def Args(parser):
parser.add_argument('--key-file-type',
choices=['json', 'p12'],
default='json',
help='The type of key to create.')
parser.add_argument('--iam-account',
required=True,
type=iam_util.GetIamAccountFormatValidator(),
help="""\
The service account for which to create a key.
To list all service accounts in the project, run:
$ gcloud iam service-accounts list
""")
parser.add_argument(
'output',
metavar='OUTPUT-FILE',
type=iam_util.GetIamOutputFileValidator(),
help='The path where the resulting private key should '
'be written. File system write permission will be '
'checked on the specified path prior to the key '
'creation.')
def AddBrokerServiceAccountFlag(parser):
"""Adds broker service account flag."""
parser.add_argument(
'--broker-service-account',
type=core_iam_util.GetIamAccountFormatValidator(),
help='Email address of an existing events broker IAM service account. '
'If no service account is provided, a default service account ({}) will '
'be created.'.format(iam_util.EVENTS_BROKER_SERVICE_ACCOUNT))
def Args(parser):
parser.add_argument('--iam-account',
required=True,
type=iam_util.GetIamAccountFormatValidator(),
help='The service account whose key to '
'delete.')
parser.add_argument('key', metavar='KEY-ID', help='The key to delete.')
def AddSourcesServiceAccountFlag(parser):
"""Adds sources service account flag."""
parser.add_argument(
'--sources-service-account',
type=core_iam_util.GetIamAccountFormatValidator(),
help='Email address of an existing events sources IAM service account. '
'If no service account is provided, a default service account ({}) will '
'be created.'.format(events_constants.EVENTS_SOURCES_SERVICE_ACCOUNT))
def AddServiceAccountFlag(parser):
"""Adds service account flag."""
parser.add_argument(
'--service-account',
required=True,
type=iam_util.GetIamAccountFormatValidator(),
help='Email address of an IAM service account which represents the '
'identity of the internal events operator.')
def AddServiceAccountFlag(parser):
"""Adds service account flag."""
parser.add_argument(
'--service-account',
type=core_iam_util.GetIamAccountFormatValidator(),
help='Email address of an existing IAM service account which '
'represents the identity of the internal events operator. If no '
'service account is provided, a default service account ({}) will be '
'created.'.format(iam_util.DEFAULT_EVENTS_SERVICE_ACCOUNT))
def Args(parser):
parser.add_argument('binding_id',
metavar='BINDING-ID',
help='The ID of the identity binding.')
parser.add_argument(
'--service-account',
required=True,
type=iam_util.GetIamAccountFormatValidator(),
help='The service account with the identity binding.')
def Args(parser):
parser.add_argument('--iam-account',
required=True,
type=iam_util.GetIamAccountFormatValidator(),
help="""\
The service account from which to delete a key.
To list all service accounts in the project, run:
$ gcloud iam service-accounts list
""")
parser.add_argument('key', metavar='KEY-ID', help='The key to delete.')
def Args(parser):
parser.add_argument('--key-file-type',
choices=['json', 'p12'],
default='json',
help='The type of key to create.')
parser.add_argument('--iam-account',
required=True,
type=iam_util.GetIamAccountFormatValidator(),
help='The service account for which to create a key.')
parser.add_argument('output',
metavar='OUTPUT-FILE',
help='The path where the resulting private key should '
'be written.')
def Args(parser):
parser.add_argument('key', metavar='KEY-ID', help='The key to get.')
parser.add_argument('--output-file',
required=True,
help='The output file to write the public key.')
parser.add_argument('--iam-account',
required=True,
type=iam_util.GetIamAccountFormatValidator(),
help='A textual name to display for the account.')
parser.add_argument('--type',
choices=['pem', 'raw'],
default='pem',
help='The type of the public key to get.')
parser.display_info.AddFormat(iam_util.SERVICE_ACCOUNT_KEY_FORMAT)
def Args(parser):
parser.add_argument('--managed-by',
choices=['user', 'system', 'any'],
default='any',
help='The types of keys to list.')
parser.add_argument(
'--created-before',
type=arg_parsers.Datetime.Parse,
help=('Return only keys created before the specified time. '
'Common time formats are accepted. This is equivalent to '
'--filter="validAfterTime<DATE_TIME".'))
parser.add_argument('--iam-account',
required=True,
type=iam_util.GetIamAccountFormatValidator(),
help='A textual name to display for the account.')
parser.display_info.AddFormat(iam_util.SERVICE_ACCOUNT_KEY_FORMAT)
def Args(parser):
parser.add_argument(
'--service-account',
required=True,
type=iam_util.GetIamAccountFormatValidator(),
help='The service account for which to create an identity binding.'
