def Run(self, args):
iam_client = apis.GetClientInstance('iam', 'v1')
messages = apis.GetMessagesModule('iam', 'v1')
parent_name = iam_util.GetParentName(args.organization, args.project)
if args.file:
if args.title or args.description or args.stage or args.permissions:
raise exceptions.ConflictingArgumentsException('file', 'others')
role = iam_util.ParseYamlToRole(args.file, messages.Role)
role.name = None
role.etag = None
else:
role = messages.Role(title=args.title, description=args.description)
if args.permissions:
role.includedPermissions = args.permissions.split(',')
if args.stage:
role.stage = iam_util.StageTypeFromString(args.stage)
if not role.title:
role.title = args.role
if not args.quiet:
testing_permissions = util.GetTestingPermissions(
iam_client, messages,
iam_util.GetResourceReference(args.project, args.organization),
role.includedPermissions)
iam_util.TestingPermissionsWarning(testing_permissions)
result = iam_client.organizations_roles.Create(
messages.IamOrganizationsRolesCreateRequest(
createRoleRequest=messages.CreateRoleRequest(
role=role, roleId=args.role),
parent=parent_name))
log.CreatedResource(args.role, kind='role')
iam_util.SetRoleStageIfAlpha(result)
return result
def Run(self, args):
iam_client = apis.GetClientInstance('iam', 'v1')
messages = apis.GetMessagesModule('iam', 'v1')
if args.source is None:
raise RequiredArgumentException('source',
'the source role is required.')
if args.destination is None:
raise RequiredArgumentException(
'destination', 'the destination role is required.')
source_role_name = iam_util.GetRoleName(
args.source_organization,
args.source_project,
args.source,
attribute='the source custom role',
parameter_name='source')
dest_parent = iam_util.GetParentName(
args.dest_organization,
args.dest_project,
attribute='the destination custom role')
source_role = iam_client.organizations_roles.Get(
messages.IamOrganizationsRolesGetRequest(name=source_role_name))
new_role = messages.Role(title=source_role.title,
description=source_role.description)
permissions_helper = util.PermissionsHelper(
iam_client, messages,
iam_util.GetResourceReference(args.dest_project,
args.dest_organization),
source_role.includedPermissions)
not_supported_permissions = permissions_helper.GetNotSupportedPermissions(
)
if not_supported_permissions:
log.warning(
'Permissions don\'t support custom roles and won\'t be added: ['
+ ', '.join(not_supported_permissions) + '] \n')
not_applicable_permissions = permissions_helper.GetNotApplicablePermissions(
)
if not_applicable_permissions:
log.warning(
'Permissions not applicable to the current resource and won\'t'
' be added: [' + ', '.join(not_applicable_permissions) +
'] \n')
api_diabled_permissions = permissions_helper.GetApiDisabledPermissons()
iam_util.ApiDisabledPermissionsWarning(api_diabled_permissions)
testing_permissions = permissions_helper.GetTestingPermissions()
iam_util.TestingPermissionsWarning(testing_permissions)
valid_permissions = permissions_helper.GetValidPermissions()
new_role.includedPermissions = valid_permissions
result = iam_client.organizations_roles.Create(
messages.IamOrganizationsRolesCreateRequest(
createRoleRequest=messages.CreateRoleRequest(
role=new_role, roleId=args.destination),
parent=dest_parent))
iam_util.SetRoleStageIfAlpha(result)
return result
def Run(self, args):
client, messages = util.GetClientAndMessages()
if not args.organization:
raise gcloud_exceptions.RequiredArgumentException(
'--organization',
'Should specify the organization for workforce pools.')
parent_name = iam_util.GetParentName(args.organization, None,
'workforce pool')
workforce_pool_ref = args.CONCEPTS.workforce_pool.Parse()
new_workforce_pool = messages.WorkforcePool(
parent=parent_name,
displayName=args.display_name,
description=args.description,
disabled=args.disabled,
sessionDuration=args.session_duration)
lro_ref = client.locations_workforcePools.Create(
messages.IamLocationsWorkforcePoolsCreateRequest(
location=flags.ParseLocation(args),
workforcePoolId=workforce_pool_ref.workforcePoolsId,
workforcePool=new_workforce_pool))
log.status.Print('Create request issued for: [{}]'.format(
workforce_pool_ref.workforcePoolsId))
if args.async_:
log.status.Print('Check operation [{}] for status.'.format(
lro_ref.name))
return lro_ref
lro_resource = resources.REGISTRY.ParseRelativeName(
lro_ref.name, collection='iam.locations.workforcePools.operations')
poller = workforce_pool_waiter.WorkforcePoolOperationPoller(
client.locations_workforcePools,
client.locations_workforcePools_operations)
# Wait for a maximum of 5 minutes, as the IAM replication has a lag of up to
# 80 seconds. GetOperation has a dependency on IAMInternal.CheckPolicy, and
# requires the caller to have `workforcePools.get` permission on the created
# resource to return as `done`. See b/203589135.
result = waiter.WaitFor(
poller,
lro_resource,
'Waiting for operations [{}] to complete'.format(lro_ref.name),
max_wait_ms=300000)
log.status.Print('Created workforce pool [{}].'.format(
workforce_pool_ref.workforcePoolsId))
return result
def Run(self, args):
iam_client = apis.GetClientInstance('iam', 'v1')
messages = apis.GetMessagesModule('iam', 'v1')
if args.source is None:
raise RequiredArgumentException('source',
'the source role is required.')
if args.destination is None:
raise RequiredArgumentException(
'destination', 'the destination role is required.')
