy:
    # storage.get_bucket_iam_policy returned nothing usable; there is no
    # policy to edit, so leave the bucket untouched.
    return
  role_binding = storage.get_or_create_bucket_iam_binding(policy, role)
  member = 'serviceAccount:' + service_account['email']
  if member in role_binding['members']:
    # Already granted; skip the write.
    return
  # Existing members of the binding are kept; only the new member is appended.
  role_binding['members'].append(member)
  storage.set_bucket_iam_policy(client, bucket_name, policy)