def CheckServiceAccountPermission(unused_repo_ref, repo_args, request):
    """Checks and grants key encrypt/decrypt permission for service account.

    Reads the IAM policy of the CMEK key named in ``repo_args.kms_key`` and
    looks for a binding that gives the Artifact Registry service account
    (derived from the project number) either the Cloud KMS CryptoKey
    Encrypter/Decrypter role or the Owner role. When no such binding exists
    the user is asked to confirm, and the encrypter/decrypter role is granted;
    declining the prompt cancels the operation. With no ``kms_key`` set the
    request is returned untouched.

    Only the key-level policy is inspected, so a grant inherited from the key
    ring or project is not detected here and the prompt is shown anyway. A
    binding carrying an IAM condition is counted as a grant without the
    condition being evaluated.

    Args:
      unused_repo_ref: Repo reference input (not used).
      repo_args: User input arguments; ``kms_key`` is the CMEK key resource.
      request: Create repository request.

    Returns:
      Create repository request, unchanged.

    Raises:
      ar_exceptions.ArtifactRegistryError: if Cloud KMS answers the policy
        update with HTTP 400, which is taken to mean the service account does
        not exist (the key itself was already resolved by the policy read).
    """
    if not repo_args.kms_key:
        return request

    project_num = project_util.GetProjectNumber(GetProject(repo_args))
    # IAM member strings carry the "serviceAccount:" prefix.
    member = "serviceAccount:" + _AR_SERVICE_ACCOUNT.format(
        project_num=project_num)
    accepted_roles = ("roles/cloudkms.cryptoKeyEncrypterDecrypter",
                      "roles/owner")

    policy = ar_requests.GetCryptoKeyPolicy(repo_args.kms_key)
    already_granted = any(
        member in binding.members and binding.role in accepted_roles
        for binding in policy.bindings)
    if already_granted:
        return request

    # cancel_on_no=True: a "no" answer aborts the whole command here.
    console_io.PromptContinue(
        prompt_string=(
            "\nGrant the Artifact Registry Service Account "
            "permission to encrypt/decrypt with the selected key [{key_name}]"
            .format(key_name=repo_args.kms_key)),
        cancel_on_no=True,
        cancel_string=(
            "The Artifact Registry Service Account needs permissions to "
            "encrypt/decrypt on the selected key.\n"
            "Learn more: https://cloud.google.com/artifact-registry/docs/cmek"
        ))
    try:
        ar_requests.AddCryptoKeyPermission(repo_args.kms_key, member)
    except apitools_exceptions.HttpBadRequestError:
        # The key exists (its policy was just read), so a 400 on the policy
        # update is attributed to the service account rather than the key.
        msg = (
            "The Artifact Registry service account may not exist, please "
            "create the service account.\nLearn more: "
            "https://cloud.google.com/artifact-registry/docs/cmek")
        raise ar_exceptions.ArtifactRegistryError(msg)

    log.status.Print(
        "Added Cloud KMS CryptoKey Encrypter/Decrypter Role to [{key_name}]"
        .format(key_name=repo_args.kms_key))
    return request
def CheckServiceAccountPermission(response, args):
    """Checks and grants key encrypt/decrypt permission for service account.

    Reads the IAM policy of the CMEK key named in ``args.kms_key`` and looks
    for a binding that gives the Artifact Registry service account (derived
    from the project number) either the Cloud KMS CryptoKey
    Encrypter/Decrypter role or the Owner role. When no such binding exists
    the user is asked whether to grant the encrypter/decrypter role; a "no"
    answer only logs a pointer to the documentation and leaves the response
    as it is. With no ``kms_key`` set the response is returned untouched.

    Only the key-level policy is inspected, so a grant inherited from the key
    ring or project is not detected here and the prompt is shown anyway. A
    binding carrying an IAM condition is counted as a grant without the
    condition being evaluated.

    Args:
      response: Create repository response.
      args: User input arguments; ``kms_key`` is the CMEK key resource.

    Returns:
      Create repository response, unchanged.
    """
    if not args.kms_key:
        return response

    project_num = project_util.GetProjectNumber(GetProject(args))
    # NOTE(review): the member is compared against binding.members as-is, so
    # _AR_SERVICE_ACCOUNT is presumably already a full IAM member string
    # (with its "serviceAccount:" prefix) — confirm; a mismatch would make
    # the check never succeed and the prompt always appear.
    member = _AR_SERVICE_ACCOUNT.format(project_num=project_num)
    accepted_roles = ("roles/cloudkms.cryptoKeyEncrypterDecrypter",
                      "roles/owner")

    policy = ar_requests.GetCryptoKeyPolicy(args.kms_key)
    already_granted = any(
        member in binding.members and binding.role in accepted_roles
        for binding in policy.bindings)
    if already_granted:
        return response

    # cancel_on_no=False: declining does not abort the command, it just
    # skips the grant.
    wants_grant = console_io.PromptContinue(
        prompt_string=(
            "\nDo you want to grant the Artifact Registry Service Account "
            "permission to encrypt/decrypt with the selected key [{key_name}]"
            .format(key_name=args.kms_key)),
        cancel_on_no=False)
    if not wants_grant:
        log.status.Print(
            "Note: You will need to grant the Artifact Registry Service "
            "Account permissions to encrypt/decrypt on the selected key.\n"
            "Learn more: https://cloud.google.com/artifact-registry/docs/cmek"
        )
        return response

    ar_requests.AddCryptoKeyPermission(args.kms_key, member)
    log.status.Print(
        "Added Cloud KMS CryptoKey Encrypter/Decrypter Role to [{key_name}]"
        .format(key_name=args.kms_key))
    return response