def AddIamPolicyBindingServiceAccount(service_account_name, role, member):
    """Add an IAM policy binding to a service account.

    Read-modify-write against the live policy: fetch it, append the binding,
    and write the whole policy back. The object returned by GetIamPolicy is
    sent back as-is apart from the new binding, so any etag it carries is
    what guards the write against a concurrent change (presumably — confirm
    against the Policy message definition).

    Args:
      service_account_name: The google service account to add the iam policy
        binding to.
      role: The role the member is granted.
      member: The gsa/ksa allowed to act as the defined service account.

    Returns:
      Policy: The updated policy.
    """
    client, messages = iam_api_util.GetClientAndMessages()
    accounts = client.projects_serviceAccounts
    resource = iam_util.EmailToAccountResourceName(service_account_name)

    # NOTE(review): no options_requestedPolicyVersion is passed on this read;
    # verify the behaviour for policies that carry conditional bindings.
    get_request = messages.IamProjectsServiceAccountsGetIamPolicyRequest(
        resource=resource)
    policy = accounts.GetIamPolicy(get_request)

    iam_util.AddBindingToIamPolicy(messages.Binding, policy, member, role)

    set_request = messages.IamProjectsServiceAccountsSetIamPolicyRequest(
        resource=resource,
        setIamPolicyRequest=messages.SetIamPolicyRequest(policy=policy))
    return accounts.SetIamPolicy(set_request)
  def Run(self, args):
    """Remove a binding from the service account's IAM policy.

    Read-modify-write: the policy returned by GetIamPolicy is written back
    with the (member, role) binding removed.

    Returns:
      The policy returned by SetIamPolicy.
    """
    accounts = self.iam_client.projects_serviceAccounts
    resource = iam_util.EmailToAccountResourceName(args.service_account)

    policy = accounts.GetIamPolicy(
        self.messages.IamProjectsServiceAccountsGetIamPolicyRequest(
            resource=resource))
    iam_util.RemoveBindingFromIamPolicy(policy, args.member, args.role)

    set_request = self.messages.SetIamPolicyRequest(policy=policy)
    return accounts.SetIamPolicy(
        self.messages.IamProjectsServiceAccountsSetIamPolicyRequest(
            resource=resource, setIamPolicyRequest=set_request))
  def Run(self, args):
    """Remove a binding from the account's IAM policy; return the new policy.

    Read-modify-write against the live policy. Any exceptions.HttpError
    raised by the API calls is re-raised through
    iam_util.ConvertToServiceAccountException with the account name.
    """
    accounts = self.iam_client.projects_serviceAccounts
    try:
      resource = iam_util.EmailToAccountResourceName(args.name)
      get_request = self.messages.IamProjectsServiceAccountsGetIamPolicyRequest(
          resource=resource)
      policy = accounts.GetIamPolicy(get_request)

      iam_util.RemoveBindingFromIamPolicy(policy, args.member, args.role)

      set_request = self.messages.IamProjectsServiceAccountsSetIamPolicyRequest(
          resource=resource,
          setIamPolicyRequest=self.messages.SetIamPolicyRequest(policy=policy))
      return accounts.SetIamPolicy(set_request)
    except exceptions.HttpError as error:
      raise iam_util.ConvertToServiceAccountException(error, args.name)
    def Run(self, args):
        """Add a binding to the service account's IAM policy.

        Read-modify-write: fetch the live policy, append the (member, role)
        binding, write the whole policy back.

        Returns:
          The policy returned by SetIamPolicy.
        """
        client, messages = util.GetClientAndMessages()
        resource = iam_util.EmailToAccountResourceName(args.service_account)
        accounts = client.projects_serviceAccounts

        policy = accounts.GetIamPolicy(
            messages.IamProjectsServiceAccountsGetIamPolicyRequest(
                resource=resource))
        iam_util.AddBindingToIamPolicy(
            messages.Binding, policy, args.member, args.role)

        return accounts.SetIamPolicy(
            messages.IamProjectsServiceAccountsSetIamPolicyRequest(
                resource=resource,
                setIamPolicyRequest=messages.SetIamPolicyRequest(
                    policy=policy)))
 def Run(self, args):
   """Return the IAM policy of the service account named by args.name.

