Example #1
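  def SetIamPolicy(self, organization_id, policy_file):
    """Sets the IAM policy for an organization.

    The update mask sent with the request always names 'bindings' and 'etag',
    so both are overwritten from the policy file on every call.

    Args:
      organization_id: organization id.
      policy_file: A JSON or YAML file containing the IAM policy.

    Returns:
      The output from the SetIamPolicy API call.
    """
    policy = iam_util.ParsePolicyFile(policy_file, self.messages.Policy)
    policy.version = iam_util.MAX_LIBRARY_IAM_SUPPORTED_VERSION

    update_mask = iam_util.ConstructUpdateMaskFromPolicy(policy_file)

    # To preserve the existing set-iam-policy behavior of always overwriting
    # bindings and etag, add bindings and etag to update_mask.
    # Membership is tested per field rather than by substring: a longer field
    # name that merely contains 'etag' or 'bindings' must not suppress the
    # real field, and an empty mask must not gain a leading comma.
    mask_fields = [
        field.strip() for field in update_mask.split(',') if field.strip()]
    for required_field in ('bindings', 'etag'):
      if required_field not in mask_fields:
        mask_fields.append(required_field)
    update_mask = ','.join(mask_fields)

    set_iam_policy_request = self.messages.SetIamPolicyRequest(
        policy=policy,
        updateMask=update_mask)

    policy_request = (
        self.messages.CloudresourcemanagerOrganizationsSetIamPolicyRequest(
            organizationsId=organization_id,
            setIamPolicyRequest=set_iam_policy_request))
    result = self.client.organizations.SetIamPolicy(policy_request)
    # Logged only after the call returned, so the status line implies success.
    iam_util.LogSetIamPolicy(organization_id, 'organization')
    return result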
Example #2
    def Run(self, args):
        """Sets the IAM policy of the subnetwork named by args.

        Only the bindings and etag of the parsed policy file are forwarded,
        wrapped in a RegionSetPolicyRequest.
        """
        api_holder = base_classes.ComputeApiHolder(self.ReleaseTrack())
        compute_client = api_holder.client

        parsed_policy = iam_util.ParsePolicyFile(
            args.policy_file, compute_client.messages.Policy)

        target = SetIamPolicy.SUBNETWORK_ARG.ResolveAsResource(
            args,
            api_holder.resources,
            scope_lister=compute_flags.GetDefaultScopeLister(compute_client))

        # TODO(b/78371568): Construct the RegionSetPolicyRequest directly
        # out of the parsed policy instead of setting 'bindings' and 'etags'.
        # This form is kept so gcloud does not break while Compute rolls out
        # the breaking change to SetIamPolicy (b/75971480).
        service = compute_client.apitools_client.subnetworks
        # NOTE(review): any other top-level field of the policy file is not
        # forwarded by this request shape.
        region_policy = compute_client.messages.RegionSetPolicyRequest(
            bindings=parsed_policy.bindings, etag=parsed_policy.etag)
        request = compute_client.messages.ComputeSubnetworksSetIamPolicyRequest(
            regionSetPolicyRequest=region_policy,
            project=target.project,
            region=target.region,
            resource=target.subnetwork)

        # SetIamPolicy returns either an error or the newly set policy; an
        # empty policy comes back as a valid policy holding just an etag.
        # A resource has exactly one policy, hence the single response.
        responses = compute_client.MakeRequests(
            [(service, 'SetIamPolicy', request)])
        new_policy = responses[0]
        iam_util.LogSetIamPolicy(target.RelativeName(), 'subnetwork')
        return new_policy
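    def Run(self, args):
        """Sets the IAM policy of a namespace from the given policy file.

        Args:
          args: parsed command arguments; reads args.CONCEPTS.namespace and
            args.policy_file.

        Returns:
          Whatever the namespaces client's SetIamPolicy call returns.
        """
        client = namespaces.NamespacesClient()
        namespace_ref = args.CONCEPTS.namespace.Parse()
        policy = iam_util.ParsePolicyFile(args.policy_file, client.msgs.Policy)

        # Report the change only once the request has returned. Logging before
        # the call would print the status line even when the request fails,
        # leaving a misleading trail for anyone auditing the change.
        result = client.SetIamPolicy(namespace_ref, policy)
        iam_util.LogSetIamPolicy(namespace_ref.Name(), _RESOURCE_TYPE)
        return result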
Example #4
    def Run(self, args):
        """Sets the IAM policy on the resource referenced by args.

        Parses args.policy_file into a Policy message, attaches it to a request
        built for self.method on self.service, and sends that single request
        through request_helper.MakeRequests.

        Returns:
          The first element of the response list, i.e. the newly set policy.
        """
        policy = iam_util.ParsePolicyFile(args.policy_file,
                                          self.messages.Policy)

        ref = self.CreateReference(args)
        request_class = self.service.GetRequestType(self.method)
        request = request_class(project=self.project)
        self.ScopeRequest(ref, request)
        self.SetResourceName(ref, request)
        # The whole parsed policy is the payload; no update mask is set here.
        request.policy = policy

        set_policy_request = (self.service, self.method, request)
        errors = []
        objects = request_helper.MakeRequests(requests=[set_policy_request],
                                              http=self.http,
                                              batch_url=self.batch_url,
                                              errors=errors)

        # Converting the objects generator to a list triggers the
        # logic that actually populates the errors list.
        resources = list(objects)
        if errors:
            # NOTE(review): the message says "fetch" although this is a
            # set-policy call; confirm whether the wording is intended.
            utils.RaiseToolException(errors,
                                     error_message='Could not fetch resource:')

        # TODO(user): determine how this output should look when empty.

        # SetIamPolicy always returns either an error or the newly set policy.
        # If the policy was just set to the empty policy it returns a valid empty
        # policy (just an etag.)
        # It is not possible to have multiple policies for one resource.
        return resources[0]
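def SetIamPolicy(models_client, model, policy_file):
    """Sets the IAM policy of a model from a policy file.

    Args:
      models_client: client exposing messages.GoogleIamV1Policy and a
        SetIamPolicy(model_ref, policy, update_mask) method.
      model: model identifier, resolved with ParseModel.
      policy_file: path to the JSON or YAML policy file.

    Returns:
      Whatever models_client.SetIamPolicy returns.
    """
    model_ref = ParseModel(model)
    policy = iam_util.ParsePolicyFile(policy_file,
                                      models_client.messages.GoogleIamV1Policy)
    # The mask is derived from the same file as the policy.
    update_mask = iam_util.ConstructUpdateMaskFromPolicy(policy_file)
    # Log after the request has returned: emitting the status line first would
    # report an update even when the call raises.
    result = models_client.SetIamPolicy(model_ref, policy, update_mask)
    iam_util.LogSetIamPolicy(model_ref.Name(), 'model')
    return result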
Example #6
  def Run(self, args):
    """Sets a subnetwork's IAM policy, sending the parsed policy as a whole."""
    api_holder = base_classes.ComputeApiHolder(self.ReleaseTrack())
    compute_client = api_holder.client

    parsed_policy = iam_util.ParsePolicyFile(
        args.policy_file, compute_client.messages.Policy)

    target = SetIamPolicy.SUBNETWORK_ARG.ResolveAsResource(
        args,
        api_holder.resources,
        scope_lister=compute_flags.GetDefaultScopeLister(compute_client))

    service = compute_client.apitools_client.subnetworks
    region_policy = compute_client.messages.RegionSetPolicyRequest(
        policy=parsed_policy)
    request = compute_client.messages.ComputeSubnetworksSetIamPolicyRequest(
        regionSetPolicyRequest=region_policy,
        project=target.project,
        region=target.region,
        resource=target.subnetwork)

    # SetIamPolicy returns either an error or the newly set policy; setting
    # the empty policy yields a valid empty policy (just an etag).
    # A resource cannot have several policies, so one response is expected.
    responses = compute_client.MakeRequests(
        [(service, 'SetIamPolicy', request)])
    new_policy = responses[0]
    iam_util.LogSetIamPolicy(target.RelativeName(), 'subnetwork')
    return new_policy
Example #7
    def Run(self, args):
        """Sets an instance's IAM policy from args.policy_file."""
        api_holder = base_classes.ComputeApiHolder(self.ReleaseTrack())
        compute_client = api_holder.client

        parsed_policy = iam_util.ParsePolicyFile(
            args.policy_file, compute_client.messages.Policy)

        target = flags.INSTANCE_ARG.ResolveAsResource(
            args,
            api_holder.resources,
            scope_lister=compute_flags.GetDefaultScopeLister(compute_client))

        # TODO(b/36053578): determine how this output should look when empty.

        service = compute_client.apitools_client.instances
        request = compute_client.messages.ComputeInstancesSetIamPolicyRequest(
            policy=parsed_policy,
            project=target.project,
            resource=target.instance,
            zone=target.zone)

        # SetIamPolicy returns either an error or the newly set policy; an
        # empty policy comes back as a valid policy holding just an etag.
        # A resource has exactly one policy, hence the single response.
        # NOTE(review): no status line is printed on this path.
        responses = compute_client.MakeRequests(
            [(service, 'SetIamPolicy', request)])
        return responses[0]
    def Run(self, args):
        """Sets an instance's IAM policy, forwarding only bindings and etag."""
        api_holder = base_classes.ComputeApiHolder(self.ReleaseTrack())
        compute_client = api_holder.client

        parsed_policy = iam_util.ParsePolicyFile(
            args.policy_file, compute_client.messages.Policy)

        target = flags.INSTANCE_ARG.ResolveAsResource(
            args,
            api_holder.resources,
            scope_lister=compute_flags.GetDefaultScopeLister(compute_client))

        # TODO(b/78371568): Construct the ZoneSetPolicyRequest directly
        # out of the parsed policy instead of setting 'bindings' and 'etags'.
        # This form is kept so gcloud does not break while Compute rolls out
        # the breaking change to SetIamPolicy (b/75971480).

        # TODO(b/36053578): determine how this output should look when empty.

        service = compute_client.apitools_client.instances
        # NOTE(review): any other top-level field of the policy file is not
        # forwarded by this request shape.
        zone_policy = compute_client.messages.ZoneSetPolicyRequest(
            bindings=parsed_policy.bindings, etag=parsed_policy.etag)
        request = compute_client.messages.ComputeInstancesSetIamPolicyRequest(
            zoneSetPolicyRequest=zone_policy,
            project=target.project,
            resource=target.instance,
            zone=target.zone)

        # SetIamPolicy returns either an error or the newly set policy; an
        # empty policy comes back as a valid policy holding just an etag.
        # A resource has exactly one policy, hence the single response.
        responses = compute_client.MakeRequests(
            [(service, 'SetIamPolicy', request)])
        return responses[0]
Example #9
    def testParseIamPolicyMissingEtag(self):
        # Fixture names come from the test class; the file is expected to parse
        # into the policy returned by _GetTestIAMPolicy.
        path_to_policy = self._CreateIAMPolicyFile()
        wanted = self._GetTestIAMPolicy()

        # Queue a 'Y' answer on stdin before parsing.
        # NOTE(review): presumably this answers a confirmation prompt raised
        # for a policy file without an etag -- confirm against ParsePolicyFile.
        self.WriteInput('Y\n')
        parsed = iam_util.ParsePolicyFile(path_to_policy, self.messages.Policy)

        self.assertEqual(parsed, wanted)
Example #10
def SetIamPolicyFromFile(project_ref, policy_file):
    """Parse a project IAM policy file and apply it with SetIamPolicy.

    HttpError raised by the call is re-raised after conversion through
    projects_util.ConvertHttpError. No update mask is passed on this path.
    """
    policy_message_type = projects_util.GetMessages().Policy
    parsed_policy = iam_util.ParsePolicyFile(policy_file, policy_message_type)
    try:
        outcome = SetIamPolicy(project_ref, parsed_policy)
    except exceptions.HttpError as http_error:
        raise projects_util.ConvertHttpError(http_error)
    return outcome
 def Run(self, args):
   """Sets a disk's IAM policy from args.policy_file."""
   api_holder = base_classes.ComputeApiHolder(self.ReleaseTrack())
   compute_client = api_holder.client
   target = SetIamPolicy.disk_arg.ResolveAsResource(
       args, api_holder.resources)
   parsed_policy = iam_util.ParsePolicyFile(
       args.policy_file, compute_client.messages.Policy)
   # The parsed policy is sent as the whole payload.
   # NOTE(review): no status line is printed on this path.
   set_policy = compute_client.messages.ComputeDisksSetIamPolicyRequest(
       policy=parsed_policy,
       resource=target.disk,
       zone=target.zone,
       project=target.project)
   disks_service = compute_client.apitools_client.disks
   return disks_service.SetIamPolicy(set_policy)
Example #12
    def Run(self, args):
        """Sets the IAM policy of the service account named by args.name."""
        parsed_policy = iam_util.ParsePolicyFile(args.policy_file,
                                                 self.messages.Policy)

        # This policy governs who may act on the service account itself, so
        # the file deserves the same review as any credential grant.
        account_resource = iam_util.EmailToAccountResourceName(args.name)
        inner_request = self.messages.SetIamPolicyRequest(policy=parsed_policy)
        outer_request = (
            self.messages.IamProjectsServiceAccountsSetIamPolicyRequest(
                resource=account_resource,
                setIamPolicyRequest=inner_request))
        return self.iam_client.projects_serviceAccounts.SetIamPolicy(
            outer_request)
    def Run(self, args):
        """Sets the IAM policy of a service and logs the update afterwards."""
        services_client = services.ServicesClient()
        target = args.CONCEPTS.service.Parse()
        parsed_policy = iam_util.ParsePolicyFile(args.policy_file,
                                                 services_client.msgs.Policy)

        # The status line is emitted only after the call has returned.
        outcome = services_client.SetIamPolicy(target, parsed_policy)
        iam_util.LogSetIamPolicy(target.Name(), _RESOURCE_TYPE)
        return outcome
Example #14
 def Run(self_, args):
     """Parses args.policy_file and runs the set-IAM-policy request.

     NOTE(review): the first parameter is named self_ while the body reads
     `self`; presumably `self` is captured from an enclosing scope (e.g. a
     builder that generates this command class) -- confirm, since as a
     free-standing method this would raise NameError.
     """
     policy_type = self.method.GetMessageByName('Policy')
     policy = iam_util.ParsePolicyFile(args.policy_file,
                                       policy_type)
     # Inject the parsed policy as a static request field before the request
     # is built by _CommonRun.
     self.spec.request.static_fields[
         'setIamPolicyRequest.policy'] = policy
     ref, response = self._CommonRun(args)
     # Logged after _CommonRun has returned.
     iam_util.LogSetIamPolicy(ref.Name(), self.resource_type)
     return self._HandleResponse(response)
Example #15
 def Run(self, args):
     """Sets the IAM policy of the organization identified by args.id."""
     org_messages = self.OrganizationsMessages()
     parsed_policy = iam_util.ParsePolicyFile(args.policy_file,
                                              org_messages.Policy)
     # No updateMask is set on this request, unlike variants that add
     # 'bindings' and 'etag' explicitly.
     # NOTE(review): no status line is printed on this path.
     inner_request = org_messages.SetIamPolicyRequest(policy=parsed_policy)
     outer_request = (
         org_messages.CloudresourcemanagerOrganizationsSetIamPolicyRequest(
             organizationsId=args.id,
             setIamPolicyRequest=inner_request))
     return self.OrganizationsClient().SetIamPolicy(outer_request)
 def Run(self, args):
   """Sets the IAM policy of a queue and prints a status line afterwards."""
   client = queues.Queues()
   msgs = client.api.messages
   target = parsers.ParseQueue(args.queue)
   # Stored in the command context under 'iam-messages' before parsing.
   self.context['iam-messages'] = msgs
   parsed_policy = iam_util.ParsePolicyFile(args.policy_file, msgs.Policy)
   outcome = client.SetIamPolicy(target, parsed_policy)
   # Printed only once the call has returned.
   status_line = 'Set IAM policy for queue [{}].'.format(target.Name())
   log.status.Print(status_line)
   return outcome
Example #17
 def testParseIamPolicyInvalidYaml(self):
     # A file whose contents are not a policy document must be rejected with
     # BadFileException rather than being turned into a policy message.
     malformed_path = self.Touch(self.dir.path,
                                 name='bad_yaml.json',
                                 contents='NOT YAML OR JSON')
     expected_error = (r'Policy file \[.*\] is not a '
                       'properly formatted YAML or JSON '
                       'policy file.')
     with self.assertRaisesRegex(gcloud_exceptions.BadFileException,
                                 expected_error):
         iam_util.ParsePolicyFile(malformed_path, self.messages.Policy)
  def Run(self, args):
    """Sets the IAM policy of a registry using the cloudiot v1beta1 messages."""
    registries_client = registries.RegistriesClient()
    iot_messages = apis.GetMessagesModule('cloudiot', 'v1beta1')

    parsed_policy = iam_util.ParsePolicyFile(args.policy_file,
                                             iot_messages.Policy)
    target = util.ParseRegistry(args.id, region=args.region)

    # NOTE(review): no status line is printed on this path.
    inner_request = iot_messages.SetIamPolicyRequest(policy=parsed_policy)
    return registries_client.SetIamPolicy(
        target, set_iam_policy_request=inner_request)
  def Run(self, args):
    """Sets a service account's IAM policy and logs the update afterwards."""
    iam_client, iam_messages = util.GetClientAndMessages()
    parsed_policy = iam_util.ParsePolicyFile(args.policy_file,
                                             iam_messages.Policy)

    # This policy governs who may act on the service account itself, so the
    # file deserves the same review as any credential grant.
    account_resource = iam_util.EmailToAccountResourceName(
        args.service_account)
    inner_request = iam_messages.SetIamPolicyRequest(policy=parsed_policy)
    outer_request = iam_messages.IamProjectsServiceAccountsSetIamPolicyRequest(
        resource=account_resource,
        setIamPolicyRequest=inner_request)
    outcome = iam_client.projects_serviceAccounts.SetIamPolicy(outer_request)
    iam_util.LogSetIamPolicy(args.service_account, 'service account')
    return outcome
    def Run(self, args):
        """Sets a subscription's IAM policy and prints a status line."""
        pubsub_client = subscriptions.SubscriptionsClient()
        policy_type = pubsub_client.messages.Policy

        target = args.CONCEPTS.subscription.Parse()
        parsed_policy = iam_util.ParsePolicyFile(args.policy_file, policy_type)

        outcome = pubsub_client.SetIamPolicy(target, policy=parsed_policy)
        # Printed only once the call has returned.
        status_line = 'Updated IAM policy for subscription [{}].'.format(
            target.Name())
        log.status.Print(status_line)
        return outcome
    def Run(self, args):
        """Sets a topic's IAM policy and prints a status line."""
        pubsub_client = topics.TopicsClient()
        policy_type = pubsub_client.messages.Policy

        target = args.CONCEPTS.topic.Parse()
        parsed_policy = iam_util.ParsePolicyFile(args.policy_file, policy_type)

        outcome = pubsub_client.SetIamPolicy(target, policy=parsed_policy)
        # Printed only once the call has returned.
        status_line = 'Updated IAM policy for topic [{}].'.format(
            target.Name())
        log.status.Print(status_line)
        return outcome
Example #22
 def Run(self, args):
     """Sets an image's IAM policy from args.policy_file."""
     api_holder = base_classes.ComputeApiHolder(self.ReleaseTrack())
     compute_client = api_holder.client
     target = SetIamPolicy.disk_image_arg.ResolveAsResource(
         args,
         api_holder.resources,
         scope_lister=compute_flags.GetDefaultScopeLister(compute_client))
     parsed_policy = iam_util.ParsePolicyFile(
         args.policy_file, compute_client.messages.Policy)
     # The parsed policy is sent as the whole payload.
     # NOTE(review): no status line is printed on this path.
     set_policy = compute_client.messages.ComputeImagesSetIamPolicyRequest(
         policy=parsed_policy,
         resource=target.image,
         project=target.project)
     images_service = compute_client.apitools_client.images
     return images_service.SetIamPolicy(set_policy)
  def Run(self, args):
    """Sets a registry's IAM policy and logs the update afterwards."""
    registries_client = registries.RegistriesClient()
    iot_messages = registries_client.messages

    parsed_policy = iam_util.ParsePolicyFile(args.policy_file,
                                             iot_messages.Policy)
    target = args.CONCEPTS.registry.Parse()

    inner_request = iot_messages.SetIamPolicyRequest(policy=parsed_policy)
    outcome = registries_client.SetIamPolicy(
        target, set_iam_policy_request=inner_request)
    # Logged only once the call has returned.
    iam_util.LogSetIamPolicy(target.Name(), 'registry')
    return outcome
Example #24
  def Run(self, args):
    """Sets a registry's IAM policy and prints a status line afterwards."""
    registries_client = registries.RegistriesClient()
    iot_messages = registries_client.messages

    parsed_policy = iam_util.ParsePolicyFile(args.policy_file,
                                             iot_messages.Policy)
    target = args.CONCEPTS.registry.Parse()

    inner_request = iot_messages.SetIamPolicyRequest(policy=parsed_policy)
    outcome = registries_client.SetIamPolicy(
        target, set_iam_policy_request=inner_request)
    # Printed only once the call has returned.
    status_line = 'Set IAM policy for registry [{}].'.format(target.Name())
    log.status.Print(status_line)
    return outcome
Example #25
    def Run(self, args):
        """Sets the IAM policy of the Dataproc cluster named by args.cluster."""
        dataproc_api = dp.Dataproc(self.ReleaseTrack())
        msgs = dataproc_api.messages

        parsed_policy = iam_util.ParsePolicyFile(args.policy_file, msgs.Policy)
        inner_request = msgs.SetIamPolicyRequest(policy=parsed_policy)

        target = util.ParseCluster(args.cluster, dataproc_api)
        # NOTE(review): no status line is printed on this path.
        outer_request = msgs.DataprocProjectsRegionsClustersSetIamPolicyRequest(
            resource=target.RelativeName(),
            setIamPolicyRequest=inner_request)

        clusters_service = dataproc_api.client.projects_regions_clusters
        return clusters_service.SetIamPolicy(outer_request)
    def Run(self, args):
        """Sets the IAM policy of the Dataproc job named by args.job."""
        dataproc_api = dp.Dataproc(self.ReleaseTrack())
        dataproc_messages = dataproc_api.messages

        parsed_policy = iam_util.ParsePolicyFile(args.policy_file,
                                                 dataproc_messages.Policy)
        inner_request = dataproc_messages.SetIamPolicyRequest(
            policy=parsed_policy)

        target = util.ParseJob(args.job, dataproc_api)
        # NOTE(review): no status line is printed on this path.
        outer_request = (
            dataproc_messages.DataprocProjectsRegionsJobsSetIamPolicyRequest(
                resource=target.RelativeName(),
                setIamPolicyRequest=inner_request))

        jobs_service = dataproc_api.client.projects_regions_jobs
        return jobs_service.SetIamPolicy(outer_request)
Example #27
    def Run(self, args):
        """Sets the IAM policy of the workflow template in args.template."""
        dataproc_api = dp.Dataproc(self.ReleaseTrack())
        dataproc_messages = dataproc_api.messages

        parsed_policy = iam_util.ParsePolicyFile(args.policy_file,
                                                 dataproc_messages.Policy)
        inner_request = dataproc_messages.SetIamPolicyRequest(
            policy=parsed_policy)

        target = util.ParseWorkflowTemplates(args.template, dataproc_api)
        request_type = (
            dataproc_messages
            .DataprocProjectsRegionsWorkflowTemplatesSetIamPolicyRequest)
        # NOTE(review): no status line is printed on this path.
        outer_request = request_type(
            resource=target.RelativeName(),
            setIamPolicyRequest=inner_request)

        templates_service = (
            dataproc_api.client.projects_regions_workflowTemplates)
        return templates_service.SetIamPolicy(outer_request)
Example #28
  def Run(self, args):
    """Sets the IAM policy of the genomics dataset identified by args.id."""
    genomics_client = genomics_util.GetGenomicsClient()
    genomics_messages = genomics_util.GetGenomicsMessages()

    dataset_ref = resources.REGISTRY.Parse(
        args.id, collection='genomics.datasets')

    parsed_policy = iam_util.ParsePolicyFile(args.policy_file,
                                             genomics_messages.Policy)

    # The resource path is rebuilt from the parsed reference's name rather
    # than from the raw args.id string.
    dataset_path = 'datasets/{0}'.format(dataset_ref.Name())
    inner_request = genomics_messages.SetIamPolicyRequest(policy=parsed_policy)
    outer_request = genomics_messages.GenomicsDatasetsSetIamPolicyRequest(
        resource=dataset_path,
        setIamPolicyRequest=inner_request,
    )
    # NOTE(review): no status line is printed on this path.
    return genomics_client.datasets.SetIamPolicy(outer_request)
Example #29
    def Run(self, args):
        """Sets the IAM policy of the Dataproc operation parsed from args."""
        dataproc_api = dp.Dataproc(self.ReleaseTrack())
        dataproc_messages = dataproc_api.messages

        parsed_policy = iam_util.ParsePolicyFile(args.policy_file,
                                                 dataproc_messages.Policy)
        inner_request = dataproc_messages.SetIamPolicyRequest(
            policy=parsed_policy)

        target = args.CONCEPTS.operation.Parse()
        request_type = (
            dataproc_messages
            .DataprocProjectsRegionsOperationsSetIamPolicyRequest)
        # NOTE(review): no status line is printed on this path.
        outer_request = request_type(
            resource=target.RelativeName(),
            setIamPolicyRequest=inner_request)

        operations_service = dataproc_api.client.projects_regions_operations
        return operations_service.SetIamPolicy(outer_request)
Example #30
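def SetIamPolicyFromFile(project_ref, policy_file):
    """Read projects IAM policy from a file, and set it.

    The update mask passed on always names 'bindings' and 'etag', so both are
    overwritten from the policy file on every call.

    Args:
      project_ref: reference to the project whose policy is set.
      policy_file: path to the JSON or YAML policy file.

    Returns:
      Whatever SetIamPolicy returns for the parsed policy and mask.
    """
    messages = projects_util.GetMessages()
    policy = iam_util.ParsePolicyFile(policy_file, messages.Policy)
    update_mask = iam_util.ConstructUpdateMaskFromPolicy(policy_file)

    # To preserve the existing set-iam-policy behavior of always overwriting
    # bindings and etag, add bindings and etag to update_mask.
    # Membership is tested per field rather than by substring: a longer field
    # name that merely contains 'etag' or 'bindings' must not suppress the
    # real field, and an empty mask must not gain a leading comma.
    mask_fields = [
        field.strip() for field in update_mask.split(',') if field.strip()]
    for required_field in ('bindings', 'etag'):
        if required_field not in mask_fields:
            mask_fields.append(required_field)
    update_mask = ','.join(mask_fields)

    return SetIamPolicy(project_ref, policy, update_mask)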