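class RemoveIamPolicyBinding(base.Command):
    """Remove IAM policy binding for a folder.

  Removes a policy binding to the IAM policy of a folder, given a folder ID
  and the binding.
  """

    # NOTE: the class docstring above is left verbatim; gcloud-style command
    # frameworks typically render it as user-facing help text (confirm).
    detailed_help = iam_util.GetDetailedHelpForRemoveIamPolicyBinding(
        'folder', '3589215982')

    @staticmethod
    def Args(parser):
        """Register the folder ID argument and the binding arguments.

        Args:
          parser: the argument parser this command's flags are added to.
        """
        # The description must talk about removal. This is an access-revocation
        # command, and help text that describes adding a binding invites
        # operator error.
        folder_arg = flags.FolderIdArg(
            'from which you want to remove a binding')
        folder_arg.AddToParser(parser)
        iam_util.AddArgsForRemoveIamPolicyBinding(
            parser, completer=completers.FoldersIamRolesCompleter)

    # Allow for retries due to ETag-based optimistic concurrency control
    @http_retry.RetryOnHttpStatus(six.moves.http_client.CONFLICT)
    def Run(self, args):
        """Fetch the folder's IAM policy, drop one binding, write it back.

        Args:
          args: parsed arguments; reads args.id, args.member and args.role.

        Returns:
          The result of folders.SetIamPolicy for the edited policy.
        """
        # Read-modify-write. The retry decorator wraps the whole method, so a
        # retry after an HTTP 409 starts again from a freshly fetched policy
        # instead of re-sending the stale one.
        policy = folders.GetIamPolicy(args.id)
        # The helper's return value is unused, so it appears to edit `policy`
        # in place.
        iam_util.RemoveBindingFromIamPolicy(policy, args.member, args.role)
        # Only the policy attached to this folder (args.id) is written; access
        # the member holds through other policies is not affected by this call.
        return folders.SetIamPolicy(args.id, policy)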
class RemoveIamPolicyBinding(base.Command):
    """Remove IAM policy binding for a dataset.

  This command removes a policy binding to the IAM policy of a dataset,
  given a dataset ID and the binding.
  """

    # NOTE: the class docstring above is left verbatim; gcloud-style command
    # frameworks typically render it as user-facing help text (confirm).
    detailed_help = iam_util.GetDetailedHelpForRemoveIamPolicyBinding(
        'dataset', '1000')

    @staticmethod
    def Args(parser):
        """Register the dataset ID positional and the binding arguments.

        Args:
          parser: the argument parser this command's flags are added to.
        """
        parser.add_argument('id', type=str, help='The ID of the dataset.')
        iam_util.AddArgsForRemoveIamPolicyBinding(
            parser, 'id', 'genomics.datasets')

    @genomics_util.ReraiseHttpException
    def Run(self, args):
        """Fetch the dataset's IAM policy, drop one binding, write it back.

        Args:
          args: parsed arguments; reads args.id, args.member and args.role.

        Returns:
          The result of the datasets SetIamPolicy call.
        """
        client = genomics_util.GetGenomicsClient()
        msgs = genomics_util.GetGenomicsMessages()

        # The user-supplied ID goes through the resource registry before it is
        # placed in the request path.
        dataset_ref = resources.REGISTRY.Parse(
            args.id, collection='genomics.datasets')

        get_request = msgs.GenomicsDatasetsGetIamPolicyRequest(
            resource='datasets/{0}'.format(dataset_ref.Name()),
            getIamPolicyRequest=msgs.GetIamPolicyRequest(),
        )
        policy = client.datasets.GetIamPolicy(get_request)

        # The helper's return value is unused, so it appears to edit `policy`
        # in place.
        iam_util.RemoveBindingFromIamPolicy(policy, args.member, args.role)

        # NOTE(review): this is a read-modify-write with no retry on HTTP 409
        # visible on this method. If the policy changes between the read and
        # the write, the set call presumably fails and the error is surfaced
        # through ReraiseHttpException. Confirm that is the intended behaviour.
        wrapped_policy = msgs.SetIamPolicyRequest(policy=policy)
        set_request = msgs.GenomicsDatasetsSetIamPolicyRequest(
            resource='datasets/{0}'.format(dataset_ref.Name()),
            setIamPolicyRequest=wrapped_policy,
        )
        return client.datasets.SetIamPolicy(set_request)
class RemoveIamPolicyBinding(base.Command):
    """Removes IAM policy binding from an AI Platform Model resource.

  Removes a policy binding from an AI Platform Model. One
  binding consists of a member, a role and an optional condition.
  See $ {parent_command} get-iam-policy for examples of how to
  specify a model resource.
  """

    # NOTE: the class docstring above is left verbatim; gcloud-style command
    # frameworks typically render it as user-facing help text (confirm).
    description = 'remove IAM policy binding from an AI Platform model'
    detailed_help = iam_util.GetDetailedHelpForRemoveIamPolicyBinding(
        'model', 'my_model', role='roles/ml.admin', condition=False)

    @staticmethod
    def Args(parser):
        """Register this command's arguments on the parser.

        Args:
          parser: An argparse.ArgumentParser-like object. It is mocked out in
            order to capture some information, but behaves like an
            ArgumentParser.
        """
        # add_condition=False: presumably no condition flag is registered,
        # even though the help text mentions an optional condition (confirm).
        _GetRemoveIamPolicyBindingArgs(parser, add_condition=False)

    def Run(self, args):
        """Remove the member/role binding from the model's IAM policy.

        Args:
          args: an argparse namespace; reads args.region, args.model,
            args.member and args.role.

        Returns:
          Whatever models_util.RemoveIamPolicyBinding returns.
        """
        # The client is created, and the call made, while the endpoint override
        # for args.region is active.
        with endpoint_util.MlEndpointOverrides(region=args.region):
            # NOTE(review): the policy read/modify/write and any conflict
            # handling live in models_util and are not visible here.
            return models_util.RemoveIamPolicyBinding(
                models.ModelsClient(), args.model, args.member, args.role)
class RemoveIamPolicyBindingAlpha(orgs_base.OrganizationCommand):
  """Remove IAM policy binding for an organization.

  Removes a policy binding to the IAM policy of an organization, given an
  organization ID and the binding. One binding consists of a member, a role, and
  an optional condition.
  """

  # NOTE: the class docstring above is left verbatim; gcloud-style command
  # frameworks typically render it as user-facing help text (confirm).
  detailed_help = iam_util.GetDetailedHelpForRemoveIamPolicyBinding(
      'organization', 'example-organization-id-1', use_an=True, condition=True)

  @staticmethod
  def Args(parser):
    """Register the organization ID and the binding/condition arguments.

    Args:
      parser: the argument parser this command's flags are added to.
    """
    org_id_arg = flags.IdArg('whose IAM binding you want to remove.')
    org_id_arg.AddToParser(parser)
    iam_util.AddArgsForRemoveIamPolicyBinding(parser, add_condition=True)

  @http_retry.RetryOnHttpStatus(six.moves.http_client.CONFLICT)
  def Run(self, args):
    """Fetch the organization policy, drop matching bindings, write it back.

    Args:
      args: parsed arguments; reads args.id, args.member, args.role and
        args.all, plus whatever ValidateAndExtractCondition reads.

    Returns:
      The result of the organizations SetIamPolicy call.
    """
    # The condition is validated before any API call is made.
    condition = iam_util.ValidateAndExtractCondition(args)
    msgs = self.OrganizationsMessages()

    # NOTE(review): GetIamPolicyRequest() is built with no options. Policies
    # carrying conditional bindings are normally read with an explicit
    # requested policy version (GetPolicyOptions.requestedPolicyVersion in the
    # Resource Manager API). Confirm conditions come back intact here, since
    # the edited policy is written back wholesale below.
    fetch_request = msgs.CloudresourcemanagerOrganizationsGetIamPolicyRequest(
        organizationsId=args.id,
        getIamPolicyRequest=msgs.GetIamPolicyRequest())
    policy = self.OrganizationsClient().GetIamPolicy(fetch_request)

    # args.all is forwarded to the helper, presumably to widen the removal to
    # every binding for the member/role regardless of condition (confirm).
    iam_util.RemoveBindingFromIamPolicyWithCondition(
        policy, args.member, args.role, condition, args.all)

    # Read-modify-write: the retry decorator wraps the whole method, so a
    # retry after HTTP 409 starts again from a freshly fetched policy.
    store_request = msgs.CloudresourcemanagerOrganizationsSetIamPolicyRequest(
        organizationsId=args.id,
        setIamPolicyRequest=msgs.SetIamPolicyRequest(policy=policy))
    return self.OrganizationsClient().SetIamPolicy(store_request)
class RemoveIamPolicyBinding(orgs_base.OrganizationCommand):
    """Remove IAM policy binding for an organization.

  Removes a policy binding to the IAM policy of an organization, given an
  organization ID
  and the binding.
  """

    # NOTE: the class docstring above is left verbatim; gcloud-style command
    # frameworks typically render it as user-facing help text (confirm).
    detailed_help = iam_util.GetDetailedHelpForRemoveIamPolicyBinding(
        'organization', 'example-organization-id-1')

    @staticmethod
    def Args(parser):
        """Register the organization ID and the binding arguments.

        Args:
          parser: the argument parser this command's flags are added to.
        """
        org_id_arg = flags.IdArg('whose IAM binding you want to remove.')
        org_id_arg.AddToParser(parser)
        iam_util.AddArgsForRemoveIamPolicyBinding(parser)

    @http_retry.RetryOnHttpStatus(httplib.CONFLICT)
    def Run(self, args):
        """Fetch the organization policy, drop one binding, write it back.

        Args:
          args: parsed arguments; reads args.id, args.member and args.role.

        Returns:
          The result of the organizations SetIamPolicy call.
        """
        msgs = self.OrganizationsMessages()

        fetch_request = (
            msgs.CloudresourcemanagerOrganizationsGetIamPolicyRequest(
                organizationsId=args.id,
                getIamPolicyRequest=msgs.GetIamPolicyRequest()))
        policy = self.OrganizationsClient().GetIamPolicy(fetch_request)

        # The helper's return value is unused, so it appears to edit `policy`
        # in place.
        iam_util.RemoveBindingFromIamPolicy(policy, args.member, args.role)

        # Read-modify-write: the retry decorator wraps the whole method, so a
        # retry after HTTP 409 starts again from a freshly fetched policy.
        wrapped_policy = msgs.SetIamPolicyRequest(policy=policy)
        store_request = (
            msgs.CloudresourcemanagerOrganizationsSetIamPolicyRequest(
                organizationsId=args.id,
                setIamPolicyRequest=wrapped_policy))

        return self.OrganizationsClient().SetIamPolicy(store_request)
class RemoveIamPolicyBinding(base.Command):
    """Remove an IAM policy binding from a Google Compute Engine disk.

  *{command}* removes an IAM policy binding from a Google Compute Engine
  disk's access policy.
  """
    # NOTE: the class docstring above is left verbatim; gcloud-style command
    # frameworks typically render it as user-facing help text (confirm).
    detailed_help = iam_util.GetDetailedHelpForRemoveIamPolicyBinding(
        'disk', 'my-disk', role='roles/compute.securityAdmin')

    @staticmethod
    def Args(parser):
        """Register the disk argument and the binding arguments.

        Args:
          parser: the argument parser this command's flags are added to.
        """
        # The disk argument is stored on the class so that Run can resolve it
        # later; it is shared class-level state, not per-instance.
        RemoveIamPolicyBinding.disk_arg = disks_flags.MakeDiskArg(plural=False)
        RemoveIamPolicyBinding.disk_arg.AddArgument(
            parser, operation_type='remove the IAM policy binding from')
        iam_util.AddArgsForRemoveIamPolicyBinding(parser)

    def Run(self, args):
        """Fetch the disk's IAM policy, drop one binding, write it back.

        Args:
          args: parsed arguments; reads args.member and args.role, and is
            passed to the disk argument for resource resolution.

        Returns:
          The result of the disks SetIamPolicy call.
        """
        holder = base_classes.ComputeApiHolder(self.ReleaseTrack())
        compute = holder.client
        target = RemoveIamPolicyBinding.disk_arg.ResolveAsResource(
            args, holder.resources)

        fetch_request = compute.messages.ComputeDisksGetIamPolicyRequest(
            resource=target.disk,
            zone=target.zone,
            project=target.project)
        policy = compute.apitools_client.disks.GetIamPolicy(fetch_request)

        # The helper's return value is unused, so it appears to edit `policy`
        # in place.
        iam_util.RemoveBindingFromIamPolicy(policy, args.member, args.role)

        # TODO(b/78371568): Construct the ZoneSetPolicyRequest directly
        # out of the parsed policy.
        # Only `bindings` and `etag` of the fetched policy are forwarded; any
        # other field on the policy object is not sent back. The etag comes
        # from the read above.
        # NOTE(review): no retry on HTTP 409 is visible on this method, so a
        # concurrent policy change presumably surfaces as an error. Confirm.
        zone_policy = compute.messages.ZoneSetPolicyRequest(
            bindings=policy.bindings, etag=policy.etag)
        store_request = compute.messages.ComputeDisksSetIamPolicyRequest(
            resource=target.disk,
            zone=target.zone,
            zoneSetPolicyRequest=zone_policy,
            project=target.project)
        return compute.apitools_client.disks.SetIamPolicy(store_request)
class RemoveIamPolicyBinding(base_classes.BaseIamCommand):
    """Remove an IAM policy binding from a service account.

  This command removes a policy binding to the IAM policy of a service account,
  given an IAM-ACCOUNT and the binding.
  """

    # NOTE: the class docstring above is left verbatim; gcloud-style command
    # frameworks typically render it as user-facing help text (confirm).
    detailed_help = iam_util.GetDetailedHelpForRemoveIamPolicyBinding(
        'service account', '*****@*****.**')

    @staticmethod
    def Args(parser):
        """Register the service account positional and the binding arguments.

        Args:
          parser: the argument parser this command's flags are added to.
        """
        parser.add_argument(
            'account',
            metavar='IAM-ACCOUNT',
            help='The service account whose policy to '
            'remove the binding from.')
        iam_util.AddArgsForRemoveIamPolicyBinding(parser)

    @http_retry.RetryOnHttpStatus(httplib.CONFLICT)
    def Run(self, args):
        """Fetch the service account's policy, drop one binding, write it back.

        Args:
          args: parsed arguments; reads args.account, args.member and
            args.role.

        Returns:
          The result of the service accounts SetIamPolicy call.

        Raises:
          Whatever iam_util.ConvertToServiceAccountException produces for an
          exceptions.HttpError raised by either API call.
        """
        accounts = self.iam_client.projects_serviceAccounts
        try:
            fetch_request = (
                self.messages.IamProjectsServiceAccountsGetIamPolicyRequest(
                    resource=iam_util.EmailToAccountResourceName(
                        args.account)))
            policy = accounts.GetIamPolicy(fetch_request)

            # The helper's return value is unused, so it appears to edit
            # `policy` in place.
            iam_util.RemoveBindingFromIamPolicy(policy, args.member, args.role)

            store_request = (
                self.messages.IamProjectsServiceAccountsSetIamPolicyRequest(
                    resource=iam_util.EmailToAccountResourceName(args.account),
                    setIamPolicyRequest=self.messages.SetIamPolicyRequest(
                        policy=policy)))
            return accounts.SetIamPolicy(store_request)
        except exceptions.HttpError as error:
            # NOTE(review): HttpError is converted inside the decorated body,
            # so whether the CONFLICT retry above still triggers depends on
            # what ConvertToServiceAccountException returns for a 409. Confirm
            # the conflict is still visible to the retry decorator.
            raise iam_util.ConvertToServiceAccountException(
                error, args.account)