def add_bucket_iams(info, client, bucket_name, service_account):
  """Grant bucket IAM access to the CC'ed users and the service account.

  Args:
    info: Issue/job information handed to `_add_users_to_bucket`, which
      decides which user members to add.
    client: Discovery storage client used for the IAM read/write calls.
    bucket_name: Name of the bucket whose IAM policy is updated.
    service_account: Service account handed to `_set_bucket_service_account`.

  Returns:
    None. If the current policy cannot be fetched (falsy result), nothing is
    changed.
  """
  policy = storage.get_bucket_iam_policy(client, bucket_name)
  if not policy:
    # Without the current policy we cannot safely compute the new one.
    return

  # Users first, then the service account; the second step receives the
  # policy returned by the first so both sets of members end up in one write.
  updated_policy = _add_users_to_bucket(info, client, bucket_name, policy)
  _set_bucket_service_account(service_account, client, bucket_name,
                              updated_policy)
def add_service_account_to_bucket(client, bucket_name, service_account, role):
  """Grant `role` on a bucket (e.g. the gcr.io images bucket) to a service account.

  Args:
    client: Discovery storage client used for the IAM read/write calls.
    bucket_name: Name of the bucket whose IAM policy is updated.
    service_account: Mapping with an 'email' key identifying the account.
    role: IAM role whose binding receives the new member.

  Returns:
    None. Nothing is written when the policy cannot be fetched or when the
    member is already present in the role's binding.
  """
  policy = storage.get_bucket_iam_policy(client, bucket_name)
  if not policy:
    return

  member = 'serviceAccount:' + service_account['email']
  role_binding = storage.get_or_create_bucket_iam_binding(policy, role)
  members = role_binding['members']

  # Avoid a redundant policy write (and a duplicate member) when the account
  # already holds the role.
  if member not in members:
    members.append(member)
    storage.set_bucket_iam_policy(client, bucket_name, policy)
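def create_data_bundle_bucket_and_iams(data_bundle_name, emails):
  """Create the data bundle bucket and grant its default role to allowed members.

  The members granted DATA_BUNDLE_DEFAULT_BUCKET_IAM_ROLE are every domain in
  the AuthConfig 'whitelisted_domains' list plus every user email in `emails`.
  Note that an existing binding for that role has its member list *replaced*,
  not extended, so members granted out-of-band are dropped on each call.

  Args:
    data_bundle_name: Data bundle whose bucket name is derived via
      `get_data_bundle_bucket_name`.
    emails: Iterable of user email addresses to grant access to.

  Returns:
    True if the bucket exists and the IAM policy is set (or no members needed
    adding); False if bucket creation or the IAM fetch/set fails.
  """
  bucket_name = get_data_bundle_bucket_name(data_bundle_name)
  if not storage.create_bucket_if_needed(bucket_name):
    return False

  client = storage.create_discovery_storage_client()
  iam_policy = storage.get_bucket_iam_policy(client, bucket_name)
  if not iam_policy:
    return False

  # Access for the domains allowed in the project, then for the explicitly
  # provided emails.
  domains = local_config.AuthConfig().get('whitelisted_domains', default=[])
  members = ['domain:%s' % domain for domain in domains]
  members.extend('user:%s' % email for email in emails)

  if not members:
    # No members to add, bail out.
    return True

  binding = storage.get_bucket_iam_binding(iam_policy,
                                           DATA_BUNDLE_DEFAULT_BUCKET_IAM_ROLE)
  if binding:
    binding['members'] = members
  else:
    binding = {
        'role': DATA_BUNDLE_DEFAULT_BUCKET_IAM_ROLE,
        'members': members,
    }
    # A policy without any bindings has no 'bindings' list yet; create it
    # rather than failing with a KeyError.
    iam_policy.setdefault('bindings', []).append(binding)

  return bool(storage.set_bucket_iam_policy(client, bucket_name, iam_policy))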