def add_service_account_to_bucket(client, bucket_name, service_account, role): """Add service account to the gcr.io images bucket.""" iam_policy = storage.get_bucket_iam_policy(client, bucket_name) if not iam_policy: return binding = storage.get_or_create_bucket_iam_binding(iam_policy, role) member = 'serviceAccount:' + service_account['email'] if member in binding['members']: # No changes required. return binding['members'].append(member) storage.set_bucket_iam_policy(client, bucket_name, iam_policy)
def _set_bucket_service_account(service_account, client, bucket_name, iam_policy): """Set service account for a bucket.""" # Add service account as objectAdmin. binding = storage.get_or_create_bucket_iam_binding(iam_policy, OBJECT_ADMIN_IAM_ROLE) members = ['serviceAccount:' + service_account['email']] if members == binding['members']: # No changes required. return iam_policy binding['members'] = members return storage.set_bucket_iam_policy(client, bucket_name, iam_policy)
def _add_users_to_bucket(info, client, bucket_name, iam_policy): """Add user account to bucket.""" ccs = sorted([ 'user:'******'members'] = sorted(list(set(binding['members']))) if binding['members'] == ccs: return iam_policy filtered_members = [ member for member in binding['members'] if member in ccs ] if len(filtered_members) != len(binding['members']): # Remove old members. binding['members'] = filtered_members iam_policy = storage.set_bucket_iam_policy(client, bucket_name, iam_policy) # We might have no binding either from start or after filtering members above. # Create a new one in those cases. binding = storage.get_or_create_bucket_iam_binding(iam_policy, OBJECT_VIEWER_IAM_ROLE) for cc in ccs: if cc in binding['members']: continue logs.log('Adding %s to bucket IAM for %s' % (cc, bucket_name)) # Add CCs one at a time since the API does not work with invalid or # non-Google emails. modified_iam_policy = storage.add_single_bucket_iam( client, iam_policy, OBJECT_VIEWER_IAM_ROLE, bucket_name, cc) if modified_iam_policy: iam_policy = modified_iam_policy binding = storage.get_bucket_iam_binding(iam_policy, OBJECT_VIEWER_IAM_ROLE) if not binding['members']: # Check that the final binding has members. Empty bindings are not valid. storage.remove_bucket_iam_binding(iam_policy, OBJECT_VIEWER_IAM_ROLE) return iam_policy
def create_data_bundle_bucket_and_iams(data_bundle_name, emails): """Creates a data bundle bucket and adds iams for access.""" bucket_name = get_data_bundle_bucket_name(data_bundle_name) if not storage.create_bucket_if_needed(bucket_name): return False client = storage.create_discovery_storage_client() iam_policy = storage.get_bucket_iam_policy(client, bucket_name) if not iam_policy: return False members = [] # Add access for the domains allowed in project. domains = local_config.AuthConfig().get('whitelisted_domains', default=[]) for domain in domains: members.append('domain:%s' % domain) # Add access for the emails provided in function arguments. for email in emails: members.append('user:%s' % email) if not members: # No members to add, bail out. return True binding = storage.get_bucket_iam_binding(iam_policy, DATA_BUNDLE_DEFAULT_BUCKET_IAM_ROLE) if binding: binding['members'] = members else: binding = { 'role': DATA_BUNDLE_DEFAULT_BUCKET_IAM_ROLE, 'members': members, } iam_policy['bindings'].append(binding) return bool(storage.set_bucket_iam_policy(client, bucket_name, iam_policy))