def Run(self, args):
    """Create a custom IAM role under an organization or project.

    The role definition comes either from a YAML file (args.file) or from
    the individual title/description/stage/permissions arguments; mixing
    the two is rejected.

    Args:
        args: Parsed command-line namespace for the command.

    Returns:
        The role message returned by the Create call, after it has been
        passed through iam_util.SetRoleStageIfAlpha.

    Raises:
        exceptions.ConflictingArgumentsException: args.file was combined
            with title, description, stage or permissions.
    """
    iam_client = apis.GetClientInstance('iam', 'v1')
    messages = apis.GetMessagesModule('iam', 'v1')
    parent_name = iam_util.GetParentName(args.organization, args.project)

    if args.file:
        inline_fields = (
            args.title, args.description, args.stage, args.permissions)
        if any(inline_fields):
            raise exceptions.ConflictingArgumentsException('file', 'others')
        role = iam_util.ParseYamlToRole(args.file, messages.Role)
        # Any name or etag carried in the file is discarded; the new role is
        # addressed by the roleId and parent sent in the request below.
        role.name = None
        role.etag = None
    else:
        role = messages.Role(title=args.title, description=args.description)
        if args.permissions:
            role.includedPermissions = args.permissions.split(',')
        if args.stage:
            role.stage = iam_util.StageTypeFromString(args.stage)

    # Fall back to the role id when no title was supplied.
    if not role.title:
        role.title = args.role

    # NOTE(review): --quiet skips this lookup entirely, so the operator gets
    # no testing-permission warning for the role being created.
    if not args.quiet:
        resource_ref = iam_util.GetResourceReference(
            args.project, args.organization)
        in_testing = util.GetTestingPermissions(
            iam_client, messages, resource_ref, role.includedPermissions)
        iam_util.TestingPermissionsWarning(in_testing)

    create_body = messages.CreateRoleRequest(role=role, roleId=args.role)
    request = messages.IamOrganizationsRolesCreateRequest(
        createRoleRequest=create_body, parent=parent_name)
    created = iam_client.organizations_roles.Create(request)

    log.CreatedResource(args.role, kind='role')
    iam_util.SetRoleStageIfAlpha(created)
    return created
def Run(self, args):
    """Copy a custom role to a destination organization or project.

    Only the permissions that the PermissionsHelper reports as valid for
    the destination resource are carried over. Permissions it reports as
    not supported in custom roles or not applicable to the destination
    are named in a logged warning and left out, so the new role can hold
    fewer permissions than the source.

    Args:
        args: Parsed command-line namespace for the command.

    Returns:
        The role message returned by the Create call, after it has been
        passed through iam_util.SetRoleStageIfAlpha.

    Raises:
        RequiredArgumentException: args.source or args.destination is None.
    """
    iam_client = apis.GetClientInstance('iam', 'v1')
    messages = apis.GetMessagesModule('iam', 'v1')

    if args.source is None:
        raise RequiredArgumentException(
            'source', 'the source role is required.')
    if args.destination is None:
        raise RequiredArgumentException(
            'destination', 'the destination role is required.')

    src_name = iam_util.GetRoleName(
        args.source_organization,
        args.source_project,
        args.source,
        attribute='the source custom role',
        parameter_name='source')
    target_parent = iam_util.GetParentName(
        args.dest_organization,
        args.dest_project,
        attribute='the destination custom role')

    src_role = iam_client.organizations_roles.Get(
        messages.IamOrganizationsRolesGetRequest(name=src_name))
    copied_role = messages.Role(
        title=src_role.title, description=src_role.description)

    # The helper classifies the source permissions against the destination
    # resource; each category is reported before the role is created.
    helper = util.PermissionsHelper(
        iam_client,
        messages,
        iam_util.GetResourceReference(
            args.dest_project, args.dest_organization),
        src_role.includedPermissions)

    unsupported = helper.GetNotSupportedPermissions()
    if unsupported:
        log.warning(
            "Permissions don't support custom roles and won't be added: "
            "[{}] \n".format(', '.join(unsupported)))

    inapplicable = helper.GetNotApplicablePermissions()
    if inapplicable:
        log.warning(
            "Permissions not applicable to the current resource and won't"
            " be added: [{}] \n".format(', '.join(inapplicable)))

    api_disabled = helper.GetApiDisabledPermissons()
    iam_util.ApiDisabledPermissionsWarning(api_disabled)

    in_testing = helper.GetTestingPermissions()
    iam_util.TestingPermissionsWarning(in_testing)

    copied_role.includedPermissions = helper.GetValidPermissions()

    create_body = messages.CreateRoleRequest(
        role=copied_role, roleId=args.destination)
    created = iam_client.organizations_roles.Create(
        messages.IamOrganizationsRolesCreateRequest(
            createRoleRequest=create_body, parent=target_parent))
    iam_util.SetRoleStageIfAlpha(created)
    return created
def Run(self, args):
    """Create a workforce pool under an organization.

    Issues the create request and, unless args.async_ is set, waits for
    the resulting long-running operation to finish.

    Args:
        args: Parsed command-line namespace for the command.

    Returns:
        The long-running operation reference when args.async_ is set,
        otherwise the value returned by waiter.WaitFor.

    Raises:
        gcloud_exceptions.RequiredArgumentException: args.organization is
            empty.
    """
    client, messages = util.GetClientAndMessages()
    if not args.organization:
        raise gcloud_exceptions.RequiredArgumentException(
            '--organization',
            'Should specify the organization for workforce pools.')

    parent_name = iam_util.GetParentName(
        args.organization, None, 'workforce pool')
    pool_ref = args.CONCEPTS.workforce_pool.Parse()

    pool = messages.WorkforcePool(
        parent=parent_name,
        displayName=args.display_name,
        description=args.description,
        disabled=args.disabled,
        sessionDuration=args.session_duration)
    create_request = messages.IamLocationsWorkforcePoolsCreateRequest(
        location=flags.ParseLocation(args),
        workforcePoolId=pool_ref.workforcePoolsId,
        workforcePool=pool)
    operation = client.locations_workforcePools.Create(create_request)

    log.status.Print(
        'Create request issued for: [{}]'.format(pool_ref.workforcePoolsId))

    if args.async_:
        # Caller asked not to block; hand back the operation to poll later.
        log.status.Print(
            'Check operation [{}] for status.'.format(operation.name))
        return operation

    operation_resource = resources.REGISTRY.ParseRelativeName(
        operation.name,
        collection='iam.locations.workforcePools.operations')
    poller = workforce_pool_waiter.WorkforcePoolOperationPoller(
        client.locations_workforcePools,
        client.locations_workforcePools_operations)

    # Wait for a maximum of 5 minutes, as the IAM replication has a lag of up
    # to 80 seconds. GetOperation has a dependency on IAMInternal.CheckPolicy,
    # and requires the caller to have `workforcePools.get` permission on the
    # created resource to return as `done`. See b/203589135.
    wait_message = 'Waiting for operations [{}] to complete'.format(
        operation.name)
    outcome = waiter.WaitFor(
        poller, operation_resource, wait_message, max_wait_ms=300000)

    log.status.Print(
        'Created workforce pool [{}].'.format(pool_ref.workforcePoolsId))
    return outcome
def Run(self, args):
    """Copy a custom role to a destination organization or project.

    The new role receives only the permissions that
    util.GetValidAndTestingPermissions returns as valid for the
    destination resource, so it can hold fewer permissions than the
    source role. This path logs nothing about permissions that were left
    out; only the testing permissions are handed to a warning helper.

    Args:
        args: Parsed command-line namespace for the command.

    Returns:
        The role message returned by the Create call, after it has been
        passed through iam_util.SetRoleStageIfAlpha.

    Raises:
        RequiredArgumentException: args.source or args.destination is None.
    """
    iam_client = apis.GetClientInstance('iam', 'v1')
    messages = apis.GetMessagesModule('iam', 'v1')

    if args.source is None:
        raise RequiredArgumentException(
            'source', 'the source role is required.')
    if args.destination is None:
        raise RequiredArgumentException(
            'destination', 'the destination role is required.')

    src_name = iam_util.GetRoleName(
        args.source_organization,
        args.source_project,
        args.source,
        attribute='the source custom role',
        parameter_name='source')
    target_parent = iam_util.GetParentName(
        args.dest_organization,
        args.dest_project,
        attribute='the destination custom role')

    src_role = iam_client.organizations_roles.Get(
        messages.IamOrganizationsRolesGetRequest(name=src_name))
    copied_role = messages.Role(
        title=src_role.title, description=src_role.description)

    dest_resource = iam_util.GetResourceReference(
        args.dest_project, args.dest_organization)
    usable, in_testing = util.GetValidAndTestingPermissions(
        iam_client, messages, dest_resource, src_role.includedPermissions)
    iam_util.TestingPermissionsWarning(in_testing)
    copied_role.includedPermissions = usable

    create_body = messages.CreateRoleRequest(
        role=copied_role, roleId=args.destination)
    created = iam_client.organizations_roles.Create(
        messages.IamOrganizationsRolesCreateRequest(
            createRoleRequest=create_body, parent=target_parent))
    iam_util.SetRoleStageIfAlpha(created)
    return created
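def Run(self, args):
    """List IAM roles, either the global set or those under a parent.

    When neither a project nor an organization is given, roles are listed
    from client.roles; otherwise the roles under the resolved parent are
    listed from client.organizations_roles.

    Args:
        args: Parsed command-line namespace for the command.

    Returns:
        The generator produced by list_pager.YieldFromList over the
        'roles' field of the list responses.

    Raises:
        exceptions.ToolException: args.limit is set and smaller than 1.
    """
    # Validate the limit up front so both listing paths reject a bad value;
    # previously the check ran only on the project/organization path, after
    # the unscoped path had already returned.
    if args.limit is not None and args.limit < 1:
        raise exceptions.ToolException('Limit size must be >=1')

    client, messages = util.GetClientAndMessages()

    if args.project is None and args.organization is None:
        return list_pager.YieldFromList(
            client.roles,
            messages.IamRolesListRequest(showDeleted=args.show_deleted),
            field='roles',
            limit=args.limit,
            batch_size_attribute='pageSize')

    parent_name = iam_util.GetParentName(args.organization, args.project)
    return list_pager.YieldFromList(
        client.organizations_roles,
        messages.IamOrganizationsRolesListRequest(
            parent=parent_name, showDeleted=args.show_deleted),
        field='roles',
        limit=args.limit,
        batch_size_attribute='pageSize')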
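def Run(self, args):
    """List the workforce pools under an organization.

    Args:
        args: Parsed command-line namespace for the command.

    Returns:
        The generator produced by list_pager.YieldFromList over the
        'workforcePools' field of the list responses.

    Raises:
        gcloud_exceptions.InvalidArgumentException: args.limit is set and
            smaller than 1.
        gcloud_exceptions.RequiredArgumentException: args.organization is
            empty.
    """
    if args.limit is not None and args.limit < 1:
        # InvalidArgumentException takes (parameter_name, message), the same
        # two-argument form as the RequiredArgumentException below. The
        # original single-argument call would fail with a TypeError instead
        # of reporting the bad limit.
        raise gcloud_exceptions.InvalidArgumentException(
            '--limit', 'Limit size must be >=1')

    client, messages = util.GetClientAndMessages()
    if not args.organization:
        raise gcloud_exceptions.RequiredArgumentException(
            '--organization',
            'Should specify the organization for workforce pools.')

    parent_name = iam_util.GetParentName(
        args.organization, None, 'workforce pools')
    return list_pager.YieldFromList(
        client.locations_workforcePools,
        messages.IamLocationsWorkforcePoolsListRequest(
            parent=parent_name,
            showDeleted=args.show_deleted,
            location=flags.ParseLocation(args)),
        field='workforcePools',
        limit=args.limit,
        batch_size=args.page_size,
        batch_size_attribute='pageSize')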
def Run(self, args):
    """Create a custom IAM role under an organization or project.

    The role definition comes from a YAML file when args.file is set,
    otherwise from the title/description/stage/permissions arguments.

    Args:
        args: Parsed command-line namespace for the command.

    Returns:
        The role message returned by the Create call, after it has been
        passed through iam_util.SetRoleStageIfAlpha.
    """
    client, messages = util.GetClientAndMessages()
    parent_name = iam_util.GetParentName(args.organization, args.project)

    if args.file:
        # NOTE(review): this method does not itself reject --file combined
        # with the inline arguments; when a file is given, the inline values
        # are simply not read here. Confirm the parser enforces exclusivity.
        role = iam_util.ParseYamlToRole(args.file, messages.Role)
        # Any name or etag carried in the file is discarded; the new role is
        # addressed by the roleId and parent sent in the request below.
        role.name = None
        role.etag = None
    else:
        role = messages.Role(title=args.title, description=args.description)
        if args.permissions:
            role.includedPermissions = args.permissions.split(',')
        if args.stage:
            role.stage = iam_util.StageTypeFromString(args.stage)

    # Fall back to the role id when no title was supplied.
    if not role.title:
        role.title = args.role

    # NOTE(review): --quiet skips both permission warnings below.
    if not args.quiet:
        helper = util.PermissionsHelper(
            client,
            messages,
            iam_util.GetResourceReference(args.project, args.organization),
            role.includedPermissions)
        api_disabled = helper.GetApiDisabledPermissons()
        iam_util.ApiDisabledPermissionsWarning(api_disabled)
        in_testing = helper.GetTestingPermissions()
        iam_util.TestingPermissionsWarning(in_testing)

    create_body = messages.CreateRoleRequest(role=role, roleId=args.role)
    created = client.organizations_roles.Create(
        messages.IamOrganizationsRolesCreateRequest(
            createRoleRequest=create_body, parent=parent_name))

    log.CreatedResource(args.role, kind='role')
    iam_util.SetRoleStageIfAlpha(created)
    return created
def Run(self, args):
    """Copy a custom role to a destination organization or project.

    When the source role has permissions, they are filtered against the
    testable permissions of the destination resource: a permission is
    kept only if it is returned by QueryTestablePermissions and its
    custom-roles support level is not NOT_SUPPORTED. Everything else is
    dropped without any log output, so the new role can hold fewer
    permissions than the source.

    Args:
        args: Parsed command-line namespace for the command.

    Returns:
        The role message returned by the Create call, after it has been
        passed through iam_util.SetRoleStageIfAlpha.

    Raises:
        RequiredArgumentException: args.source or args.destination is None.
    """
    iam_client = apis.GetClientInstance('iam', 'v1')
    messages = apis.GetMessagesModule('iam', 'v1')

    if args.source is None:
        raise RequiredArgumentException(
            'source', 'the source role is required.')
    if args.destination is None:
        raise RequiredArgumentException(
            'destination', 'the destination role is required.')

    src_name = iam_util.GetRoleName(
        args.source_organization,
        args.source_project,
        args.source,
        attribute='the source custom role',
        parameter_name='source')
    dest_parent = iam_util.GetParentName(
        args.dest_organization,
        args.dest_project,
        attribute='the destination custom role')

    source_role = iam_client.organizations_roles.Get(
        messages.IamOrganizationsRolesGetRequest(name=src_name))
    new_role = messages.Role(
        title=source_role.title,
        description=source_role.description,
        includedPermissions=source_role.includedPermissions)

    if source_role.includedPermissions:
        if args.dest_project:
            scope = 'projects/{0}'.format(args.dest_project)
        else:
            scope = 'organizations/{0}'.format(args.dest_organization)
        full_resource_name = '//cloudresourcemanager.googleapis.com/' + scope

        not_supported = (
            messages.Permission.CustomRolesSupportLevelValueValuesEnum
            .NOT_SUPPORTED)
        wanted = set(source_role.includedPermissions)
        kept = []
        page_token = None

        # Page through the destination's testable permissions until every
        # source permission has been matched or the pages run out.
        while len(source_role.includedPermissions) != len(kept):
            page = iam_client.permissions.QueryTestablePermissions(
                messages.QueryTestablePermissionsRequest(
                    fullResourceName=full_resource_name,
                    pageToken=page_token))
            kept.extend(
                candidate.name
                for candidate in page.permissions
                if candidate.name in wanted
                and candidate.customRolesSupportLevel != not_supported)
            page_token = page.nextPageToken
            if not page_token:
                break

        new_role.includedPermissions = kept

    create_body = messages.CreateRoleRequest(
        role=new_role, roleId=args.destination)
    created = iam_client.organizations_roles.Create(
        messages.IamOrganizationsRolesCreateRequest(
            createRoleRequest=create_body, parent=dest_parent))
    iam_util.SetRoleStageIfAlpha(created)
    return created