   An exceptions.HttpError from the API is re-raised through
   iam_util.ConvertToServiceAccountException.
   """
   try:
     request = self.messages.IamProjectsServiceAccountsGetIamPolicyRequest(
         resource=iam_util.EmailToAccountResourceName(args.name))
     return self.iam_client.projects_serviceAccounts.GetIamPolicy(request)
   except exceptions.HttpError as error:
     raise iam_util.ConvertToServiceAccountException(error, args.name)
 def Run(self, args):
     """Fetch and return the service account named by args.service_account."""
     # TODO(b/25212870): use resource parsing.
     client, messages = util.GetClientAndMessages()
     resource_name = iam_util.EmailToAccountResourceName(args.service_account)
     request = messages.IamProjectsServiceAccountsGetRequest(name=resource_name)
     return client.projects_serviceAccounts.Get(request)
 def Run(self, args):
     """Return the service account's IAM policy.

     The read asks for the newest policy version this library supports
     (iam_util.MAX_LIBRARY_IAM_SUPPORTED_VERSION) — presumably so that
     conditional bindings, if any, are included in the response; confirm.
     """
     client, messages = util.GetClientAndMessages()
     request = messages.IamProjectsServiceAccountsGetIamPolicyRequest(
         resource=iam_util.EmailToAccountResourceName(args.service_account),
         options_requestedPolicyVersion=(
             iam_util.MAX_LIBRARY_IAM_SUPPORTED_VERSION))
     return client.projects_serviceAccounts.GetIamPolicy(request)
 def Run(self, args):
     """Fetch and return the service account named by args.name.

     An exceptions.HttpError from the API is converted with
     iam_util.ConvertToServiceAccountException before being raised.
     """
     try:
         # TODO(b/25212870): use resource parsing.
         request = self.messages.IamProjectsServiceAccountsGetRequest(
             name=iam_util.EmailToAccountResourceName(args.name))
         return self.iam_client.projects_serviceAccounts.Get(request)
     except exceptions.HttpError as error:
         raise iam_util.ConvertToServiceAccountException(error, args.name)
    def Run(self, args):
        """Replace the service account's IAM policy with the one in a file.

        The whole policy comes from args.policy_file and is written with
        SetIamPolicy; nothing is read first, so protection against
        overwriting a concurrent change depends on whatever etag the file
        carries (presumably — confirm with ParsePolicyFile).

        Returns:
          The policy returned by SetIamPolicy.
        """
        parsed = iam_util.ParsePolicyFile(args.policy_file, self.messages.Policy)
        resource = iam_util.EmailToAccountResourceName(args.name)
        request = self.messages.IamProjectsServiceAccountsSetIamPolicyRequest(
            resource=resource,
            setIamPolicyRequest=self.messages.SetIamPolicyRequest(policy=parsed))
        return self.iam_client.projects_serviceAccounts.SetIamPolicy(request)
    def Run(self, args):
        """Delete the service account named by args.name after confirmation.

        cancel_on_no=True: declining the prompt cancels the command before
        the Delete call is issued. A status line is printed afterwards.
        """
        prompt = 'You are about to delete service account [{0}].'.format(
            args.name)
        console_io.PromptContinue(message=prompt, cancel_on_no=True)

        resource_name = iam_util.EmailToAccountResourceName(args.name)
        self.iam_client.projects_serviceAccounts.Delete(
            self.messages.IamProjectsServiceAccountsDeleteRequest(
                name=resource_name))

        log.status.Print('deleted service account [{0}]'.format(args.name))
    def Run(self, args):
        """Update the service account's display name and return the result.

        NOTE(review): the ServiceAccount passed to Update carries no etag,
        so this write is not tied to a previously read version of the
        account; other Update callers in this corpus fetch the account and
        pass current.etag. Confirm whether the API requires one here.
        """
        resource_name = iam_util.EmailToAccountResourceName(
            args.service_account)
        client, messages = util.GetClientAndMessages()

        updated = messages.ServiceAccount(
            name=resource_name, displayName=args.display_name)
        result = client.projects_serviceAccounts.Update(updated)
        log.UpdatedResource(args.service_account, kind='serviceAccount')
        return result
  def Run(self, args):
    """Sign the JWT payload in args.input with the service account's key.

    The payload is read with self.ReadFile, sent to SignJwt, and the signed
    JWT is written to args.output with self.WriteFile. NOTE(review): this
    WriteFile call passes no privacy flag, unlike the SignJwt variant that
    writes via log.WriteToFileOrStdout(..., private=True); confirm what
    permissions the output file ends up with.
    """
    accounts = self.iam_client.projects_serviceAccounts
    resource_name = iam_util.EmailToAccountResourceName(args.iam_account)
    payload = self.ReadFile(args.input)
    response = accounts.SignJwt(
        self.messages.IamProjectsServiceAccountsSignJwtRequest(
            name=resource_name,
            signJwtRequest=self.messages.SignJwtRequest(payload=payload)))

    self.WriteFile(args.output, response.signedJwt)
    log.status.Print(
        'signed jwt [{0}] as [{1}] for [{2}] using key [{3}]'.format(
            args.input, args.output, args.iam_account, response.keyId))
  def Run(self, args):
    """Set the service account's IAM policy from args.policy_file.

