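def Run(self, args):
  """Replace a namespace's IAM policy with the one in args.policy_file.

  Args:
    args: parsed command arguments; reads args.CONCEPTS.namespace and
      args.policy_file.

  Returns:
    The value returned by client.SetIamPolicy for the namespace.
  """
  client = namespaces.NamespacesClient()
  namespace_ref = args.CONCEPTS.namespace.Parse()
  policy = iam_util.ParsePolicyFile(args.policy_file, client.msgs.Policy)
  # Write first, log second: if SetIamPolicy raises, no policy was applied,
  # so the "policy set" log line must not have been emitted already.
  result = client.SetIamPolicy(namespace_ref, policy)
  iam_util.LogSetIamPolicy(namespace_ref.Name(), _RESOURCE_TYPE)
  return result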
def Run(self, args):
  """Set a subnetwork's IAM policy from args.policy_file.

  Args:
    args: parsed command arguments; args.policy_file names the policy file
      and the subnetwork is resolved through SetIamPolicy.SUBNETWORK_ARG.

  Returns:
    The first element of the list returned by client.MakeRequests.
  """
  api_holder = base_classes.ComputeApiHolder(self.ReleaseTrack())
  compute = api_holder.client
  new_policy = iam_util.ParsePolicyFile(
      args.policy_file, compute.messages.Policy)
  ref = SetIamPolicy.SUBNETWORK_ARG.ResolveAsResource(
      args,
      api_holder.resources,
      scope_lister=compute_flags.GetDefaultScopeLister(compute))

  # SetIamPolicy answers with an error or with the policy that is now set.
  # Setting the empty policy still yields a valid (etag-only) policy, and a
  # resource never has more than one policy, hence the single [0] below.
  responses = compute.MakeRequests([
      (compute.apitools_client.subnetworks,
       'SetIamPolicy',
       compute.messages.ComputeSubnetworksSetIamPolicyRequest(
           regionSetPolicyRequest=compute.messages.RegionSetPolicyRequest(
               policy=new_policy),
           project=ref.project,
           region=ref.region,
           resource=ref.subnetwork)),
  ])
  applied_policy = responses[0]
  iam_util.LogSetIamPolicy(ref.RelativeName(), 'subnetwork')
  return applied_policy
def Run(self, args):
  """Add one role binding to a TagValue's IAM policy.

  The current policy is fetched, the binding for args.member / args.role
  (with the condition extracted from args) is added to it, and the whole
  policy is written back.

  Args:
    args: parsed command arguments; reads RESOURCE_NAME, member and role.

  Returns:
    The value returned by service.SetIamPolicy.
  """
  service = tags.TagValuesService()
  messages = tags.TagMessages()

  # A name already in 'tagValues/...' form is used as is; anything else is
  # treated as a namespaced name and resolved to the TagValue's name.
  if args.RESOURCE_NAME.startswith('tagValues/'):
    tag_value = args.RESOURCE_NAME
  else:
    tag_value = tag_utils.GetTagValueFromNamespacedName(
        args.RESOURCE_NAME).name

  current_policy = service.GetIamPolicy(
      messages.CloudresourcemanagerTagValuesGetIamPolicyRequest(
          resource=tag_value))
  binding_condition = iam_util.ValidateAndExtractConditionMutexRole(args)
  # NOTE(review): this is a read-modify-write; presumably the etag carried on
  # the fetched policy protects against a concurrent change - confirm.
  iam_util.AddBindingToIamPolicyWithCondition(
      messages.Binding, messages.Expr, current_policy,
      args.member, args.role, binding_condition)

  write_request = messages.CloudresourcemanagerTagValuesSetIamPolicyRequest(
      resource=tag_value,
      setIamPolicyRequest=messages.SetIamPolicyRequest(
          policy=current_policy))
  response = service.SetIamPolicy(write_request)
  iam_util.LogSetIamPolicy(tag_value, 'TagValue')
  return response
def SetIamPolicy(self, organization_id, policy_file):
  """Overwrite an organization's IAM policy with the contents of a file.

  Args:
    organization_id: id of the organization whose policy is set.
    policy_file: a JSON or YAML file containing the IAM policy.

  Returns:
    The output of the organizations SetIamPolicy API call.
  """
  policy = iam_util.ParsePolicyFile(policy_file, self.messages.Policy)
  policy.version = iam_util.MAX_LIBRARY_IAM_SUPPORTED_VERSION

  update_mask = iam_util.ConstructUpdateMaskFromPolicy(policy_file)
  # set-iam-policy has always overwritten bindings and etag, so both are
  # forced into the mask even when the policy file does not mention them.
  # NOTE(review): these are substring tests on the mask string, not per-field
  # membership tests - confirm no mask field name can contain 'bindings' or
  # 'etag' as a substring.
  # NOTE(review): with etag always in the mask, a policy file that carries no
  # etag presumably makes this an unconditional overwrite - confirm.
  for forced_field in ('bindings', 'etag'):
    if forced_field not in update_mask:
      update_mask += ',' + forced_field

  inner_request = self.messages.SetIamPolicyRequest(
      policy=policy, updateMask=update_mask)
  outer_request = (
      self.messages.CloudresourcemanagerOrganizationsSetIamPolicyRequest(
          organizationsId=organization_id,
          setIamPolicyRequest=inner_request))
  response = self.client.organizations.SetIamPolicy(outer_request)
  iam_util.LogSetIamPolicy(organization_id, 'organization')
  return response
def Run(self, args):
  """Set an instance's IAM policy from args.policy_file.

  Only the parsed policy's bindings and etag are sent; see the TODO below.

  Args:
    args: parsed command arguments; args.policy_file names the policy file
      and the instance is resolved through flags.INSTANCE_ARG.

  Returns:
    The first element of the list returned by client.MakeRequests.
  """
  api_holder = base_classes.ComputeApiHolder(self.ReleaseTrack())
  compute = api_holder.client
  parsed_policy = iam_util.ParsePolicyFile(
      args.policy_file, compute.messages.Policy)
  ref = flags.INSTANCE_ARG.ResolveAsResource(
      args,
      api_holder.resources,
      scope_lister=compute_flags.GetDefaultScopeLister(compute))

  # TODO(b/78371568): Construct the ZoneSetPolicyRequest directly
  # out of the parsed policy instead of setting 'bindings' and 'etags'.
  # The current form keeps gcloud working while Compute rolls out the
  # breaking change to SetIamPolicy (b/75971480).

  # SetIamPolicy answers with an error or with the policy that is now set.
  # Setting the empty policy still yields a valid (etag-only) policy, and a
  # resource never has more than one policy, hence the single [0] below.
  responses = compute.MakeRequests([
      (compute.apitools_client.instances,
       'SetIamPolicy',
       compute.messages.ComputeInstancesSetIamPolicyRequest(
           zoneSetPolicyRequest=compute.messages.ZoneSetPolicyRequest(
               bindings=parsed_policy.bindings, etag=parsed_policy.etag),
           project=ref.project,
           resource=ref.instance,
           zone=ref.zone)),
  ])
  applied_policy = responses[0]
  iam_util.LogSetIamPolicy(ref.RelativeName(), 'instance')
  return applied_policy
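def Run(self, args):
  """Add an IAM policy binding (args.member, args.role) to a namespace.

  Args:
    args: parsed command arguments; reads args.CONCEPTS.namespace,
      args.member and args.role.

  Returns:
    The value returned by client.AddIamPolicyBinding.
  """
  client = namespaces.NamespacesClient()
  namespace_ref = args.CONCEPTS.namespace.Parse()
  # Write first, log second: if adding the binding raises, the policy was not
  # changed, so the "policy set" log line must not have been emitted already.
  result = client.AddIamPolicyBinding(namespace_ref, args.member, args.role)
  iam_util.LogSetIamPolicy(namespace_ref.Name(), _RESOURCE_TYPE)
  return result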
def Run(self, args):
  """Set an instance's IAM policy from args.policy_file.

  Args:
    args: parsed command arguments; args.policy_file names the policy file
      and the instance is resolved through flags.INSTANCE_ARG.

  Returns:
    The first element of the list returned by client.MakeRequests.
  """
  api_holder = base_classes.ComputeApiHolder(self.ReleaseTrack())
  compute = api_holder.client
  new_policy = iam_util.ParsePolicyFile(
      args.policy_file, compute.messages.Policy)
  ref = flags.INSTANCE_ARG.ResolveAsResource(
      args,
      api_holder.resources,
      scope_lister=compute_flags.GetDefaultScopeLister(compute))

  # SetIamPolicy answers with an error or with the policy that is now set.
  # Setting the empty policy still yields a valid (etag-only) policy, and a
  # resource never has more than one policy, hence the single [0] below.
  responses = compute.MakeRequests([
      (compute.apitools_client.instances,
       'SetIamPolicy',
       compute.messages.ComputeInstancesSetIamPolicyRequest(
           zoneSetPolicyRequest=compute.messages.ZoneSetPolicyRequest(
               policy=new_policy),
           project=ref.project,
           resource=ref.instance,
           zone=ref.zone)),
  ])
  applied_policy = responses[0]
  iam_util.LogSetIamPolicy(ref.RelativeName(), 'instance')
  return applied_policy
def Run(self_, args):
  """Set an IAM policy parsed from args.policy_file when the command runs.

  NOTE(review): the parameter is `self_`, while the body uses `self`; `self`
  is presumably bound in an enclosing scope that is not shown here - confirm.

  Args:
    args: parsed command arguments; reads args.policy_file.

  Returns:
    The value returned by self._HandleResponse(response, args).

  Raises:
    ValueError: if the policy message type cannot be found by name.
  """
  # Standard names for the Policy message and the set-IAM request field.
  type_name = 'Policy'
  request_path = 'setIamPolicyRequest'

  # APIs with non-standard naming may override either name in the spec; a
  # falsy override falls back to the standard name.
  if self.spec.iam:
    type_name = self.spec.iam.message_type_overrides['policy'] or type_name
    request_path = (
        self.spec.iam.set_iam_policy_request_path or request_path)

  policy_field_path = request_path + '.policy'

  policy_type = self.method.GetMessageByName(type_name)
  if not policy_type:
    raise ValueError('Policy type [{}] not found.'.format(type_name))

  parsed_policy, mask = iam_util.ParsePolicyFileWithUpdateMask(
      args.policy_file, policy_type)

  self.spec.request.static_fields[policy_field_path] = parsed_policy
  self._SetPolicyUpdateMask(mask)

  resource_ref, api_response = self._CommonRun(args)
  iam_util.LogSetIamPolicy(resource_ref.Name(), self.resource_type)
  return self._HandleResponse(api_response, args)
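def SetIamPolicy(models_client, model, policy_file):
  """Set a model's IAM policy from a policy file.

  Args:
    models_client: client object exposing messages and SetIamPolicy.
    model: model identifier, parsed with ParseModel.
    policy_file: path of the file holding the IAM policy.

  Returns:
    The value returned by models_client.SetIamPolicy.
  """
  model_ref = ParseModel(model)
  policy = iam_util.ParsePolicyFile(
      policy_file, models_client.messages.GoogleIamV1Policy)
  update_mask = iam_util.ConstructUpdateMaskFromPolicy(policy_file)
  # Write first, log second: if SetIamPolicy raises, no policy was applied,
  # so the "policy set" log line must not have been emitted already.
  result = models_client.SetIamPolicy(model_ref, policy, update_mask)
  iam_util.LogSetIamPolicy(model_ref.Name(), 'model')
  return result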
def Run(self, args):
  """Remove a role binding from a LabelKey's IAM policy.

  The current policy is fetched, the binding for args.member / args.role is
  removed from it (honouring the extracted condition and args.all), and the
  whole policy is written back.

  Args:
    args: parsed command arguments; reads LABEL_KEY_ID, label_parent, member,
      role and all.

  Returns:
    The value returned by labelkeys_service.SetIamPolicy.
  """
  keys_service = labelmanager.LabelKeysService()
  messages = labelmanager.LabelManagerMessages()

  # With --label_parent given, LABEL_KEY_ID is a display name to look up;
  # otherwise it is used directly as the resource.
  label_key = (
      utils.GetLabelKeyFromDisplayName(args.LABEL_KEY_ID, args.label_parent)
      if args.IsSpecified('label_parent')
      else args.LABEL_KEY_ID)

  current_policy = keys_service.GetIamPolicy(
      messages.LabelmanagerLabelKeysGetIamPolicyRequest(resource=label_key))
  binding_condition = iam_util.ValidateAndExtractConditionMutexRole(args)
  iam_util.RemoveBindingFromIamPolicyWithCondition(
      current_policy, args.member, args.role, binding_condition, args.all)

  write_request = messages.LabelmanagerLabelKeysSetIamPolicyRequest(
      resource=label_key,
      setIamPolicyRequest=messages.SetIamPolicyRequest(
          policy=current_policy))
  response = keys_service.SetIamPolicy(write_request)
  iam_util.LogSetIamPolicy(label_key, 'LabelKey')
  return response
def RemoveIamPolicyBinding(models_client, model, member, role):
  """Remove the (member, role) binding from a model's IAM policy.

  Args:
    models_client: client object exposing GetIamPolicy and SetIamPolicy.
    model: model identifier, parsed with ParseModel.
    member: member whose binding is removed.
    role: role the member is removed from.

  Returns:
    The value returned by models_client.SetIamPolicy.
  """
  ref = ParseModel(model)
  current_policy = models_client.GetIamPolicy(ref)
  iam_util.RemoveBindingFromIamPolicy(current_policy, member, role)
  # The policy is written back with an update mask of bindings and etag.
  response = models_client.SetIamPolicy(ref, current_policy, 'bindings,etag')
  iam_util.LogSetIamPolicy(ref.Name(), 'model')
  return response
def Run(self_, args):
  """Add an IAM binding to the resource's policy when the command runs.

  NOTE(review): the parameter is `self_`, while the body uses `self`; `self`
  is presumably bound in an enclosing scope that is not shown here - confirm.

  Args:
    args: parsed command arguments.

  Returns:
    The value returned by self._HandleResponse(response, args).

  Raises:
    HttpBadRequestError: re-raised after printing a hint about linting the
      binding's condition.
  """
  # APIs with non-standard naming may override the set-IAM request field
  # name in the spec; a falsy override keeps the standard name.
  request_path = 'setIamPolicyRequest'
  if self.spec.iam:
    request_path = (
        self.spec.iam.set_iam_policy_request_path or request_path)

  policy_field_path = request_path + '.policy'

  updated_policy = self._GetModifiedIamPolicyAddIamBinding(
      args, add_condition=self._add_condition)
  self.spec.request.static_fields[policy_field_path] = updated_policy

  try:
    resource_ref, api_response = self._CommonRun(args)
  except HttpBadRequestError as ex:
    # Point the user at the condition linter, then let the error propagate.
    log.err.Print(
        'ERROR: Policy modification failed. For a binding with condition'
        ', run "gcloud alpha iam policies lint-condition" to identify '
        'issues in condition.')
    raise ex

  iam_util.LogSetIamPolicy(resource_ref.Name(), self.display_resource_type)
  return self._HandleResponse(api_response, args)
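def Run(self, args):
  """Add a (possibly conditional) IAM policy binding to a service.

  Args:
    args: parsed command arguments; reads args.CONCEPTS.service, args.member,
      args.role and the condition extracted by iam_util.

  Returns:
    The value returned by client.AddIamPolicyBinding.
  """
  condition = iam_util.ValidateAndExtractCondition(args)
  client = services.ServicesClient()
  service_ref = args.CONCEPTS.service.Parse()
  # Write first, log second: if adding the binding raises, the policy was not
  # changed, so the "policy set" log line must not have been emitted already.
  result = client.AddIamPolicyBinding(
      service_ref, args.member, args.role, condition)
  iam_util.LogSetIamPolicy(service_ref.Name(), _RESOURCE_TYPE)
  return result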
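def Run(self, args):
  """Remove a (possibly conditional) IAM policy binding from a namespace.

  Args:
    args: parsed command arguments; reads args.CONCEPTS.namespace,
      args.member, args.role and the condition extracted by iam_util.

  Returns:
    The value returned by client.RemoveIamPolicyBinding.
  """
  condition = iam_util.ValidateAndExtractCondition(args)
  client = namespaces.NamespacesClient()
  namespace_ref = args.CONCEPTS.namespace.Parse()
  # Write first, log second: if removing the binding raises, the policy was
  # not changed, so the "policy set" log line must not have been emitted.
  result = client.RemoveIamPolicyBinding(
      namespace_ref, args.member, args.role, condition)
  iam_util.LogSetIamPolicy(namespace_ref.Name(), _RESOURCE_TYPE)
  return result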
def _SetIamPolicy(self, resource_ref, policy):
  """Send `policy` as the IAM policy of `resource_ref` and log the update.

  Args:
    resource_ref: resource reference; its RelativeName() is the target.
    policy: policy message placed in the SetIamPolicyRequest.

  Returns:
    The value returned by self.service.SetIamPolicy.
  """
  target = resource_ref.RelativeName()
  wrapped_policy = self.messages.SetIamPolicyRequest(policy=policy)
  api_response = self.service.SetIamPolicy(
      self.messages.IapSetIamPolicyRequest(
          resource=target, setIamPolicyRequest=wrapped_policy))
  iam_util.LogSetIamPolicy(resource_ref.RelativeName(), self._Name())
  return api_response
def Run(self_, args):
  """Set an IAM policy parsed from args.policy_file when the command runs.

  NOTE(review): the parameter is `self_`, while the body uses `self`; `self`
  is presumably bound in an enclosing scope that is not shown here - confirm.

  Args:
    args: parsed command arguments; reads args.policy_file.

  Returns:
    The value returned by self._HandleResponse(response).
  """
  message_type = self.method.GetMessageByName('Policy')
  parsed_policy = iam_util.ParsePolicyFile(args.policy_file, message_type)
  # The parsed policy is injected as a static request field.
  static_fields = self.spec.request.static_fields
  static_fields['setIamPolicyRequest.policy'] = parsed_policy

  resource_ref, api_response = self._CommonRun(args)
  iam_util.LogSetIamPolicy(resource_ref.Name(), self.resource_type)
  return self._HandleResponse(api_response)
def Run(self, args):
  """Replace a service's IAM policy with the one in args.policy_file.

  Args:
    args: parsed command arguments; reads args.CONCEPTS.service and
      args.policy_file.

  Returns:
    The value returned by client.SetIamPolicy.
  """
  services_client = services.ServicesClient()
  ref = args.CONCEPTS.service.Parse()
  new_policy = iam_util.ParsePolicyFile(
      args.policy_file, services_client.msgs.Policy)
  # The update is logged only after the API call has returned.
  response = services_client.SetIamPolicy(ref, new_policy)
  iam_util.LogSetIamPolicy(ref.Name(), _RESOURCE_TYPE)
  return response
def Run(self, args):
  """Add an IAM policy binding (args.member, args.role) to a service.

  Args:
    args: parsed command arguments; reads args.CONCEPTS.service, args.member
      and args.role.

  Returns:
    The value returned by client.AddIamPolicyBinding.
  """
  services_client = services.ServicesClient(self.GetReleaseTrack())
  ref = args.CONCEPTS.service.Parse()
  # The update is logged only after the API call has returned.
  response = services_client.AddIamPolicyBinding(
      ref, args.member, args.role)
  iam_util.LogSetIamPolicy(ref.Name(), _RESOURCE_TYPE)
  return response
def Run(self, args):
  """Remove an IAM policy binding (args.member, args.role) from a namespace.

  Args:
    args: parsed command arguments; reads args.CONCEPTS.namespace,
      args.member and args.role.

  Returns:
    The value returned by client.RemoveIamPolicyBinding.
  """
  namespaces_client = namespaces.NamespacesClient(self.GetReleaseTrack())
  ref = args.CONCEPTS.namespace.Parse()
  # The update is logged only after the API call has returned.
  response = namespaces_client.RemoveIamPolicyBinding(
      ref, args.member, args.role)
  iam_util.LogSetIamPolicy(ref.Name(), _RESOURCE_TYPE)
  return response
def _SetIamPolicy(self, resource_ref, policy):
  """Send `policy` as the IAM policy of `resource_ref` and log the update.

  The policy's version is overwritten with
  iam_util.MAX_LIBRARY_IAM_SUPPORTED_VERSION before it is sent, which
  mutates the caller's policy object.

  Args:
    resource_ref: resource reference; its RelativeName() is the target.
    policy: policy message placed in the SetIamPolicyRequest.

  Returns:
    The value returned by self.service.SetIamPolicy.
  """
  policy.version = iam_util.MAX_LIBRARY_IAM_SUPPORTED_VERSION
  target = resource_ref.RelativeName()
  wrapped_policy = self.messages.SetIamPolicyRequest(policy=policy)
  api_response = self.service.SetIamPolicy(
      self.messages.IapSetIamPolicyRequest(
          resource=target, setIamPolicyRequest=wrapped_policy))
  iam_util.LogSetIamPolicy(resource_ref.RelativeName(), self._Name())
  return api_response
def Run(self, args):
  """Set an authority's IAM policy from args.policy_file.

  Args:
    args: parsed command arguments; reads args.authority_name and
      args.policy_file.

  Returns:
    The value returned by client.Set.
  """
  iam_client = iam.Client()
  ref = util.GetAuthorityRef(args.authority_name)
  # Only the first element of the parse result is used; the second is
  # discarded.
  new_policy, _ = iam_util.ParseYamlOrJsonPolicyFile(
      args.policy_file, iam_client.messages.IamPolicy)
  response = iam_client.Set(ref, new_policy)
  iam_util.LogSetIamPolicy(ref.Name(), 'authority')
  return response
def Run(self, args):
  """Set a crypto key's IAM policy from args.policy_file.

  Args:
    args: parsed command arguments; reads args.policy_file and the crypto
      key name parsed by flags.ParseCryptoKeyName.

  Returns:
    The value returned by iam.SetCryptoKeyIamPolicy.
  """
  kms_messages = cloudkms_base.GetMessagesModule()
  new_policy, mask = iam_util.ParseYamlOrJsonPolicyFile(
      args.policy_file, kms_messages.Policy)
  key_ref = flags.ParseCryptoKeyName(args)
  # The update mask parsed alongside the policy is passed with the write.
  response = iam.SetCryptoKeyIamPolicy(key_ref, new_policy, mask)
  iam_util.LogSetIamPolicy(key_ref.Name(), 'key')
  return response
def Run(self, args):
  """Set a key ring's IAM policy from args.policy_file.

  Args:
    args: parsed command arguments; reads args.policy_file and the key ring
      name parsed by flags.ParseKeyRingName.

  Returns:
    The value returned by iam.SetKeyRingIamPolicy.
  """
  kms_messages = cloudkms_base.GetMessagesModule()
  new_policy, mask = iam_util.ParseYamlOrJsonPolicyFile(
      args.policy_file, kms_messages.Policy)
  ring_ref = flags.ParseKeyRingName(args)
  # The update mask parsed alongside the policy is passed with the write.
  response = iam.SetKeyRingIamPolicy(ring_ref, new_policy, mask)
  iam_util.LogSetIamPolicy(ring_ref.Name(), 'keyring')
  return response
def Run(self, args):
  """Set an attestor's IAM policy from args.policy_file.

  Args:
    args: parsed command arguments; reads args.attestor_name and
      args.policy_file.

  Returns:
    The value returned by client.Set.
  """
  iam_client = iam.Client(apis.V1_BETA1)
  ref = util.GetAttestorRef(args.attestor_name)
  # Only the first element of the parse result is used; the second is
  # discarded.
  new_policy, _ = iam_util.ParseYamlOrJsonPolicyFile(
      args.policy_file, iam_client.messages.IamPolicy)
  response = iam_client.Set(ref, new_policy)
  iam_util.LogSetIamPolicy(ref.Name(), 'attestor')
  return response
def Run(self, args):
  """Set the IAM policy of the policy resource from args.policy_file.

  Args:
    args: parsed command arguments; reads args.policy_file.

  Returns:
    The value returned by client.Set.
  """
  iam_client = iam.Client()
  ref = util.GetPolicyRef()
  # Only the first element of the parse result is used; the second is
  # discarded.
  new_policy, _ = iam_util.ParseYamlOrJsonPolicyFile(
      args.policy_file, iam_client.messages.IamPolicy)
  response = iam_client.Set(ref, new_policy)
  iam_util.LogSetIamPolicy(ref.Name(), 'policy')
  return response
def Run(self, args):
  """Set the IAM policy of the policy resource from args.policy_file.

  The API version is chosen from the command's release track.

  Args:
    args: parsed command arguments; reads args.policy_file.

  Returns:
    The value returned by client.Set.
  """
  iam_client = iam.Client(apis.GetApiVersion(self.ReleaseTrack()))
  ref = util.GetPolicyRef()
  # Only the first element of the parse result is used; the second is
  # discarded.
  new_policy, _ = iam_util.ParseYamlOrJsonPolicyFile(
      args.policy_file, iam_client.messages.IamPolicy)
  response = iam_client.Set(ref, new_policy)
  iam_util.LogSetIamPolicy(ref.Name(), 'policy')
  return response
def Run(self, args):
  """Set a service account's IAM policy from args.policy_file.

  Args:
    args: parsed command arguments; reads args.policy_file and
      args.service_account (an email, converted to a resource name).

  Returns:
    The value returned by projects_serviceAccounts.SetIamPolicy.
  """
  iam_client, iam_messages = util.GetClientAndMessages()
  new_policy = iam_util.ParsePolicyFile(
      args.policy_file, iam_messages.Policy)
  write_request = iam_messages.IamProjectsServiceAccountsSetIamPolicyRequest(
      resource=iam_util.EmailToAccountResourceName(args.service_account),
      setIamPolicyRequest=iam_messages.SetIamPolicyRequest(
          policy=new_policy))
  response = iam_client.projects_serviceAccounts.SetIamPolicy(write_request)
  iam_util.LogSetIamPolicy(args.service_account, 'service account')
  return response
def Run(self, args):
  """Set a service account's IAM policy from args.policy_file.

  Args:
    args: parsed command arguments; reads args.policy_file and args.name
      (an email, converted to a resource name).

  Returns:
    The value returned by projects_serviceAccounts.SetIamPolicy.
  """
  new_policy = iam_util.ParsePolicyFile(
      args.policy_file, self.messages.Policy)
  accounts_service = self.iam_client.projects_serviceAccounts
  response = accounts_service.SetIamPolicy(
      self.messages.IamProjectsServiceAccountsSetIamPolicyRequest(
          resource=iam_util.EmailToAccountResourceName(args.name),
          setIamPolicyRequest=self.messages.SetIamPolicyRequest(
              policy=new_policy)))
  iam_util.LogSetIamPolicy(args.name, 'service account')
  return response
def Run(self, args):
  """Set a registry's IAM policy from args.policy_file.

  Args:
    args: parsed command arguments; reads args.policy_file and
      args.CONCEPTS.registry.

  Returns:
    The value returned by client.SetIamPolicy.
  """
  registries_client = registries.RegistriesClient()
  msgs = registries_client.messages
  new_policy = iam_util.ParsePolicyFile(args.policy_file, msgs.Policy)
  ref = args.CONCEPTS.registry.Parse()
  wrapped_policy = msgs.SetIamPolicyRequest(policy=new_policy)
  api_response = registries_client.SetIamPolicy(
      ref, set_iam_policy_request=wrapped_policy)
  iam_util.LogSetIamPolicy(ref.Name(), 'registry')
  return api_response
def Run(self, args):
  """Set a database's IAM policy when the user runs this command.

  Args:
    args: an argparse namespace holding every argument given to this
      command invocation; reads args.CONCEPTS.database and args.policy_file.

  Returns:
    The value returned by iam.SetDatabaseIamPolicy, printed later.
  """
  ref = args.CONCEPTS.database.Parse()
  # The policy file path is handed over as is; parsing happens in the helper.
  response = iam.SetDatabaseIamPolicy(ref, args.policy_file)
  iam_util.LogSetIamPolicy(ref.Name(), 'database')
  return response