 def testPubsubAdminCountsForPubsubEditor(self):
     """An account holding pubsub.admin is not re-bound to pubsub.editor.

     Role satisfaction is therefore not a plain string match against the
     recommended list: the broader role already held is accepted, and no
     bind call is issued.
     """
     self.get_roles.return_value = {'roles/pubsub.admin'}
     recommended = ['roles/pubsub.editor']
     iam_util.PrintOrBindMissingRolesWithPrompt(
         self.service_account_ref, recommended, True)
     # Roles are read exactly once for this account and nothing is bound.
     self.get_roles.assert_called_once_with(self.service_account_ref)
     self.bind_roles.assert_not_called()
 def testRolesNeedBindingNoPrompt(self):
     """Only the recommended roles not already held get bound.

     With binding allowed (third argument True) and no prompt configured,
     the helper binds exactly the missing subset and does not re-bind
     role1, which the account already has.
     """
     held = {'roles/role1', 'roles/role2'}
     recommended = ['roles/role1', 'roles/role3']
     self.get_roles.return_value = held
     iam_util.PrintOrBindMissingRolesWithPrompt(
         self.service_account_ref, recommended, True)
     self.get_roles.assert_called_once_with(self.service_account_ref)
     # Exactly one bind call, carrying only the missing role.
     self.bind_roles.assert_called_once_with(self.service_account_ref,
                                             {'roles/role3'})
 def accountHasOwnerRole(self):
     """An account holding roles/owner is not bound to pubsub.editor.

     Owner is treated as covering the recommended role, so no (redundant)
     binding is added to an already fully-privileged account.
     """
     # NOTE(review): this method has no `test` prefix, so the default
     # unittest loader will not collect it and the owner-covers-editor
     # behaviour is effectively unverified until it is renamed
     # (e.g. testAccountHasOwnerRole).
     self.get_roles.return_value = {'roles/owner'}
     recommended = ['roles/pubsub.editor']
     iam_util.PrintOrBindMissingRolesWithPrompt(
         self.service_account_ref, recommended, True)
     self.get_roles.assert_called_once_with(self.service_account_ref)
     self.bind_roles.assert_not_called()
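 def testRolesNeedBindingOnlyPrintsWhenToldNotToBind(self):
     """With binding disabled, missing roles are reported but never bound.

     The third argument (False) is the "print only" mode: the helper must
     not grant any role to the account, and must tell the user which
     recommended roles are missing on stderr.
     """
     self.get_roles.return_value = {'roles/role1', 'roles/role2'}
     iam_util.PrintOrBindMissingRolesWithPrompt(
         self.service_account_ref, ['roles/role1', 'roles/role3'], False)
     self.get_roles.assert_called_once_with(self.service_account_ref)
     self.bind_roles.assert_not_called()
     # normalize_space belongs to AssertErrContains, not to str.format: as a
     # format kwarg it was silently ignored (no matching placeholder) and the
     # stderr match was whitespace-exact, unlike the sibling prompt test.
     self.AssertErrContains(
         'Service account [{}] is missing the following recommended roles:\n'
         '- roles/role3'.format(self.email),
         normalize_space=True)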
    def testRolesNeedBindingWithPrompt(self):
        """When prompting is possible, the missing roles are listed then bound.

        Two recommended roles are absent; both are reported on stderr and
        both are passed to a single bind call. The already-held role1 is
        neither listed nor re-bound.
        """
        self.can_prompt.return_value = True
        self.get_roles.return_value = {'roles/role1', 'roles/role2'}

        recommended = ['roles/role1', 'roles/role3', 'roles/role4']
        iam_util.PrintOrBindMissingRolesWithPrompt(
            self.service_account_ref, recommended, True)

        self.get_roles.assert_called_once_with(self.service_account_ref)
        missing = {'roles/role3', 'roles/role4'}
        self.bind_roles.assert_called_once_with(self.service_account_ref,
                                                missing)
        expected_message = (
            'Service account [{}] is missing the following recommended roles:\n'
            '- roles/role3\n'
            '- roles/role4\n').format(self.email)
        self.AssertErrContains(expected_message, normalize_space=True)
def _ConfigureServiceAccount(sa_config, client, args):
    """Sets up one eventing service account: roles, then a key in the cluster.

    Args:
      sa_config: Account descriptor; reads `arg_name`,
        `default_service_account`, `display_name`, `description`,
        `recommended_roles` and `secret_name`.
      client: Used to create or replace the cluster secret holding the key.
      args: Parsed command-line args; `sa_config.arg_name` may name a
        user-supplied service account email.

    Side effects:
      Resolves (via GetOrCreateServiceAccountWithPrompt) the default account
      when the user did not supply one, prints or binds the recommended IAM
      roles, and creates a NEW service account key that is stored as a
      cluster secret in the control-plane namespace. The user is prompted
      (when prompting is possible) before the key is created.
      NOTE(review): that key is a credential materialized into the cluster;
      presumably user-managed and non-expiring — worth confirming how it is
      rotated/revoked when the secret is replaced.
    """
    log.status.Print('Configuring service account for {}.'.format(
        sa_config.description))

    # Whether the user left the account choice to us. This also gates role
    # binding below: we only grant roles to the account we picked ourselves.
    use_default_account = not args.IsSpecified(sa_config.arg_name)
    if use_default_account:
        sa_email = iam_util.GetOrCreateServiceAccountWithPrompt(
            sa_config.default_service_account, sa_config.display_name,
            sa_config.description)
    else:
        sa_email = getattr(args, sa_config.arg_name)

    # A user-supplied account may live in another project, so the ref is
    # parsed with a wildcard projectsId ('-') and we can still obtain a key
    # for it. The role helper below works against the current project and is
    # not impeded by this project-less ref.
    service_account_ref = resources.REGISTRY.Parse(
        sa_email,
        params={'projectsId': '-'},
        collection=core_iam_util.SERVICE_ACCOUNTS_COLLECTION)

    # For a user-supplied account, missing recommended roles are only
    # printed, never bound.
    iam_util.PrintOrBindMissingRolesWithPrompt(
        service_account_ref, sa_config.recommended_roles, use_default_account)

    secret_ref = resources.REGISTRY.Parse(
        sa_config.secret_name,
        params={'namespacesId': _CONTROL_PLANE_NAMESPACE},
        collection='run.api.v1.namespaces.secrets',
        api_version='v1')

    # Key creation is the one step the user gets to veto interactively.
    _PromptIfCanPrompt(
        'This will create a new key for the service account [{}].'.format(
            sa_email))
    _, key_ref = client.CreateOrReplaceServiceAccountSecret(
        secret_ref, service_account_ref)
    log.status.Print('Added key [{}] to cluster for [{}].'.format(
        key_ref.Name(), sa_email))

    log.status.Print('Finished configuring service account for {}.\n'.format(
        sa_config.description))
def _configure_service_account_roles(sa_config, gsa_emails):
    """Prints or binds the recommended IAM roles for one eventing account.

    Args:
      sa_config: Account descriptor; provides `description` and
        `recommended_roles`, and is the key into `gsa_emails`.
      gsa_emails: Mapping from descriptor to an entry exposing `.email`
        (the service account email) and `.is_default`.

    Roles are bound automatically only when the entry is the default
    account (`is_default`); otherwise the missing roles are just printed,
    so a user-supplied account is never silently granted new roles.
    """
    gsa = gsa_emails[sa_config]

    log.status.Print('Configuring service account for {}.'.format(
        sa_config.description))

    # The account may belong to a different project, so the ref carries a
    # wildcard projectsId ('-'). The role helper operates on the current
    # project and is not impeded by this project-less ref.
    service_account_ref = resources.REGISTRY.Parse(
        gsa.email,
        params={'projectsId': '-'},
        collection=core_iam_util.SERVICE_ACCOUNTS_COLLECTION)

    iam_util.PrintOrBindMissingRolesWithPrompt(
        service_account_ref, sa_config.recommended_roles, gsa.is_default)
 def testHasAllRoles(self):
     """Nothing is bound when every recommended role is already held."""
     self.get_roles.return_value = {'roles/role1', 'roles/role2'}
     recommended = ['roles/role1']
     iam_util.PrintOrBindMissingRolesWithPrompt(
         self.service_account_ref, recommended, True)
     # The roles are read once; extra held roles do not trigger a bind.
     self.get_roles.assert_called_once_with(self.service_account_ref)
     self.bind_roles.assert_not_called()