source_role_name = iam_util.GetRoleName(
args.source_organization,
args.source_project,
args.source,
attribute='the source custom role',
parameter_name='source')
dest_parent = iam_util.GetParentName(
args.dest_organization,
args.dest_project,
attribute='the destination custom role')
source_role = iam_client.organizations_roles.Get(
messages.IamOrganizationsRolesGetRequest(name=source_role_name))
new_role = messages.Role(title=source_role.title,
description=source_role.description)
valid_permissions, testing_permissions = util.GetValidAndTestingPermissions(
iam_client, messages,
iam_util.GetResourceReference(args.dest_project,
args.dest_organization),
source_role.includedPermissions)
iam_util.TestingPermissionsWarning(testing_permissions)
new_role.includedPermissions = valid_permissions
result = iam_client.organizations_roles.Create(
messages.IamOrganizationsRolesCreateRequest(
createRoleRequest=messages.CreateRoleRequest(
role=new_role, roleId=args.destination),
parent=dest_parent))
iam_util.SetRoleStageIfAlpha(result)
return result
def Run(self, args):
client, messages = util.GetClientAndMessages()
if args.project is None and args.organization is None:
return list_pager.YieldFromList(
client.roles,
messages.IamRolesListRequest(showDeleted=args.show_deleted),
field='roles',
limit=args.limit,
batch_size_attribute='pageSize')
parent_name = iam_util.GetParentName(args.organization, args.project)
if args.limit is not None and (args.limit < 1):
raise exceptions.ToolException('Limit size must be >=1')
return list_pager.YieldFromList(
client.organizations_roles,
messages.IamOrganizationsRolesListRequest(
parent=parent_name, showDeleted=args.show_deleted),
field='roles',
limit=args.limit,
batch_size_attribute='pageSize')
def Run(self, args):
if args.limit is not None and (args.limit < 1):
raise gcloud_exceptions.InvalidArgumentException('Limit size must be >=1')
client, messages = util.GetClientAndMessages()
if not args.organization:
raise gcloud_exceptions.RequiredArgumentException(
'--organization',
'Should specify the organization for workforce pools.')
parent_name = iam_util.GetParentName(args.organization, None,
'workforce pools')
return list_pager.YieldFromList(
client.locations_workforcePools,
messages.IamLocationsWorkforcePoolsListRequest(
parent=parent_name,
showDeleted=args.show_deleted,
location=flags.ParseLocation(args)),
field='workforcePools',
limit=args.limit,
batch_size=args.page_size,
batch_size_attribute='pageSize')
def Run(self, args):
client, messages = util.GetClientAndMessages()
parent_name = iam_util.GetParentName(args.organization, args.project)
if args.file:
role = iam_util.ParseYamlToRole(args.file, messages.Role)
role.name = None
role.etag = None
else:
role = messages.Role(title=args.title,
description=args.description)
if args.permissions:
role.includedPermissions = args.permissions.split(',')
if args.stage:
role.stage = iam_util.StageTypeFromString(args.stage)
if not role.title:
role.title = args.role
if not args.quiet:
permissions_helper = util.PermissionsHelper(
client, messages,
iam_util.GetResourceReference(args.project, args.organization),
role.includedPermissions)
api_diabled_permissions = permissions_helper.GetApiDisabledPermissons(
)
iam_util.ApiDisabledPermissionsWarning(api_diabled_permissions)
testing_permissions = permissions_helper.GetTestingPermissions()
iam_util.TestingPermissionsWarning(testing_permissions)
result = client.organizations_roles.Create(
messages.IamOrganizationsRolesCreateRequest(
createRoleRequest=messages.CreateRoleRequest(role=role,
roleId=args.role),
parent=parent_name))
log.CreatedResource(args.role, kind='role')
iam_util.SetRoleStageIfAlpha(result)
return result
def Run(self, args):
iam_client = apis.GetClientInstance('iam', 'v1')
messages = apis.GetMessagesModule('iam', 'v1')
if args.source is None:
raise RequiredArgumentException('source',
'the source role is required.')
if args.destination is None:
raise RequiredArgumentException(
'destination', 'the destination role is required.')
source_role_name = iam_util.GetRoleName(
args.source_organization,
args.source_project,
args.source,
attribute='the source custom role',
parameter_name='source')
dest_parent = iam_util.GetParentName(
args.dest_organization,
args.dest_project,
attribute='the destination custom role')
source_role = iam_client.organizations_roles.Get(
messages.IamOrganizationsRolesGetRequest(name=source_role_name))
new_role = messages.Role(
title=source_role.title,
description=source_role.description,
includedPermissions=source_role.includedPermissions)
if source_role.includedPermissions:
full_resource_name = '//cloudresourcemanager.googleapis.com/'
if args.dest_project:
full_resource_name += 'projects/{0}'.format(args.dest_project)
else:
full_resource_name += 'organizations/{0}'.format(
args.dest_organization)
valid_permissions = []
token = None
source_permissions = set(source_role.includedPermissions)
while len(
source_role.includedPermissions) != len(valid_permissions):
resp = iam_client.permissions.QueryTestablePermissions(
messages.QueryTestablePermissionsRequest(
fullResourceName=full_resource_name, pageToken=token))
for testable_permission in resp.permissions:
if (testable_permission.name in source_permissions and
(testable_permission.customRolesSupportLevel !=
messages.Permission.
CustomRolesSupportLevelValueValuesEnum.NOT_SUPPORTED)
):
valid_permissions.append(testable_permission.name)
token = resp.nextPageToken
if not token:
break
new_role.includedPermissions = valid_permissions
result = iam_client.organizations_roles.Create(
messages.IamOrganizationsRolesCreateRequest(
createRoleRequest=messages.CreateRoleRequest(
role=new_role, roleId=args.destination),
parent=dest_parent))
iam_util.SetRoleStageIfAlpha(result)
return result
