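def Run(self, args):
        """Send the policy in ``args.policy_file`` as the namespace's IAM policy.

        The ``LogSetIamPolicy`` message is emitted only after ``SetIamPolicy``
        has returned, so a request that raises is not reported as an updated
        policy.

        Args:
          args: parsed command arguments; ``policy_file`` and the ``namespace``
            concept are read.

        Returns:
          Whatever ``client.SetIamPolicy`` returns.
        """
        client = namespaces.NamespacesClient()
        namespace_ref = args.CONCEPTS.namespace.Parse()
        # The parsed file is passed on as the complete policy; nothing here
        # merges it with the policy currently attached to the namespace.
        policy = iam_util.ParsePolicyFile(args.policy_file, client.msgs.Policy)

        result = client.SetIamPolicy(namespace_ref, policy)
        iam_util.LogSetIamPolicy(namespace_ref.Name(), _RESOURCE_TYPE)
        return result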
Ejemplo n.º 2
  def Run(self, args):
    """Send the policy in ``args.policy_file`` as a subnetwork's IAM policy.

    Args:
      args: parsed command arguments; ``policy_file`` and the subnetwork
        flags are read.

    Returns:
      The first element of the list returned by ``MakeRequests``.
    """
    api_holder = base_classes.ComputeApiHolder(self.ReleaseTrack())
    compute = api_holder.client

    parsed_policy = iam_util.ParsePolicyFile(
        args.policy_file, compute.messages.Policy)

    subnet = SetIamPolicy.SUBNETWORK_ARG.ResolveAsResource(
        args,
        api_holder.resources,
        scope_lister=compute_flags.GetDefaultScopeLister(compute))

    # SetIamPolicy always returns either an error or the newly set policy.
    # Setting the empty policy yields a valid empty policy (just an etag).
    # A resource cannot carry more than one policy, hence the single request
    # and the single response taken below.
    subnetworks_service = compute.apitools_client.subnetworks
    region_request = compute.messages.RegionSetPolicyRequest(
        policy=parsed_policy)
    set_policy_request = compute.messages.ComputeSubnetworksSetIamPolicyRequest(
        regionSetPolicyRequest=region_request,
        project=subnet.project,
        region=subnet.region,
        resource=subnet.subnetwork)
    responses = compute.MakeRequests(
        [(subnetworks_service, 'SetIamPolicy', set_policy_request)])
    response = responses[0]
    iam_util.LogSetIamPolicy(subnet.RelativeName(), 'subnetwork')
    return response
Ejemplo n.º 3
    def Run(self, args):
        """Add one member/role binding to a TagValue's IAM policy.

        The current policy is fetched, the binding is added to it in memory,
        and the whole policy object is written back with ``SetIamPolicy``.

        Args:
          args: parsed command arguments; ``RESOURCE_NAME``, ``member`` and
            ``role`` are read, plus whatever
            ``ValidateAndExtractConditionMutexRole`` inspects.

        Returns:
          The result of ``service.SetIamPolicy``.
        """
        service = tags.TagValuesService()
        messages = tags.TagMessages()

        resource_name = args.RESOURCE_NAME
        if resource_name.startswith('tagValues/'):
            # Already a 'tagValues/...' resource name; use it unchanged.
            tag_value = resource_name
        else:
            tag_value = tag_utils.GetTagValueFromNamespacedName(
                resource_name).name

        read_request = messages.CloudresourcemanagerTagValuesGetIamPolicyRequest(
            resource=tag_value)
        current_policy = service.GetIamPolicy(read_request)
        # NOTE(review): the condition arguments are validated only after the
        # GetIamPolicy call above has already been made.
        condition = iam_util.ValidateAndExtractConditionMutexRole(args)
        iam_util.AddBindingToIamPolicyWithCondition(
            messages.Binding, messages.Expr, current_policy,
            args.member, args.role, condition)

        write_request = messages.CloudresourcemanagerTagValuesSetIamPolicyRequest(
            resource=tag_value,
            setIamPolicyRequest=messages.SetIamPolicyRequest(
                policy=current_policy))
        result = service.SetIamPolicy(write_request)
        iam_util.LogSetIamPolicy(tag_value, 'TagValue')
        return result
Ejemplo n.º 4
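  def SetIamPolicy(self, organization_id, policy_file):
    """Sets the IAM policy for an organization.

    The policy version is forced to
    ``iam_util.MAX_LIBRARY_IAM_SUPPORTED_VERSION`` and the update mask always
    names ``bindings`` and ``etag`` in addition to the fields
    ``ConstructUpdateMaskFromPolicy`` derived from the file.

    Args:
      organization_id: organization id.
      policy_file: A JSON or YAML file containing the IAM policy.

    Returns:
      The output from the SetIamPolicy API call.
    """
    policy = iam_util.ParsePolicyFile(policy_file, self.messages.Policy)
    policy.version = iam_util.MAX_LIBRARY_IAM_SUPPORTED_VERSION

    update_mask = iam_util.ConstructUpdateMaskFromPolicy(policy_file)

    # To preserve the existing set-iam-policy behavior of always overwriting
    # bindings and etag, add bindings and etag to update_mask.
    # The mask is a comma-separated field list, so membership is tested per
    # field name: a substring test would treat any field whose name merely
    # contains 'bindings' or 'etag' as a match and skip the addition, and
    # appending to an empty mask would leave a leading comma.
    mask_fields = [
        field.strip() for field in update_mask.split(',') if field.strip()
    ]
    for required_field in ('bindings', 'etag'):
      if required_field not in mask_fields:
        mask_fields.append(required_field)
    update_mask = ','.join(mask_fields)

    set_iam_policy_request = self.messages.SetIamPolicyRequest(
        policy=policy,
        updateMask=update_mask)

    policy_request = (
        self.messages.CloudresourcemanagerOrganizationsSetIamPolicyRequest(
            organizationsId=organization_id,
            setIamPolicyRequest=set_iam_policy_request))
    result = self.client.organizations.SetIamPolicy(policy_request)
    iam_util.LogSetIamPolicy(organization_id, 'organization')
    return result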
Ejemplo n.º 5
    def Run(self, args):
        """Send the bindings and etag from ``args.policy_file`` for an instance.

        Only ``policy.bindings`` and ``policy.etag`` are copied into the
        ``ZoneSetPolicyRequest``; no other field of the parsed policy is
        forwarded by this method.

        Args:
          args: parsed command arguments; ``policy_file`` and the instance
            flags are read.

        Returns:
          The first element of the list returned by ``MakeRequests``.
        """
        api_holder = base_classes.ComputeApiHolder(self.ReleaseTrack())
        compute = api_holder.client

        parsed_policy = iam_util.ParsePolicyFile(
            args.policy_file, compute.messages.Policy)

        instance = flags.INSTANCE_ARG.ResolveAsResource(
            args,
            api_holder.resources,
            scope_lister=compute_flags.GetDefaultScopeLister(compute))

        # TODO(b/78371568): Construct the ZoneSetPolicyRequest directly
        # out of the parsed policy instead of setting 'bindings' and 'etags'.
        # The current form is required so gcloud won't break while Compute
        # rolls out the breaking change to SetIamPolicy (b/75971480).

        # SetIamPolicy always returns either an error or the newly set policy.
        # Setting the empty policy yields a valid empty policy (just an etag).
        # A resource cannot carry more than one policy.
        instances_service = compute.apitools_client.instances
        zone_request = compute.messages.ZoneSetPolicyRequest(
            bindings=parsed_policy.bindings, etag=parsed_policy.etag)
        set_policy_request = compute.messages.ComputeInstancesSetIamPolicyRequest(
            zoneSetPolicyRequest=zone_request,
            project=instance.project,
            resource=instance.instance,
            zone=instance.zone)
        responses = compute.MakeRequests(
            [(instances_service, 'SetIamPolicy', set_policy_request)])
        response = responses[0]
        iam_util.LogSetIamPolicy(instance.RelativeName(), 'instance')
        return response
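    def Run(self, args):
        """Add a member/role binding to the namespace's IAM policy.

        The ``LogSetIamPolicy`` message is emitted only after
        ``AddIamPolicyBinding`` has returned, so a request that raises is not
        reported as an updated policy.

        Args:
          args: parsed command arguments; ``member``, ``role`` and the
            ``namespace`` concept are read.

        Returns:
          Whatever ``client.AddIamPolicyBinding`` returns.
        """
        client = namespaces.NamespacesClient()
        namespace_ref = args.CONCEPTS.namespace.Parse()

        result = client.AddIamPolicyBinding(namespace_ref, args.member,
                                            args.role)
        iam_util.LogSetIamPolicy(namespace_ref.Name(), _RESOURCE_TYPE)
        return result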
Ejemplo n.º 7
    def Run(self, args):
        """Send the policy in ``args.policy_file`` as an instance's IAM policy.

        Args:
          args: parsed command arguments; ``policy_file`` and the instance
            flags are read.

        Returns:
          The first element of the list returned by ``MakeRequests``.
        """
        api_holder = base_classes.ComputeApiHolder(self.ReleaseTrack())
        compute = api_holder.client

        parsed_policy = iam_util.ParsePolicyFile(
            args.policy_file, compute.messages.Policy)

        instance = flags.INSTANCE_ARG.ResolveAsResource(
            args,
            api_holder.resources,
            scope_lister=compute_flags.GetDefaultScopeLister(compute))

        # SetIamPolicy always returns either an error or the newly set policy.
        # Setting the empty policy yields a valid empty policy (just an etag).
        # A resource cannot carry more than one policy.
        instances_service = compute.apitools_client.instances
        zone_request = compute.messages.ZoneSetPolicyRequest(
            policy=parsed_policy)
        set_policy_request = compute.messages.ComputeInstancesSetIamPolicyRequest(
            zoneSetPolicyRequest=zone_request,
            project=instance.project,
            resource=instance.instance,
            zone=instance.zone)
        responses = compute.MakeRequests(
            [(instances_service, 'SetIamPolicy', set_policy_request)])
        response = responses[0]
        iam_util.LogSetIamPolicy(instance.RelativeName(), 'instance')
        return response
            def Run(self_, args):
                """Called when command is executed."""
                # Standard Policy message name and request field path, used
                # unless the API spec supplies an override.
                policy_type_name = 'Policy'
                policy_request_path = 'setIamPolicyRequest'

                # APIs with non-standard naming may override either value; an
                # empty override falls back to the standard name.
                iam_spec = self.spec.iam
                if iam_spec:
                    type_override = iam_spec.message_type_overrides['policy']
                    if type_override:
                        policy_type_name = type_override
                    path_override = iam_spec.set_iam_policy_request_path
                    if path_override:
                        policy_request_path = path_override

                policy_field_path = policy_request_path + '.policy'
                policy_type = self.method.GetMessageByName(policy_type_name)
                if not policy_type:
                    raise ValueError(
                        'Policy type [{}] not found.'.format(policy_type_name))
                parsed = iam_util.ParsePolicyFileWithUpdateMask(
                    args.policy_file, policy_type)
                policy, update_mask = parsed

                # The parsed policy is injected as a static request field
                # before the shared request path runs.
                self.spec.request.static_fields[policy_field_path] = policy
                self._SetPolicyUpdateMask(update_mask)
                ref, response = self._CommonRun(args)
                iam_util.LogSetIamPolicy(ref.Name(), self.resource_type)
                return self._HandleResponse(response, args)
Ejemplo n.º 9
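def SetIamPolicy(models_client, model, policy_file):
    """Send the policy in ``policy_file`` as the model's IAM policy.

    The ``LogSetIamPolicy`` message is emitted only after
    ``models_client.SetIamPolicy`` has returned, so a request that raises is
    not reported as an updated policy.

    Args:
      models_client: client exposing ``messages`` and ``SetIamPolicy``.
      model: model identifier, resolved with ``ParseModel``.
      policy_file: path of the policy file to parse.

    Returns:
      Whatever ``models_client.SetIamPolicy`` returns.
    """
    model_ref = ParseModel(model)
    policy = iam_util.ParsePolicyFile(policy_file,
                                      models_client.messages.GoogleIamV1Policy)
    update_mask = iam_util.ConstructUpdateMaskFromPolicy(policy_file)
    result = models_client.SetIamPolicy(model_ref, policy, update_mask)
    iam_util.LogSetIamPolicy(model_ref.Name(), 'model')
    return result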
Ejemplo n.º 10
    def Run(self, args):
        """Remove a member/role binding from a LabelKey's IAM policy.

        The current policy is fetched, the binding is removed from it in
        memory, and the whole policy object is written back.

        Args:
          args: parsed command arguments; ``LABEL_KEY_ID``, ``label_parent``,
            ``member``, ``role`` and ``all`` are read, plus whatever
            ``ValidateAndExtractConditionMutexRole`` inspects.

        Returns:
          The result of ``labelkeys_service.SetIamPolicy``.
        """
        labelkeys_service = labelmanager.LabelKeysService()
        messages = labelmanager.LabelManagerMessages()

        # With a parent given, LABEL_KEY_ID is resolved through
        # GetLabelKeyFromDisplayName; otherwise it is used as supplied.
        label_key = (
            utils.GetLabelKeyFromDisplayName(args.LABEL_KEY_ID,
                                             args.label_parent)
            if args.IsSpecified('label_parent') else args.LABEL_KEY_ID)

        read_request = messages.LabelmanagerLabelKeysGetIamPolicyRequest(
            resource=label_key)
        current_policy = labelkeys_service.GetIamPolicy(read_request)
        condition = iam_util.ValidateAndExtractConditionMutexRole(args)
        iam_util.RemoveBindingFromIamPolicyWithCondition(
            current_policy, args.member, args.role, condition, args.all)

        write_request = messages.LabelmanagerLabelKeysSetIamPolicyRequest(
            resource=label_key,
            setIamPolicyRequest=messages.SetIamPolicyRequest(
                policy=current_policy))
        result = labelkeys_service.SetIamPolicy(write_request)
        iam_util.LogSetIamPolicy(label_key, 'LabelKey')
        return result
Ejemplo n.º 11
def RemoveIamPolicyBinding(models_client, model, member, role):
    """Remove a member/role binding from a model's IAM policy.

    Args:
      models_client: client exposing ``GetIamPolicy`` and ``SetIamPolicy``.
      model: model identifier, resolved with ``ParseModel``.
      member: member whose binding is removed.
      role: role of the binding to remove.

    Returns:
      Whatever ``models_client.SetIamPolicy`` returns.
    """
    target = ParseModel(model)
    current_policy = models_client.GetIamPolicy(target)
    iam_util.RemoveBindingFromIamPolicy(current_policy, member, role)
    # The fetched policy object is written back with a fixed update mask.
    response = models_client.SetIamPolicy(
        target, current_policy, 'bindings,etag')
    iam_util.LogSetIamPolicy(target.Name(), 'model')
    return response
            def Run(self_, args):
                """Called when command is executed."""
                # The request field path defaults to the standard name and is
                # replaced only when the API spec supplies a non-empty override.
                default_request_path = 'setIamPolicyRequest'
                iam_spec = self.spec.iam
                if iam_spec:
                    policy_request_path = (
                        iam_spec.set_iam_policy_request_path
                        or default_request_path)
                else:
                    policy_request_path = default_request_path
                policy_field_path = policy_request_path + '.policy'

                modified_policy = self._GetModifiedIamPolicyAddIamBinding(
                    args, add_condition=self._add_condition)
                self.spec.request.static_fields[policy_field_path] = (
                    modified_policy)

                try:
                    ref, response = self._CommonRun(args)
                except HttpBadRequestError as ex:
                    # Print a hint about condition linting, then propagate the
                    # same exception to the caller.
                    log.err.Print(
                        'ERROR: Policy modification failed. For a binding with condition'
                        ', run "gcloud alpha iam policies lint-condition" to identify '
                        'issues in condition.')
                    raise ex

                iam_util.LogSetIamPolicy(ref.Name(),
                                         self.display_resource_type)
                return self._HandleResponse(response, args)
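  def Run(self, args):
    """Add a member/role binding, optionally conditional, to a service.

    The ``LogSetIamPolicy`` message is emitted only after
    ``AddIamPolicyBinding`` has returned, so a request that raises is not
    reported as an updated policy.

    Args:
      args: parsed command arguments; ``member``, ``role`` and the ``service``
        concept are read, plus whatever ``ValidateAndExtractCondition``
        inspects.

    Returns:
      Whatever ``client.AddIamPolicyBinding`` returns.
    """
    # Condition arguments are validated before any client is created.
    condition = iam_util.ValidateAndExtractCondition(args)
    client = services.ServicesClient()
    service_ref = args.CONCEPTS.service.Parse()

    result = client.AddIamPolicyBinding(service_ref, args.member, args.role,
                                        condition)
    iam_util.LogSetIamPolicy(service_ref.Name(), _RESOURCE_TYPE)
    return result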
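    def Run(self, args):
        """Remove a member/role binding, optionally conditional, from a namespace.

        The ``LogSetIamPolicy`` message is emitted only after
        ``RemoveIamPolicyBinding`` has returned, so a request that raises is
        not reported as an updated policy.

        Args:
          args: parsed command arguments; ``member``, ``role`` and the
            ``namespace`` concept are read, plus whatever
            ``ValidateAndExtractCondition`` inspects.

        Returns:
          Whatever ``client.RemoveIamPolicyBinding`` returns.
        """
        # Condition arguments are validated before any client is created.
        condition = iam_util.ValidateAndExtractCondition(args)
        client = namespaces.NamespacesClient()
        namespace_ref = args.CONCEPTS.namespace.Parse()

        result = client.RemoveIamPolicyBinding(namespace_ref, args.member,
                                               args.role, condition)
        iam_util.LogSetIamPolicy(namespace_ref.Name(), _RESOURCE_TYPE)
        return result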
Ejemplo n.º 15
 def _SetIamPolicy(self, resource_ref, policy):
     """Send ``policy`` for ``resource_ref`` via the IAP SetIamPolicy call.

     Args:
       resource_ref: resource reference; its ``RelativeName()`` is used as
         the request's ``resource``.
       policy: policy message placed in the ``SetIamPolicyRequest``.

     Returns:
       The response of ``self.service.SetIamPolicy``.
     """
     inner_request = self.messages.SetIamPolicyRequest(policy=policy)
     iap_request = self.messages.IapSetIamPolicyRequest(
         resource=resource_ref.RelativeName(),
         setIamPolicyRequest=inner_request)
     result = self.service.SetIamPolicy(iap_request)
     iam_util.LogSetIamPolicy(resource_ref.RelativeName(), self._Name())
     return result
Ejemplo n.º 16
 def Run(self_, args):
     """Parse ``args.policy_file`` and send it through the shared request path.

     The parsed policy is stored under the static request field
     ``setIamPolicyRequest.policy`` before ``_CommonRun`` is invoked.
     """
     policy_message = self.method.GetMessageByName('Policy')
     parsed_policy = iam_util.ParsePolicyFile(args.policy_file,
                                              policy_message)
     static_fields = self.spec.request.static_fields
     static_fields['setIamPolicyRequest.policy'] = parsed_policy
     resource, api_response = self._CommonRun(args)
     iam_util.LogSetIamPolicy(resource.Name(), self.resource_type)
     return self._HandleResponse(api_response)
Ejemplo n.º 17
    def Run(self, args):
        """Send the policy in ``args.policy_file`` as the service's IAM policy.

        Args:
          args: parsed command arguments; ``policy_file`` and the ``service``
            concept are read.

        Returns:
          Whatever ``client.SetIamPolicy`` returns.
        """
        api = services.ServicesClient()
        target = args.CONCEPTS.service.Parse()
        # The parsed file is passed on as the complete policy; nothing here
        # merges it with the policy currently attached to the service.
        parsed_policy = iam_util.ParsePolicyFile(
            args.policy_file, api.msgs.Policy)

        response = api.SetIamPolicy(target, parsed_policy)
        # Logged only once the call above has returned.
        iam_util.LogSetIamPolicy(target.Name(), _RESOURCE_TYPE)
        return response
Ejemplo n.º 18
    def Run(self, args):
        """Add a member/role binding to the service's IAM policy.

        Args:
          args: parsed command arguments; ``member``, ``role`` and the
            ``service`` concept are read.

        Returns:
          Whatever ``client.AddIamPolicyBinding`` returns.
        """
        api = services.ServicesClient(self.GetReleaseTrack())
        target = args.CONCEPTS.service.Parse()

        response = api.AddIamPolicyBinding(target, args.member, args.role)
        # Logged only once the call above has returned.
        iam_util.LogSetIamPolicy(target.Name(), _RESOURCE_TYPE)
        return response
    def Run(self, args):
        """Remove a member/role binding from the namespace's IAM policy.

        Args:
          args: parsed command arguments; ``member``, ``role`` and the
            ``namespace`` concept are read.

        Returns:
          Whatever ``client.RemoveIamPolicyBinding`` returns.
        """
        api = namespaces.NamespacesClient(self.GetReleaseTrack())
        target = args.CONCEPTS.namespace.Parse()

        response = api.RemoveIamPolicyBinding(target, args.member, args.role)
        # Logged only once the call above has returned.
        iam_util.LogSetIamPolicy(target.Name(), _RESOURCE_TYPE)
        return response
Ejemplo n.º 20
 def _SetIamPolicy(self, resource_ref, policy):
   """Send ``policy`` for ``resource_ref`` via the IAP SetIamPolicy call.

   ``policy.version`` is overwritten in place with
   ``iam_util.MAX_LIBRARY_IAM_SUPPORTED_VERSION`` before the request is built,
   so the caller's policy object is modified.

   Args:
     resource_ref: resource reference; its ``RelativeName()`` is used as the
       request's ``resource``.
     policy: policy message placed in the ``SetIamPolicyRequest``.

   Returns:
     The response of ``self.service.SetIamPolicy``.
   """
   policy.version = iam_util.MAX_LIBRARY_IAM_SUPPORTED_VERSION
   inner_request = self.messages.SetIamPolicyRequest(policy=policy)
   iap_request = self.messages.IapSetIamPolicyRequest(
       resource=resource_ref.RelativeName(),
       setIamPolicyRequest=inner_request)
   result = self.service.SetIamPolicy(iap_request)
   iam_util.LogSetIamPolicy(resource_ref.RelativeName(), self._Name())
   return result
Ejemplo n.º 21
    def Run(self, args):
        """Send the policy in ``args.policy_file`` as an authority's IAM policy.

        Args:
          args: parsed command arguments; ``authority_name`` and
            ``policy_file`` are read.

        Returns:
          Whatever ``client.Set`` returns.
        """
        iam_client = iam.Client()
        authority = util.GetAuthorityRef(args.authority_name)

        # The second element returned by the parser is not used here.
        parsed_policy, _unused = iam_util.ParseYamlOrJsonPolicyFile(
            args.policy_file, iam_client.messages.IamPolicy)

        response = iam_client.Set(authority, parsed_policy)
        iam_util.LogSetIamPolicy(authority.Name(), 'authority')
        return response
Ejemplo n.º 22
  def Run(self, args):
    """Send the policy in ``args.policy_file`` as a crypto key's IAM policy.

    Args:
      args: parsed command arguments; ``policy_file`` is read, plus whatever
        ``flags.ParseCryptoKeyName`` inspects.

    Returns:
      Whatever ``iam.SetCryptoKeyIamPolicy`` returns.
    """
    kms_messages = cloudkms_base.GetMessagesModule()

    # Both the policy and the update mask from the parser are forwarded.
    parsed = iam_util.ParseYamlOrJsonPolicyFile(args.policy_file,
                                                kms_messages.Policy)
    parsed_policy, mask = parsed

    key_ref = flags.ParseCryptoKeyName(args)
    response = iam.SetCryptoKeyIamPolicy(key_ref, parsed_policy, mask)
    iam_util.LogSetIamPolicy(key_ref.Name(), 'key')
    return response
Ejemplo n.º 23
    def Run(self, args):
        """Send the policy in ``args.policy_file`` as a key ring's IAM policy.

        Args:
          args: parsed command arguments; ``policy_file`` is read, plus
            whatever ``flags.ParseKeyRingName`` inspects.

        Returns:
          Whatever ``iam.SetKeyRingIamPolicy`` returns.
        """
        kms_messages = cloudkms_base.GetMessagesModule()

        # Both the policy and the update mask from the parser are forwarded.
        parsed = iam_util.ParseYamlOrJsonPolicyFile(
            args.policy_file, kms_messages.Policy)
        parsed_policy, mask = parsed

        ring_ref = flags.ParseKeyRingName(args)
        response = iam.SetKeyRingIamPolicy(ring_ref, parsed_policy, mask)
        iam_util.LogSetIamPolicy(ring_ref.Name(), 'keyring')
        return response
Ejemplo n.º 24
    def Run(self, args):
        """Send the policy in ``args.policy_file`` as an attestor's IAM policy.

        Args:
          args: parsed command arguments; ``attestor_name`` and
            ``policy_file`` are read.

        Returns:
          Whatever ``client.Set`` returns.
        """
        iam_client = iam.Client(apis.V1_BETA1)
        attestor = util.GetAttestorRef(args.attestor_name)

        # The second element returned by the parser is not used here.
        parsed_policy, _unused = iam_util.ParseYamlOrJsonPolicyFile(
            args.policy_file, iam_client.messages.IamPolicy)

        response = iam_client.Set(attestor, parsed_policy)
        iam_util.LogSetIamPolicy(attestor.Name(), 'attestor')
        return response
Ejemplo n.º 25
  def Run(self, args):
    """Send the policy in ``args.policy_file`` for the ``GetPolicyRef()`` resource.

    Args:
      args: parsed command arguments; ``policy_file`` is read.

    Returns:
      Whatever ``client.Set`` returns.
    """
    iam_client = iam.Client()
    target = util.GetPolicyRef()

    # The second element returned by the parser is not used here.
    parsed_policy, _unused = iam_util.ParseYamlOrJsonPolicyFile(
        args.policy_file, iam_client.messages.IamPolicy)

    response = iam_client.Set(target, parsed_policy)
    iam_util.LogSetIamPolicy(target.Name(), 'policy')
    return response
Ejemplo n.º 26
    def Run(self, args):
        """Send the policy in ``args.policy_file`` for the ``GetPolicyRef()`` resource.

        The API version is chosen from the command's release track.

        Args:
          args: parsed command arguments; ``policy_file`` is read.

        Returns:
          Whatever ``client.Set`` returns.
        """
        iam_client = iam.Client(apis.GetApiVersion(self.ReleaseTrack()))
        target = util.GetPolicyRef()

        # The second element returned by the parser is not used here.
        parsed_policy, _unused = iam_util.ParseYamlOrJsonPolicyFile(
            args.policy_file, iam_client.messages.IamPolicy)

        response = iam_client.Set(target, parsed_policy)
        iam_util.LogSetIamPolicy(target.Name(), 'policy')
        return response
Ejemplo n.º 27
  def Run(self, args):
    """Send the policy in ``args.policy_file`` as a service account's IAM policy.

    Args:
      args: parsed command arguments; ``policy_file`` and ``service_account``
        are read.

    Returns:
      The result of ``client.projects_serviceAccounts.SetIamPolicy``.
    """
    client, messages = util.GetClientAndMessages()
    parsed_policy = iam_util.ParsePolicyFile(args.policy_file, messages.Policy)

    # The account e-mail is converted to a resource name for the request;
    # the log line below uses the e-mail as given.
    account_resource = iam_util.EmailToAccountResourceName(
        args.service_account)
    request = messages.IamProjectsServiceAccountsSetIamPolicyRequest(
        resource=account_resource,
        setIamPolicyRequest=messages.SetIamPolicyRequest(
            policy=parsed_policy))
    response = client.projects_serviceAccounts.SetIamPolicy(request)
    iam_util.LogSetIamPolicy(args.service_account, 'service account')
    return response
Ejemplo n.º 28
    def Run(self, args):
        """Send the policy in ``args.policy_file`` as a service account's IAM policy.

        Args:
          args: parsed command arguments; ``policy_file`` and ``name`` are
            read.

        Returns:
          The result of ``self.iam_client.projects_serviceAccounts.SetIamPolicy``.
        """
        parsed_policy = iam_util.ParsePolicyFile(args.policy_file,
                                                 self.messages.Policy)

        # The account e-mail is converted to a resource name for the request;
        # the log line below uses the e-mail as given.
        account_resource = iam_util.EmailToAccountResourceName(args.name)
        request = self.messages.IamProjectsServiceAccountsSetIamPolicyRequest(
            resource=account_resource,
            setIamPolicyRequest=self.messages.SetIamPolicyRequest(
                policy=parsed_policy))
        response = self.iam_client.projects_serviceAccounts.SetIamPolicy(
            request)
        iam_util.LogSetIamPolicy(args.name, 'service account')
        return response
Ejemplo n.º 29
  def Run(self, args):
    """Send the policy in ``args.policy_file`` as a registry's IAM policy.

    Args:
      args: parsed command arguments; ``policy_file`` and the ``registry``
        concept are read.

    Returns:
      Whatever ``client.SetIamPolicy`` returns.
    """
    registries_client = registries.RegistriesClient()
    msgs = registries_client.messages

    parsed_policy = iam_util.ParsePolicyFile(args.policy_file, msgs.Policy)
    target = args.CONCEPTS.registry.Parse()

    wrapped_request = msgs.SetIamPolicyRequest(policy=parsed_policy)
    result = registries_client.SetIamPolicy(
        target, set_iam_policy_request=wrapped_request)
    iam_util.LogSetIamPolicy(target.Name(), 'registry')
    return result
Ejemplo n.º 30
    def Run(self, args):
        """Set a database's IAM policy from ``args.policy_file``.

        The policy file path is handed to ``iam.SetDatabaseIamPolicy``
        unparsed; this method does not read the file itself.

        Args:
          args: an argparse namespace holding all the arguments that were
            provided to this command invocation.

        Returns:
          The value returned by ``iam.SetDatabaseIamPolicy``.
        """
        target = args.CONCEPTS.database.Parse()
        response = iam.SetDatabaseIamPolicy(target, args.policy_file)
        # Logged only once the call above has returned.
        iam_util.LogSetIamPolicy(target.Name(), 'database')
        return response