    The parsed policy replaces the live one wholesale; LogSetIamPolicy
    reports the change once the API call has returned.

    Returns:
      The policy returned by SetIamPolicy.
    """
    client, messages = util.GetClientAndMessages()
    policy = iam_util.ParsePolicyFile(args.policy_file, messages.Policy)
    resource = iam_util.EmailToAccountResourceName(args.service_account)

    set_request = messages.IamProjectsServiceAccountsSetIamPolicyRequest(
        resource=resource,
        setIamPolicyRequest=messages.SetIamPolicyRequest(policy=policy))
    result = client.projects_serviceAccounts.SetIamPolicy(set_request)
    iam_util.LogSetIamPolicy(args.service_account, 'service account')
    return result
    def Run(self, args):
        """Update the display name of the service account named by args.name.

        The account is fetched first so the Update carries current.etag,
        tying the write to the version that was read (presumably an
        optimistic-concurrency check on the server side — confirm).

        Returns:
          The ServiceAccount returned by Update.
        """
        accounts = self.iam_client.projects_serviceAccounts
        resource_name = iam_util.EmailToAccountResourceName(args.name)
        current = accounts.Get(
            self.messages.IamProjectsServiceAccountsGetRequest(
                name=resource_name))

        updated = self.messages.ServiceAccount(
            name=resource_name,
            etag=current.etag,
            displayName=args.display_name)
        result = accounts.Update(updated)
        log.UpdatedResource(args.name, kind='service account')
        return result
  def Run(self, args):
    """Sign the bytes in args.input with the service account's key.

    The input is read as binary via files.ReadBinaryFileContents, the
    signature is written (binary=True) to args.output or stdout, then a
    status line naming the signing key id is printed.
    """
    client, messages = util.GetClientAndMessages()
    resource_name = iam_util.EmailToAccountResourceName(args.iam_account)
    blob = files.ReadBinaryFileContents(args.input)
    sign_request = messages.IamProjectsServiceAccountsSignBlobRequest(
        name=resource_name,
        signBlobRequest=messages.SignBlobRequest(bytesToSign=blob))
    response = client.projects_serviceAccounts.SignBlob(sign_request)

    log.WriteToFileOrStdout(
        args.output, content=response.signature, binary=True)
    log.status.Print(
        'signed blob [{0}] as [{1}] for [{2}] using key [{3}]'.format(
            args.input, args.output, args.iam_account, response.keyId))
    def Run(self, args):
        """Replace the account's IAM policy with the JSON policy in a file.

        An exceptions.HttpError from the API is re-raised through
        iam_util.ConvertToServiceAccountException with the account name.

        Returns:
          The policy returned by SetIamPolicy.
        """
        try:
            policy = iam_util.ParseJsonPolicyFile(
                args.policy_file, self.messages.Policy)
            resource = iam_util.EmailToAccountResourceName(args.account)
            request = self.messages.IamProjectsServiceAccountsSetIamPolicyRequest(
                resource=resource,
                setIamPolicyRequest=self.messages.SetIamPolicyRequest(
                    policy=policy))
            return self.iam_client.projects_serviceAccounts.SetIamPolicy(request)
        except exceptions.HttpError as error:
            raise iam_util.ConvertToServiceAccountException(
                error, args.account)
  def Run(self, args):
    """Sign the JWT payload read from args.input; emit the signed JWT.

    The signed token is written with private=True, i.e. it is treated as
    sensitive output; a status line naming the key id follows.
    """
    client, messages = util.GetClientAndMessages()
    resource_name = iam_util.EmailToAccountResourceName(args.iam_account)
    payload = files.ReadFileContents(args.input)
    sign_request = messages.IamProjectsServiceAccountsSignJwtRequest(
        name=resource_name,
        signJwtRequest=messages.SignJwtRequest(payload=payload))
    response = client.projects_serviceAccounts.SignJwt(sign_request)

    log.WriteToFileOrStdout(
        args.output, content=response.signedJwt, binary=False, private=True)
    log.status.Print(
        'signed jwt [{0}] as [{1}] for [{2}] using key [{3}]'.format(
            args.input, args.output, args.iam_account, response.keyId))
  def Run(self, args):
    """List the service account's keys, optionally filtered by creation time.

    keyTypes is derived from args.managed_by. When args.created_before is
    set, only keys whose validAfterTime parses to a datetime strictly before
    it are kept; the filtering happens client-side.

