class GetIamPolicy(base_classes.BaseIamCommand, base.ListCommand):
  """Get the IAM policy for a service account.

  This command gets the IAM policy for a service account. If formatted as
  JSON, the output can be edited and used as a policy file for
  set-iam-policy. The output includes an "etag" field identifying the version
  emitted and allowing detection of concurrent policy updates; see
  $ gcloud iam service-accounts set-iam-policy for additional details.
  """

  # Help sections: DESCRIPTION is the class docstring ({description}) followed
  # by the shared service-account resource hint; EXAMPLES is dedented verbatim.
  detailed_help = {
      'DESCRIPTION': (
          '{description}' + '\n\n' +
          iam_util.GetHintForServiceAccountResource('get the iam policy of')),
      'EXAMPLES': textwrap.dedent("""\
          To print the IAM policy for a given service account, run:

            $ {command} [email protected]
          """),
  }

  @staticmethod
  def Args(parser):
    """Register the positional service-account argument on *parser*."""
    iam_util.AddServiceAccountNameArg(parser, action='whose policy to get')
    # A policy is not a listable resource; drop base.URI_FLAG (presumably
    # contributed by base.ListCommand — confirm) so it is not offered.
    base.URI_FLAG.RemoveFromParser(parser)

  def Run(self, args):
    """Fetch and return the IAM policy of args.service_account.

    The returned policy carries the etag the docstring describes; callers can
    feed it back to set-iam-policy for an optimistic-concurrency check.
    NOTE(review): unlike the other GetIamPolicy variant on this page, no
    options_requestedPolicyVersion is sent, so the server's default policy
    version applies — confirm this is acceptable for policies that carry
    conditional bindings.
    """
    resource_name = iam_util.EmailToAccountResourceName(args.service_account)
    request = self.messages.IamProjectsServiceAccountsGetIamPolicyRequest(
        resource=resource_name)
    return self.iam_client.projects_serviceAccounts.GetIamPolicy(request)
class RemoveIamPolicyBinding(base.Command):
    """Remove an IAM policy binding from a service account.

  This command removes a policy binding to the IAM policy of a service account,
  given an IAM_ACCOUNT and the binding.
  """

    # Shared remove-iam-policy-binding help, with the service-account resource
    # hint appended to the DESCRIPTION section.
    detailed_help = iam_util.GetDetailedHelpForRemoveIamPolicyBinding(
        'service account', '*****@*****.**')
    detailed_help['DESCRIPTION'] = '\n\n'.join([
        detailed_help['DESCRIPTION'],
        iam_util.GetHintForServiceAccountResource(
            'remove a policy binding from'),
    ])

    @staticmethod
    def Args(parser):
        """Register the service-account positional and the --member/--role
        style binding arguments (exact flags come from iam_util)."""
        iam_util.AddServiceAccountNameArg(
            parser, action='to remove the policy binding from')
        iam_util.AddArgsForRemoveIamPolicyBinding(parser)

    # Read-modify-write on the policy: if the stored policy changes between
    # the get and the set, the server answers CONFLICT and the whole Run is
    # retried by the decorator, so the edit is never applied to a stale copy.
    @http_retry.RetryOnHttpStatus(six.moves.http_client.CONFLICT)
    def Run(self, args):
        """Drop the (args.member, args.role) binding and return the new policy.

        The policy is fetched, edited locally by
        iam_util.RemoveBindingFromIamPolicy, and written back in full.
        """
        client, messages = util.GetClientAndMessages()
        resource_name = iam_util.EmailToAccountResourceName(
            args.service_account)

        get_request = messages.IamProjectsServiceAccountsGetIamPolicyRequest(
            resource=resource_name)
        policy = client.projects_serviceAccounts.GetIamPolicy(get_request)

        iam_util.RemoveBindingFromIamPolicy(policy, args.member, args.role)

        set_request = messages.IamProjectsServiceAccountsSetIamPolicyRequest(
            resource=resource_name,
            setIamPolicyRequest=messages.SetIamPolicyRequest(policy=policy))
        return client.projects_serviceAccounts.SetIamPolicy(set_request)
class AddIamPolicyBinding(base_classes.BaseIamCommand):
  """Add an IAM policy binding to a service account.

  This command adds a policy binding to the IAM policy of a service account,
  given an IAM_ACCOUNT and the binding.
  """

  # Shared add-iam-policy-binding help, with the service-account resource
  # hint appended to the DESCRIPTION section.
  detailed_help = iam_util.GetDetailedHelpForAddIamPolicyBinding(
      'service account',
      '*****@*****.**')
  detailed_help['DESCRIPTION'] = '\n\n'.join([
      detailed_help['DESCRIPTION'],
      iam_util.GetHintForServiceAccountResource('add iam policy bindings to'),
  ])

  @staticmethod
  def Args(parser):
    """Register the service-account positional and the binding arguments
    (exact flags come from iam_util)."""
    iam_util.AddServiceAccountNameArg(
        parser,
        action='whose policy to add bindings to')
    iam_util.AddArgsForAddIamPolicyBinding(parser)

  # Read-modify-write on the policy: a CONFLICT from the server (the stored
  # policy changed between get and set) re-runs the whole method, so the new
  # binding is always merged into a fresh copy rather than a stale one.
  @http_retry.RetryOnHttpStatus(httplib.CONFLICT)
  def Run(self, args):
    """Add the (args.member, args.role) binding and return the new policy.

