def AddIamPolicyBindingServiceAccount(service_account_name, role, member):
  """Add an IAM policy binding to a service account.

  Read-modify-write of the service account's IAM policy: the current policy
  is fetched, the (member, role) binding is added locally, and the whole
  policy object is written back. Because the fetched policy object itself is
  passed to SetIamPolicy, any etag it carries travels with it (presumably
  letting the server reject a concurrent edit — confirm against the IAM API
  contract).

  NOTE(review): no options_requestedPolicyVersion is requested on the
  GetIamPolicy call, unlike the get-iam-policy command that passes
  iam_util.MAX_LIBRARY_IAM_SUPPORTED_VERSION; confirm how a policy holding
  conditional bindings is handled before relying on this path.

  Args:
    service_account_name: The google service account to add the iam policy
      binding to.
    role: The role the member is granted.
    member: The gsa/ksa allowed to act as the defined service account.

  Returns:
    Policy: The updated policy.
  """
  iam_client, iam_messages = iam_api_util.GetClientAndMessages()
  # Convert the email to a resource name once; both calls address it.
  resource = iam_util.EmailToAccountResourceName(service_account_name)

  get_request = iam_messages.IamProjectsServiceAccountsGetIamPolicyRequest(
      resource=resource)
  policy = iam_client.projects_serviceAccounts.GetIamPolicy(get_request)

  iam_util.AddBindingToIamPolicy(iam_messages.Binding, policy, member, role)

  set_request = iam_messages.IamProjectsServiceAccountsSetIamPolicyRequest(
      resource=resource,
      setIamPolicyRequest=iam_messages.SetIamPolicyRequest(policy=policy))
  return iam_client.projects_serviceAccounts.SetIamPolicy(set_request)
def Run(self, args):
  """Remove an IAM policy binding from a service account.

  Fetches the current policy, removes the (member, role) binding locally and
  sends the same policy object back through SetIamPolicy.

  Args:
    args: Command arguments; reads args.service_account, args.member and
      args.role.

  Returns:
    The policy returned by SetIamPolicy.
  """
  resource = iam_util.EmailToAccountResourceName(args.service_account)
  get_request = self.messages.IamProjectsServiceAccountsGetIamPolicyRequest(
      resource=resource)
  policy = self.iam_client.projects_serviceAccounts.GetIamPolicy(get_request)

  iam_util.RemoveBindingFromIamPolicy(policy, args.member, args.role)

  set_request = self.messages.IamProjectsServiceAccountsSetIamPolicyRequest(
      resource=resource,
      setIamPolicyRequest=self.messages.SetIamPolicyRequest(policy=policy))
  return self.iam_client.projects_serviceAccounts.SetIamPolicy(set_request)
def Run(self, args):
  """Remove an IAM policy binding from a service account.

  Same read-modify-write as the binding removal command, but an HttpError
  raised by either IAM call is converted into a service-account-specific
  exception naming args.name.

  Args:
    args: Command arguments; reads args.name, args.member and args.role.

  Returns:
    The policy returned by SetIamPolicy.

  Raises:
    The exception produced by iam_util.ConvertToServiceAccountException when
    the IAM API returns an HttpError.
  """
  try:
    resource = iam_util.EmailToAccountResourceName(args.name)
    policy = self.iam_client.projects_serviceAccounts.GetIamPolicy(
        self.messages.IamProjectsServiceAccountsGetIamPolicyRequest(
            resource=resource))
    iam_util.RemoveBindingFromIamPolicy(policy, args.member, args.role)
    set_request = self.messages.IamProjectsServiceAccountsSetIamPolicyRequest(
        resource=resource,
        setIamPolicyRequest=self.messages.SetIamPolicyRequest(policy=policy))
    return self.iam_client.projects_serviceAccounts.SetIamPolicy(set_request)
  except exceptions.HttpError as error:
    raise iam_util.ConvertToServiceAccountException(error, args.name)
def Run(self, args):
  """Add an IAM policy binding to a service account.

  Fetches the current policy, adds the (member, role) binding locally and
  writes the same policy object back through SetIamPolicy.

  NOTE(review): the GetIamPolicy call does not request a policy version
  (compare the get-iam-policy command passing
  iam_util.MAX_LIBRARY_IAM_SUPPORTED_VERSION); confirm the behaviour for a
  policy that already holds conditional bindings.

  Args:
    args: Command arguments; reads args.service_account, args.member and
      args.role.

  Returns:
    The policy returned by SetIamPolicy.
  """
  client, messages = util.GetClientAndMessages()
  resource = iam_util.EmailToAccountResourceName(args.service_account)

  policy = client.projects_serviceAccounts.GetIamPolicy(
      messages.IamProjectsServiceAccountsGetIamPolicyRequest(
          resource=resource))
  iam_util.AddBindingToIamPolicy(messages.Binding, policy, args.member,
                                 args.role)

  set_request = messages.IamProjectsServiceAccountsSetIamPolicyRequest(
      resource=resource,
      setIamPolicyRequest=messages.SetIamPolicyRequest(policy=policy))
  return client.projects_serviceAccounts.SetIamPolicy(set_request)
def Run(self, args):
  """Return the IAM policy of the service account named by args.name.

  Args:
    args: Command arguments; reads args.name.

  Returns:
    The policy returned by GetIamPolicy.

  Raises:
    The exception produced by iam_util.ConvertToServiceAccountException when
    the IAM API returns an HttpError.
  """
  try:
    request = self.messages.IamProjectsServiceAccountsGetIamPolicyRequest(
        resource=iam_util.EmailToAccountResourceName(args.name))
    return self.iam_client.projects_serviceAccounts.GetIamPolicy(request)
  except exceptions.HttpError as error:
    raise iam_util.ConvertToServiceAccountException(error, args.name)
def Run(self, args):
  """Fetch the service account named by args.service_account.

  Args:
    args: Command arguments; reads args.service_account.

  Returns:
    The ServiceAccount returned by the IAM Get call.
  """
  # TODO(b/25212870): use resource parsing.
  client, messages = util.GetClientAndMessages()
  request = messages.IamProjectsServiceAccountsGetRequest(
      name=iam_util.EmailToAccountResourceName(args.service_account))
  return client.projects_serviceAccounts.Get(request)
def Run(self, args):
  """Return the IAM policy of the service account named by args.service_account.

  The request asks for iam_util.MAX_LIBRARY_IAM_SUPPORTED_VERSION via
  options_requestedPolicyVersion, so the returned policy is the richest form
  this client library knows how to represent.

  Args:
    args: Command arguments; reads args.service_account.

  Returns:
    The policy returned by GetIamPolicy.
  """
  client, messages = util.GetClientAndMessages()
  resource = iam_util.EmailToAccountResourceName(args.service_account)
  request = messages.IamProjectsServiceAccountsGetIamPolicyRequest(
      resource=resource,
      options_requestedPolicyVersion=(
          iam_util.MAX_LIBRARY_IAM_SUPPORTED_VERSION))
  return client.projects_serviceAccounts.GetIamPolicy(request)
def Run(self, args):
  """Fetch the service account named by args.name.

  Args:
    args: Command arguments; reads args.name.

  Returns:
    The ServiceAccount returned by the IAM Get call.

  Raises:
    The exception produced by iam_util.ConvertToServiceAccountException when
    the IAM API returns an HttpError.
  """
  # TODO(b/25212870): use resource parsing.
  try:
    request = self.messages.IamProjectsServiceAccountsGetRequest(
        name=iam_util.EmailToAccountResourceName(args.name))
    return self.iam_client.projects_serviceAccounts.Get(request)
  except exceptions.HttpError as error:
    raise iam_util.ConvertToServiceAccountException(error, args.name)
def Run(self, args):
  """Replace the IAM policy of a service account with one read from a file.

  The whole policy parsed from args.policy_file is sent through SetIamPolicy;
  nothing is merged with the existing policy here. Any etag handling for the
  parsed policy is left to iam_util.ParsePolicyFile — confirm it performs
  one if lost updates are a concern.

  Args:
    args: Command arguments; reads args.policy_file and args.name.

  Returns:
    The policy returned by SetIamPolicy.
  """
  new_policy = iam_util.ParsePolicyFile(args.policy_file,
                                        self.messages.Policy)
  request = self.messages.IamProjectsServiceAccountsSetIamPolicyRequest(
      resource=iam_util.EmailToAccountResourceName(args.name),
      setIamPolicyRequest=self.messages.SetIamPolicyRequest(
          policy=new_policy))
  return self.iam_client.projects_serviceAccounts.SetIamPolicy(request)
def Run(self, args):
  """Delete the service account named by args.name after confirmation.

  The user is prompted first; answering "no" cancels the command
  (cancel_on_no=True). On success a status line is printed.

  Args:
    args: Command arguments; reads args.name.
  """
  confirmation = 'You are about to delete service account [{0}].'.format(
      args.name)
  console_io.PromptContinue(message=confirmation, cancel_on_no=True)

  request = self.messages.IamProjectsServiceAccountsDeleteRequest(
      name=iam_util.EmailToAccountResourceName(args.name))
  self.iam_client.projects_serviceAccounts.Delete(request)

  log.status.Print('deleted service account [{0}]'.format(args.name))
def Run(self, args):
  """Update the display name of the service account in args.service_account.

  Only name and displayName are sent in the ServiceAccount message; no etag
  is fetched or supplied here.

  Args:
    args: Command arguments; reads args.service_account and
      args.display_name.

  Returns:
    The ServiceAccount returned by the IAM Update call.
  """
  client, messages = util.GetClientAndMessages()
  account = messages.ServiceAccount(
      name=iam_util.EmailToAccountResourceName(args.service_account),
      displayName=args.display_name)
  updated = client.projects_serviceAccounts.Update(account)
  log.UpdatedResource(args.service_account, kind='serviceAccount')
  return updated
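def Run(self, args):
  """Sign the JWT payload in args.input with the service account's key.

  The payload is read via self.ReadFile, signed server-side by the IAM
  SignJwt method, and the signed JWT is written to args.output. The signed
  JWT is typically presented as a bearer credential by whoever holds it, so
  the output file is written with make_private=True — the same owner-only
  permission used when a freshly created private key is written — rather
  than with the default permission.

  Args:
    args: Command arguments; reads args.iam_account, args.input and
      args.output.
  """
  request = self.messages.IamProjectsServiceAccountsSignJwtRequest(
      name=iam_util.EmailToAccountResourceName(args.iam_account),
      signJwtRequest=self.messages.SignJwtRequest(
          payload=self.ReadFile(args.input)))
  response = self.iam_client.projects_serviceAccounts.SignJwt(request)
  # Owner-only permission: the token grants access to anyone who reads it.
  self.WriteFile(args.output, response.signedJwt, make_private=True)
  log.status.Print(
      'signed jwt [{0}] as [{1}] for [{2}] using key [{3}]'.format(
          args.input, args.output, args.iam_account, response.keyId))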
def Run(self, args):
  """Replace the IAM policy of a service account with one read from a file.

  The parsed policy is sent in full through SetIamPolicy, then the change is
  logged with iam_util.LogSetIamPolicy. Any etag handling for the parsed
  policy is left to iam_util.ParsePolicyFile.

  Args:
    args: Command arguments; reads args.policy_file and
      args.service_account.

  Returns:
    The policy returned by SetIamPolicy.
  """
  client, messages = util.GetClientAndMessages()
  new_policy = iam_util.ParsePolicyFile(args.policy_file, messages.Policy)
  request = messages.IamProjectsServiceAccountsSetIamPolicyRequest(
      resource=iam_util.EmailToAccountResourceName(args.service_account),
      setIamPolicyRequest=messages.SetIamPolicyRequest(policy=new_policy))
  updated = client.projects_serviceAccounts.SetIamPolicy(request)
  iam_util.LogSetIamPolicy(args.service_account, 'service account')
  return updated
def Run(self, args):
  """Update the display name of the service account named by args.name.

  The current account is fetched first so that its etag can be sent with the
  update.

  Args:
    args: Command arguments; reads args.name and args.display_name.

  Returns:
    The ServiceAccount returned by the IAM Update call.
  """
  resource_name = iam_util.EmailToAccountResourceName(args.name)
  existing = self.iam_client.projects_serviceAccounts.Get(
      self.messages.IamProjectsServiceAccountsGetRequest(name=resource_name))
  # Carry the etag of the account we just read into the update.
  replacement = self.messages.ServiceAccount(
      name=resource_name,
      etag=existing.etag,
      displayName=args.display_name)
  updated = self.iam_client.projects_serviceAccounts.Update(replacement)
  log.UpdatedResource(args.name, kind='service account')
  return updated
def Run(self, args):
  """Sign the binary contents of args.input with the service account's key.

  The bytes are read with files.ReadBinaryFileContents, signed server-side by
  the IAM SignBlob method, and the raw signature is written (binary=True) to
  args.output or stdout.

  Args:
    args: Command arguments; reads args.iam_account, args.input and
      args.output.
  """
  client, messages = util.GetClientAndMessages()
  blob = files.ReadBinaryFileContents(args.input)
  request = messages.IamProjectsServiceAccountsSignBlobRequest(
      name=iam_util.EmailToAccountResourceName(args.iam_account),
      signBlobRequest=messages.SignBlobRequest(bytesToSign=blob))
  response = client.projects_serviceAccounts.SignBlob(request)
  log.WriteToFileOrStdout(
      args.output, content=response.signature, binary=True)
  log.status.Print(
      'signed blob [{0}] as [{1}] for [{2}] using key [{3}]'.format(
          args.input, args.output, args.iam_account, response.keyId))
def Run(self, args):
  """Replace the IAM policy of a service account with one read from a file.

  The JSON policy parsed from args.policy_file is sent in full through
  SetIamPolicy. No etag check is done in this block; if the parsed policy
  lacks one, a concurrent policy change may be overwritten.

  Args:
    args: Command arguments; reads args.policy_file and args.account.

  Returns:
    The policy returned by SetIamPolicy.

  Raises:
    The exception produced by iam_util.ConvertToServiceAccountException when
    the IAM API returns an HttpError.
  """
  try:
    new_policy = iam_util.ParseJsonPolicyFile(args.policy_file,
                                              self.messages.Policy)
    request = self.messages.IamProjectsServiceAccountsSetIamPolicyRequest(
        resource=iam_util.EmailToAccountResourceName(args.account),
        setIamPolicyRequest=self.messages.SetIamPolicyRequest(
            policy=new_policy))
    return self.iam_client.projects_serviceAccounts.SetIamPolicy(request)
  except exceptions.HttpError as error:
    raise iam_util.ConvertToServiceAccountException(error, args.account)
def Run(self, args):
  """Sign the JWT payload in args.input with the service account's key.

  The payload is read with files.ReadFileContents, signed server-side by the
  IAM SignJwt method, and the signed JWT is written to args.output or stdout
  with private=True so the file is not world-readable.

  Args:
    args: Command arguments; reads args.iam_account, args.input and
      args.output.
  """
  client, messages = util.GetClientAndMessages()
  payload = files.ReadFileContents(args.input)
  request = messages.IamProjectsServiceAccountsSignJwtRequest(
      name=iam_util.EmailToAccountResourceName(args.iam_account),
      signJwtRequest=messages.SignJwtRequest(payload=payload))
  response = client.projects_serviceAccounts.SignJwt(request)
  # The signed token is a credential for its holder: keep the file private.
  log.WriteToFileOrStdout(
      args.output, content=response.signedJwt, binary=False, private=True)
  log.status.Print(
      'signed jwt [{0}] as [{1}] for [{2}] using key [{3}]'.format(
          args.input, args.output, args.iam_account, response.keyId))
def Run(self, args):
  """List the keys of the service account in args.iam_account.

  Keys are filtered server-side by the key types derived from
  args.managed_by; when args.created_before is set they are additionally
  filtered client-side, keeping only keys whose validAfterTime parses to a
  datetime earlier than that cutoff.

  Args:
    args: Command arguments; reads args.iam_account, args.managed_by and
      args.created_before.

  Returns:
    The (possibly filtered) list of keys.
  """
  request = self.messages.IamProjectsServiceAccountsKeysListRequest(
      name=iam_util.EmailToAccountResourceName(args.iam_account),
      keyTypes=iam_util.ManagedByFromString(args.managed_by))
  response = self.iam_client.projects_serviceAccounts_keys.List(request)
  keys = response.keys
  if not args.created_before:
    return keys
  cutoff = args.created_before
  return [
      key for key in keys
      if times.ParseDateTime(key.validAfterTime) < cutoff
  ]
def Run(self, args):
  """Update the display name of the service account named by args.name.

  The current account is fetched first so that its etag can be sent with the
  update; an HttpError from either call is converted into a
  service-account-specific exception.

  Args:
    args: Command arguments; reads args.name and args.display_name.

  Returns:
    The ServiceAccount returned by the IAM Update call.

  Raises:
    The exception produced by iam_util.ConvertToServiceAccountException when
    the IAM API returns an HttpError.
  """
  try:
    resource_name = iam_util.EmailToAccountResourceName(args.name)
    existing = self.iam_client.projects_serviceAccounts.Get(
        self.messages.IamProjectsServiceAccountsGetRequest(
            name=resource_name))
    # Carry the etag of the account we just read into the update.
    replacement = self.messages.ServiceAccount(
        name=resource_name,
        etag=existing.etag,
        displayName=args.display_name)
    updated = self.iam_client.projects_serviceAccounts.Update(replacement)
    log.UpdatedResource(args.name, kind='service account')
    return updated
  except exceptions.HttpError as error:
    raise iam_util.ConvertToServiceAccountException(error, args.name)
def Run(self, args):
  """Delete the service account named by args.account after confirmation.

  The user is prompted first; answering "no" cancels the command
  (cancel_on_no=True). An HttpError from the delete is converted into a
  service-account-specific exception.

  Args:
    args: Command arguments; reads args.account.

  Raises:
    The exception produced by iam_util.ConvertToServiceAccountException when
    the IAM API returns an HttpError.
  """
  try:
    confirmation = 'You are about to delete service account [{0}].'.format(
        args.account)
    console_io.PromptContinue(message=confirmation, cancel_on_no=True)
    request = self.messages.IamProjectsServiceAccountsDeleteRequest(
        name=iam_util.EmailToAccountResourceName(args.account))
    self.iam_client.projects_serviceAccounts.Delete(request)
    log.status.Print(
        'deleted service account [{0}]'.format(args.account))
  except exceptions.HttpError as error:
    raise iam_util.ConvertToServiceAccountException(error, args.account)
def _CreateRequest(args, messages):
  """Build the IdentityBindings Create request for a service account.

  The binding pairs an OIDC identity-provider reference (issuer URL,
  audience and maximum token lifetime) with an acceptance filter and a CEL
  attribute translator encoded by _EncodeAttributeTranslatorCEL.

  Args:
    args: Command arguments; reads args.acceptance_filter,
      args.attribute_translator_cel, args.oidc_audience,
      args.oidc_max_token_lifetime, args.oidc_issuer_url and
      args.service_account.
    messages: The IAM messages module used to construct the request.

  Returns:
    An IamProjectsServiceAccountsIdentityBindingsCreateRequest addressed to
    the service account's resource name.
  """
  oidc_reference = messages.IDPReferenceOIDC(
      audience=args.oidc_audience,
      maxTokenLifetimeSeconds=args.oidc_max_token_lifetime,
      url=args.oidc_issuer_url,
  )
  binding_request = messages.CreateServiceAccountIdentityBindingRequest(
      acceptanceFilter=args.acceptance_filter,
      cel=_EncodeAttributeTranslatorCEL(args.attribute_translator_cel,
                                        messages),
      oidc=oidc_reference,
  )
  return messages.IamProjectsServiceAccountsIdentityBindingsCreateRequest(
      createServiceAccountIdentityBindingRequest=binding_request,
      name=iam_util.EmailToAccountResourceName(args.service_account))
def Run(self, args):
  """Create a new key for the service account in args.iam_account.

  The private key type is derived from args.key_file_type. The returned
  privateKeyData is written to args.output with make_private=True so only the
  creating user can read the file, then a status line names the new key.

  Args:
    args: Command arguments; reads args.iam_account, args.key_file_type and
      args.output.
  """
  key_type = iam_util.KeyTypeToCreateKeyType(
      iam_util.KeyTypeFromString(args.key_file_type))
  request = self.messages.IamProjectsServiceAccountsKeysCreateRequest(
      name=iam_util.EmailToAccountResourceName(args.iam_account),
      createServiceAccountKeyRequest=(
          self.messages.CreateServiceAccountKeyRequest(
              privateKeyType=key_type)))
  created = self.iam_client.projects_serviceAccounts_keys.Create(request)
  # Only the creating user has access. Set file permission to "-rw-------".
  self.WriteFile(args.output, created.privateKeyData, make_private=True)
  log.status.Print(
      'created key [{0}] of type [{1}] as [{2}] for [{3}]'.format(
          iam_util.GetKeyIdFromResourceName(created.name),
          iam_util.KeyTypeToString(created.privateKeyType),
          args.output,
          args.iam_account))
def SignBlob(self, service_account, bytes_to_sign):
  """Signs a string with the private key of the provided service account.

  The signing happens server-side through the IAM SignBlob method; only the
  signature field of the response is returned, the key id is discarded.

  Args:
    service_account: The string email of a service account that has
      permissions to sign a blob.
    bytes_to_sign: The byte-string to sign.

  Returns:
    A byte-string signature of the provided blob, signed by the provided
    service account.
  """
  messages = self._iam_client.MESSAGES_MODULE
  request = messages.IamProjectsServiceAccountsSignBlobRequest(
      name=iam_util.EmailToAccountResourceName(service_account),
      signBlobRequest=messages.SignBlobRequest(bytesToSign=bytes_to_sign))
  signed = self._iam_client.projects_serviceAccounts.SignBlob(request)
  return signed.signature
def Run(self, args):
  """Replace the IAM policy of a service account with one read from a file.

  If the parsed JSON policy has no etag the user is warned that the write
  cannot be tied to a specific policy version and asked to confirm;
  declining cancels the command (cancel_on_no=True). An HttpError from the
  IAM call is converted into a service-account-specific exception.

  Args:
    args: Command arguments; reads args.policy_file and args.account.

  Returns:
    The policy returned by SetIamPolicy.

  Raises:
    The exception produced by iam_util.ConvertToServiceAccountException when
    the IAM API returns an HttpError.
  """
  try:
    new_policy = iam_util.ParseJsonPolicyFile(args.policy_file,
                                              self.messages.Policy)
    if not new_policy.etag:
      # Without an etag the server cannot detect a concurrent edit.
      warning = ('The specified policy does not contain an "etag" field '
                 'identifying a specific version to replace. Changing a '
                 'policy without an "etag" can overwrite concurrent policy '
                 'changes.')
      console_io.PromptContinue(
          message=warning,
          prompt_string='Replace existing policy',
          cancel_on_no=True)
    request = self.messages.IamProjectsServiceAccountsSetIamPolicyRequest(
        resource=iam_util.EmailToAccountResourceName(args.account),
        setIamPolicyRequest=self.messages.SetIamPolicyRequest(
            policy=new_policy))
    return self.iam_client.projects_serviceAccounts.SetIamPolicy(request)
  except exceptions.HttpError as error:
    raise iam_util.ConvertToServiceAccountException(error, args.account)
def Run(self, args):
  """Fetch the service account named by args.name.

  Args:
    args: Command arguments; reads args.name.

  Returns:
    The ServiceAccount returned by the IAM Get call.
  """
  # TODO(b/25212870): use resource parsing.
  request = self.messages.IamProjectsServiceAccountsGetRequest(
      name=iam_util.EmailToAccountResourceName(args.name))
  return self.iam_client.projects_serviceAccounts.Get(request)
def Run(self, args):
  """List the identity bindings of the service account in args.service_account.

  Args:
    args: Command arguments; reads args.service_account.

  Returns:
    The response of the IdentityBindings List call.
  """
  client, messages = util.GetClientAndMessages()
  resource_name = iam_util.EmailToAccountResourceName(args.service_account)
  request = messages.IamProjectsServiceAccountsIdentityBindingsListRequest(
      name=resource_name)
  return client.projects_serviceAccounts_identityBindings.List(request)
def Run(self, args):
  """Return the IAM policy of the service account in args.service_account.

  NOTE(review): no options_requestedPolicyVersion is passed here, unlike the
  variant of this command that requests
  iam_util.MAX_LIBRARY_IAM_SUPPORTED_VERSION; confirm what the API returns
  for a policy holding conditional bindings.

  Args:
    args: Command arguments; reads args.service_account.

  Returns:
    The policy returned by GetIamPolicy.
  """
  client, messages = util.GetClientAndMessages()
  resource = iam_util.EmailToAccountResourceName(args.service_account)
  request = messages.IamProjectsServiceAccountsGetIamPolicyRequest(
      resource=resource)
  return client.projects_serviceAccounts.GetIamPolicy(request)
def GetServiceAccount(service_account):
  """Gets the service account given its email.

  Args:
    service_account: The email of the service account to fetch.

  Returns:
    The ServiceAccount returned by the IAM Get call.
  """
  client, messages = iam_api.GetClientAndMessages()
  request = messages.IamProjectsServiceAccountsGetRequest(
      name=iam_util.EmailToAccountResourceName(service_account))
  return client.projects_serviceAccounts.Get(request)
def Run(self, args):
  """Return the IAM policy of the service account in args.service_account.

  NOTE(review): no options_requestedPolicyVersion is passed here, unlike the
  variant of this command that requests
  iam_util.MAX_LIBRARY_IAM_SUPPORTED_VERSION; confirm what the API returns
  for a policy holding conditional bindings.

  Args:
    args: Command arguments; reads args.service_account.

  Returns:
    The policy returned by GetIamPolicy.
  """
  resource = iam_util.EmailToAccountResourceName(args.service_account)
  request = self.messages.IamProjectsServiceAccountsGetIamPolicyRequest(
      resource=resource)
  return self.iam_client.projects_serviceAccounts.GetIamPolicy(request)