)
parser.add_argument('--acceptance-filter',
default=None,
help="""\
A CEL expression that is evaluated to determine whether a credential
should be accepted. To accept any credential, specify
`--acceptance-filter=true`.
This field supports a subset of the CEL functionality to select fields
and evaluate boolean expressions based on the input (no functions or
arithmetics). See
link:https://github.com/google/cel-spec[the CEL specification] for more
details.
The values for input claims are available using
``inclaim.attribute_name'' or ``inclaim["attribute_name"]''.
The values for output attributes calculated by the translator are
available using ``outclaim.attribute_name'' or
``outclaim["attribute_name"]''.
""")
parser.add_argument('--attribute-translator-cel',
type=arg_parsers.ArgDict(min_length=1),
default={},
metavar='OUT_ATTR=IN_ATTR',
action=arg_parsers.StoreOnceAction,
help="""\
Specifies a list of output attribute names and the corresponding input
attribute to use for that output attribute. Each defined output
attribute is populated with the value of the specified input attribute.
Each entry specifies the desired output attribute and a CEL field
selector expression for the corresponding input to read.
This field supports a subset of the CEL functionality to select fields
from the input (no boolean expressions, functions or arithmetics).
Output attributes must match `(google.sub|[a-z_][a-z0-9_]*)`.
The output attribute google.sub is interpreted to be the "identity" of
the requesting user.
For example, to copy the inbound attribute "sub" into the output
"google.sub" add the translation google.sub -> inclaim.sub (or
google.sub -> inclaim["sub"]). For example:
``--attribute-translator-cel="google.sub=inclaim.sub"''
See link:https://github.com/google/cel-spec[the CEL specification] for
more details.
If the input does not exist the output attribute will be null.
""")
oidc_group = parser.add_group(help='OIDC Identity Provider')
oidc_group.add_argument('--oidc-issuer-url',
required=True,
help='The OpenID Provider Issuer URL.')
oidc_group.add_argument(
'--oidc-audience',
default=None,
help='The acceptable audience. '
'Default is the numeric ID of the service account.')
oidc_group.add_argument(
'--oidc-max-token-lifetime',
default=None,
type=arg_parsers.BoundedInt(1), # Must be > 0
help='The maximum lifetime for tokens, in seconds. '
'The default is 3600 (1 hour).')
NETWORK = base.Argument('--network',
help="""\
Full name of the Google Compute Engine
network (https://cloud.google.com/vpc/docs) to which the Job
is peered with. For example, ``projects/12345/global/networks/myVPC''. The
format is of the form projects/{project}/global/networks/{network}, where
{project} is a project number, as in '12345', and {network} is network name.
Private services access must already have been configured
(https://cloud.google.com/vpc/docs/configure-private-services-access)
for the network. If unspecified, the Job is not peered with any network.
""")
TRAINING_SERVICE_ACCOUNT = base.Argument(
'--service-account',
type=core_iam_util.GetIamAccountFormatValidator(),
required=False,
help=textwrap.dedent("""\
The email address of a service account to use when running the
training appplication. You must have the `iam.serviceAccounts.actAs`
permission for the specified service account. In addition, the AI Platform
Training Google-managed service account must have the
`roles/iam.serviceAccountAdmin` role for the specified service account.
[Learn more about configuring a service
account.](/ai-platform/training/docs/custom-service-account)
If not specified, the AI Platform Training Google-managed service account
is used by default.
"""))
def GetModuleNameFlag(required=True):
def Args(parser):
parser.add_argument(
'--service-account',
required=True,
type=iam_util.GetIamAccountFormatValidator(),
help='The service account to list identity bindings for.')
def RunSubTest(self, name):
return iam_util.GetIamAccountFormatValidator()(name)