    Returns:
      The list of keys (the API's list unchanged when no filter applies).
    """
    request = self.messages.IamProjectsServiceAccountsKeysListRequest(
        name=iam_util.EmailToAccountResourceName(args.iam_account),
        keyTypes=iam_util.ManagedByFromString(args.managed_by))
    result = self.iam_client.projects_serviceAccounts_keys.List(request)

    keys = result.keys
    cutoff = args.created_before
    if not cutoff:
      return keys
    return [
        key for key in keys if times.ParseDateTime(key.validAfterTime) < cutoff
    ]
    def Run(self, args):
        """Update the display name of the service account named by args.name.

        The account is fetched first so the Update carries current.etag,
        tying the write to the version that was read. An exceptions.HttpError
        from either API call is converted to a service-account exception.

        Returns:
          The ServiceAccount returned by Update.
        """
        accounts = self.iam_client.projects_serviceAccounts
        try:
            resource_name = iam_util.EmailToAccountResourceName(args.name)
            current = accounts.Get(
                self.messages.IamProjectsServiceAccountsGetRequest(
                    name=resource_name))

            updated = self.messages.ServiceAccount(
                name=resource_name,
                etag=current.etag,
                displayName=args.display_name)
            result = accounts.Update(updated)
            log.UpdatedResource(args.name, kind='service account')
            return result
        except exceptions.HttpError as error:
            raise iam_util.ConvertToServiceAccountException(error, args.name)
    def Run(self, args):
        """Delete the service account named by args.account after confirmation.

        cancel_on_no=True: declining the prompt cancels the command before
        the Delete call is issued. An exceptions.HttpError is converted to a
        service-account exception.
        """
        try:
            prompt = 'You are about to delete service account [{0}].'.format(
                args.account)
            console_io.PromptContinue(message=prompt, cancel_on_no=True)

            resource_name = iam_util.EmailToAccountResourceName(args.account)
            self.iam_client.projects_serviceAccounts.Delete(
                self.messages.IamProjectsServiceAccountsDeleteRequest(
                    name=resource_name))

            log.status.Print('deleted service account [{0}]'.format(
                args.account))
        except exceptions.HttpError as error:
            raise iam_util.ConvertToServiceAccountException(
                error, args.account)
def _CreateRequest(args, messages):
    """Build the IdentityBindings.Create request from parsed args.

    Args:
      args: Parsed command-line args; reads acceptance_filter,
        attribute_translator_cel, oidc_audience, oidc_max_token_lifetime,
        oidc_issuer_url and service_account.
      messages: The IAM messages module.

    Returns:
      An IamProjectsServiceAccountsIdentityBindingsCreateRequest wrapping a
      CreateServiceAccountIdentityBindingRequest.
    """
    cel = _EncodeAttributeTranslatorCEL(args.attribute_translator_cel, messages)
    oidc = messages.IDPReferenceOIDC(
        audience=args.oidc_audience,
        maxTokenLifetimeSeconds=args.oidc_max_token_lifetime,
        url=args.oidc_issuer_url)
    binding_request = messages.CreateServiceAccountIdentityBindingRequest(
        acceptanceFilter=args.acceptance_filter, cel=cel, oidc=oidc)

    account_name = iam_util.EmailToAccountResourceName(args.service_account)
    return messages.IamProjectsServiceAccountsIdentityBindingsCreateRequest(
        createServiceAccountIdentityBindingRequest=binding_request,
        name=account_name)
  def Run(self, args):
    """Create a key for the service account and write it to args.output.

    The returned private key material (result.privateKeyData) is written
    with make_private=True so that only the creating user can read the
    file; a status line with the key id and type follows.
    """
    key_type = iam_util.KeyTypeToCreateKeyType(
        iam_util.KeyTypeFromString(args.key_file_type))
    create_request = self.messages.CreateServiceAccountKeyRequest(
        privateKeyType=key_type)
    result = self.iam_client.projects_serviceAccounts_keys.Create(
        self.messages.IamProjectsServiceAccountsKeysCreateRequest(
            name=iam_util.EmailToAccountResourceName(args.iam_account),
            createServiceAccountKeyRequest=create_request))

    # Only the creating user has access. Set file permission to "-rw-------".
    self.WriteFile(args.output, result.privateKeyData, make_private=True)
    log.status.Print(
        'created key [{0}] of type [{1}] as [{2}] for [{3}]'.format(
            iam_util.GetKeyIdFromResourceName(result.name),
            iam_util.KeyTypeToString(result.privateKeyType),
            args.output,
            args.iam_account))
    def SignBlob(self, service_account, bytes_to_sign):
        """Signs a string with the private key of the provided service account.