    The policy is fetched, extended locally by iam_util.AddBindingToIamPolicy
    using the client's Binding message type, and written back in full.
    """
    resource_name = iam_util.EmailToAccountResourceName(args.service_account)

    get_request = self.messages.IamProjectsServiceAccountsGetIamPolicyRequest(
        resource=resource_name)
    policy = self.iam_client.projects_serviceAccounts.GetIamPolicy(get_request)

    iam_util.AddBindingToIamPolicy(
        self.messages.Binding, policy, args.member, args.role)

    set_request = self.messages.IamProjectsServiceAccountsSetIamPolicyRequest(
        resource=resource_name,
        setIamPolicyRequest=self.messages.SetIamPolicyRequest(policy=policy))
    return self.iam_client.projects_serviceAccounts.SetIamPolicy(set_request)
class SetIamPolicy(base.Command):
  """Set the IAM policy for a service account.

  This command replaces the existing IAM policy for a service account, given
  an IAM_ACCOUNT and a file encoded in JSON or YAML that contains the IAM
  policy. If the given policy file specifies an "etag" value, then the
  replacement will succeed only if the policy already in place matches that
  etag. (An etag obtained via $ gcloud iam service-accounts get-iam-policy will
  prevent the replacement if the policy for the service account has been
  subsequently updated.) A policy file that does not contain an etag value will
  replace any existing policy for the service account.

  If the service account does not exist, this command returns a
  `PERMISSION_DENIED` error.
  """

  # Shared set-iam-policy help, with the service-account resource hint
  # appended to the DESCRIPTION section.
  detailed_help = iam_util.GetDetailedHelpForSetIamPolicy(
      'service account', '*****@*****.**')
  detailed_help['DESCRIPTION'] = '\n\n'.join([
      detailed_help['DESCRIPTION'],
      iam_util.GetHintForServiceAccountResource('set the iam policy of'),
  ])

  @staticmethod
  def Args(parser):
    """Register the service-account positional and the POLICY_FILE path."""
    iam_util.AddServiceAccountNameArg(
        parser,
        action='whose policy to set')
    parser.add_argument(
        'policy_file',
        metavar='POLICY_FILE',
        help=('Path to a local JSON or YAML formatted file '
              'containing a valid policy.'))

  def Run(self, args):
    """Replace the service account's policy with the one in args.policy_file.

    This is a full overwrite, not a merge: whatever bindings the file omits
    are removed. The only guard against clobbering a concurrent change is an
    "etag" in the file, as the class docstring describes; a file without one
    replaces the stored policy unconditionally.
    """
    client, messages = util.GetClientAndMessages()
    policy = iam_util.ParsePolicyFile(args.policy_file, messages.Policy)
    # The version the file declares is overridden with the newest one the
    # library supports before the policy is sent.
    policy.version = iam_util.MAX_LIBRARY_IAM_SUPPORTED_VERSION

    request = messages.IamProjectsServiceAccountsSetIamPolicyRequest(
        resource=iam_util.EmailToAccountResourceName(args.service_account),
        setIamPolicyRequest=messages.SetIamPolicyRequest(policy=policy))
    response = client.projects_serviceAccounts.SetIamPolicy(request)
    # Logged only after the server accepted the write.
    iam_util.LogSetIamPolicy(args.service_account, 'service account')
    return response
class GetIamPolicy(base.ListCommand):
    """Get the IAM policy for a service account.

  This command gets the IAM policy for a service account. If formatted as
  JSON, the output can be edited and used as a policy file for
  set-iam-policy. The output includes an "etag" field identifying the version
  emitted and allowing detection of concurrent policy updates; see
  $ gcloud iam service-accounts set-iam-policy for additional details.

  If the service account does not exist, this command returns a
  `PERMISSION_DENIED` error.
  """

    # Help sections: DESCRIPTION is the class docstring ({description})
    # followed by the shared service-account resource hint; EXAMPLES is the
    # dedented literal below (it keeps its leading newline).
    detailed_help = {
        'DESCRIPTION': (
            '{description}' + '\n\n' +
            iam_util.GetHintForServiceAccountResource('get the iam policy of')),
        'EXAMPLES': textwrap.dedent("""
          To print the IAM policy for a given service account, run:

            $ {command} [email protected]
          """),
    }

    @staticmethod
    def Args(parser):
        """Register the positional service-account argument on *parser*."""
        iam_util.AddServiceAccountNameArg(parser, action='whose policy to get')
        # A policy is not a listable resource; drop base.URI_FLAG (presumably
        # contributed by base.ListCommand — confirm) so it is not offered.
        base.URI_FLAG.RemoveFromParser(parser)

    def Run(self, args):
        """Fetch and return the IAM policy of args.service_account.

        The request pins options_requestedPolicyVersion to the newest version
        the library supports, so the returned policy (and its etag) is in the
        form set-iam-policy expects back.
        """
        client, messages = util.GetClientAndMessages()
        resource_name = iam_util.EmailToAccountResourceName(
            args.service_account)
        request = messages.IamProjectsServiceAccountsGetIamPolicyRequest(
            resource=resource_name,
            options_requestedPolicyVersion=(
                iam_util.MAX_LIBRARY_IAM_SUPPORTED_VERSION))
        return client.projects_serviceAccounts.GetIamPolicy(request)