        Args:
          service_account: The string email of a service account that has
            permissions to sign a blob.
          bytes_to_sign: The byte-string to sign.

        Returns:
          A byte-string signature of the provided blob, signed by the provided
          service account.
        """
        client = self._iam_client
        messages = client.MESSAGES_MODULE
        sign_request = messages.IamProjectsServiceAccountsSignBlobRequest(
            name=iam_util.EmailToAccountResourceName(service_account),
            signBlobRequest=messages.SignBlobRequest(bytesToSign=bytes_to_sign))

        response = client.projects_serviceAccounts.SignBlob(sign_request)
        return response.signature
 def Run(self, args):
     """Replace the account's IAM policy with the JSON policy in a file.

     If the parsed policy has no etag the user is asked to confirm, because
     an etag-less write cannot detect a concurrent policy change; declining
     cancels the command. An exceptions.HttpError from the API is converted
     to a service-account exception.

     Returns:
       The policy returned by SetIamPolicy.
     """
     try:
         policy = iam_util.ParseJsonPolicyFile(
             args.policy_file, self.messages.Policy)
         if not policy.etag:
             console_io.PromptContinue(
                 message=(
                     'The specified policy does not contain an "etag" field '
                     'identifying a specific version to replace. Changing a '
                     'policy without an "etag" can overwrite concurrent policy '
                     'changes.'),
                 prompt_string='Replace existing policy',
                 cancel_on_no=True)
         request = self.messages.IamProjectsServiceAccountsSetIamPolicyRequest(
             resource=iam_util.EmailToAccountResourceName(args.account),
             setIamPolicyRequest=self.messages.SetIamPolicyRequest(
                 policy=policy))
         return self.iam_client.projects_serviceAccounts.SetIamPolicy(request)
     except exceptions.HttpError as error:
         raise iam_util.ConvertToServiceAccountException(
             error, args.account)
 def Run(self, args):
   """Fetch and return the service account named by args.name."""
   # TODO(b/25212870): use resource parsing.
   request = self.messages.IamProjectsServiceAccountsGetRequest(
       name=iam_util.EmailToAccountResourceName(args.name))
   return self.iam_client.projects_serviceAccounts.Get(request)
 def Run(self, args):
   """List the identity bindings of the account named by args.service_account."""
   client, messages = util.GetClientAndMessages()
   account_name = iam_util.EmailToAccountResourceName(args.service_account)
   return client.projects_serviceAccounts_identityBindings.List(
       messages.IamProjectsServiceAccountsIdentityBindingsListRequest(
           name=account_name))
 def Run(self, args):
     """Return the IAM policy of the account named by args.service_account.

     NOTE(review): no options_requestedPolicyVersion is requested here;
     verify the behaviour for policies that carry conditional bindings.
     """
     client, messages = util.GetClientAndMessages()
     resource = iam_util.EmailToAccountResourceName(args.service_account)
     request = messages.IamProjectsServiceAccountsGetIamPolicyRequest(
         resource=resource)
     return client.projects_serviceAccounts.GetIamPolicy(request)
def GetServiceAccount(service_account):
    """Gets the service account given its email.

    Args:
      service_account: Email of the service account to fetch.

    Returns:
      The ServiceAccount returned by the Get call.
    """
    client, messages = iam_api.GetClientAndMessages()
    resource_name = iam_util.EmailToAccountResourceName(service_account)
    request = messages.IamProjectsServiceAccountsGetRequest(name=resource_name)
    return client.projects_serviceAccounts.Get(request)
 def Run(self, args):
   """Return the IAM policy of the account named by args.service_account.

   NOTE(review): no options_requestedPolicyVersion is requested here;
   verify the behaviour for policies that carry conditional bindings.
   """
   resource = iam_util.EmailToAccountResourceName(args.service_account)
   request = self.messages.IamProjectsServiceAccountsGetIamPolicyRequest(
       resource=resource)
   return self.iam_client.projects_serviceAccounts.GetIamPolicy(request)