def validate_arguments(args):
    """Abort the run when the role inputs on *args* cannot be used.

    Two checks are made; each logs an error and exits with status 1 when it
    fails:

    * ``args.roles_file``, when given, must exist as a file.
    * every name in the comma-separated ``args.custom_roles``, when given,
      must already exist as an organization-level custom role under
      ``args.organization_id``.

    Args:
        args: Parsed command-line arguments exposing ``roles_file``,
            ``custom_roles`` and ``organization_id``.
    """
    roles_path = args.roles_file
    if roles_path and not has_file(roles_path):
        LOGGER.error('Role file passed is invalid: %s', roles_path)
        sys.exit(1)

    if not args.custom_roles:
        return
    # Names are taken verbatim between commas (no whitespace stripping), so
    # "a, b" is checked as "a" and " b".
    for role_name in args.custom_roles.split(','):
        if iam_org_level_role_exist(args.organization_id, role_name):
            continue
        LOGGER.error('Custom role invalid or inexistent: %s', role_name)
        sys.exit(1)
def validate_arguments(args):
    """Exit unless the target project and the CSCC API client file are usable.

    Exit codes:
        2 -- ``args.project`` could not be found (or is not accessible).
        4 -- the CSCC API client file is missing.

    Args:
        args: Parsed command-line arguments exposing ``project``.
    """
    if not project_exists(args.project):
        print(('Project {} not found. Please check if id is correct or if you '
               'have been granted access to it.'.format(args.project)))
        sys.exit(2)

    # File the transformer function uses to talk to the CSCC API; the path is
    # fixed relative to the repository base directory. Presumably it holds
    # credentials, so it should not be committed to source control.
    client_file = os.path.join(helpers.BASE_DIR, 'function', 'transformer',
                               'accounts', 'cscc_api_client.json')
    if has_file(client_file):
        return
    print('CSCC api client file does not exist.\nPlease place a valid file '
          'at {}'.format(client_file))
    sys.exit(4)
def validate_arguments(args):
    """Exit unless the connector inputs on *args* point at usable resources.

    Exit codes:
        1 -- ``args.key_file`` does not exist.
        2 -- ``args.connector_project`` could not be found / is not accessible.
        4 -- ``args.connector_sa_file`` was given but is not a regular file.

    Args:
        args: Parsed command-line arguments exposing ``key_file``,
            ``connector_project`` and ``connector_sa_file``.
    """
    if not has_file(args.key_file):
        print('Key File Does not Exist.\nPlease inform a file.')
        sys.exit(1)

    if not project_exists(args.connector_project):
        print(('Project {} not found. Please check if id is correct or if you '
               'have been granted access to it.'.format(args.connector_project)))
        sys.exit(2)

    # Optional; only validated when supplied. os.path.isfile (rather than the
    # has_file helper used above) means a directory at that path is rejected.
    sa_path = args.connector_sa_file
    if sa_path and not os.path.isfile(sa_path):
        print('The service account file path passed is not valid: "{}".'.format(
            sa_path))
        sys.exit(4)
def create_sa(args): """Create service account with the roles passed.""" sa_file_name = args.output_file or os.path.join( helpers.BASE_DIR, 'setup', 'service_accounts', '{}_{}.json'.format( args.project_id, args.name)) if has_file(sa_file_name): LOGGER.info('Service account file already exists on "%s".', sa_file_name) return else: run_command([ 'gcloud', 'iam', 'service-accounts', 'create', args.name, '--display-name', args.name, '--project', args.project_id ]) time.sleep(5) #wait for data replication account_email = get_service_account_email_from_api( args.name, args.project_id) sa_directory = os.path.dirname(sa_file_name) if not os.path.exists(sa_directory): os.makedirs(sa_directory) run_command([ 'gcloud', 'iam', 'service-accounts', 'keys', 'create', sa_file_name, '--iam-account', account_email, '--project', args.project_id ]) if args.roles_file: LOGGER.info('Roles to SA.') sa_roles = roles_file_to_list(args.roles_file) custom_roles = args.custom_roles if args.organization_id: if custom_roles: LOGGER.info('Considering custom roles: %s', custom_roles) custom_roles_list = custom_roles.split(',') for custom_role in custom_roles_list: full_custom_role = build_org_level_role_full_name( args.organization_id, custom_role) sa_roles.append(full_custom_role) set_policies(sa_roles, organization_id=args.organization_id, service_account_email=account_email) else: set_policies(sa_roles, project_id=args.project_id, service_account_email=account_email) LOGGER.info('Service account created with file "%s".', sa_file_name)
def create_sa(sa_name, project_id, organization_id, sa_roles): """Create service account with the roles passed. Args: sa_name: Service account name. project_id: Project id. organization_id: Organization id. sa_roles: Roles to add to service account. Returns: The service account generated file name. """ sa_file_name = os.path.join(helpers.BASE_DIR, 'setup', 'service_accounts', project_id + '_' + sa_name + '.json') if not has_file(sa_file_name): run_command([ 'gcloud', 'iam', 'service-accounts', 'create', sa_name, '--display-name', sa_name, '--project', project_id ]) account_email = get_service_account_email(sa_name, project_id) sa_directory = os.path.join(helpers.BASE_DIR, 'setup', 'service_accounts') if not os.path.exists(sa_directory): os.makedirs(sa_directory) run_command([ 'gcloud', 'iam', 'service-accounts', 'keys', 'create', sa_file_name, '--iam-account', account_email, '--project', project_id ]) print('Roles to SA.') for role in sa_roles: run_command([ 'gcloud', 'projects', 'add-iam-policy-binding', project_id, '--member', 'serviceAccount:' + account_email, '--quiet', '--role', role ]) return sa_file_name
def validate_arguments(args):
    """Exit with status 1 when ``args.template_file`` is set but not a file.

    An unset/empty template file is accepted without any check.

    Args:
        args: Parsed command-line arguments exposing ``template_file``.
    """
    path = args.template_file
    if not path:
        return
    if has_file(path):
        return
    LOGGER.error('Template file passed is invalid: %s', path)
    sys.exit(1)
def create_sa(sa_name, project_id, organization_id, sa_roles): """Create service account with the roles passed. OBS: It also has the responsibility to: * enable required APIs in the project * apply roles to DM Google-managed service account Args: sa_name: Service account name. project_id: Project id. organization_id: Organization id. sa_roles: Roles to add to service account. Returns: The service account generated file name. """ apis_to_enable = [ 'cloudbilling.googleapis.com', 'cloudresourcemanager.googleapis.com', 'deploymentmanager.googleapis.com', 'iam.googleapis.com', 'appengine.googleapis.com', 'cloudbuild.googleapis.com', 'cloudfunctions.googleapis.com', 'servicemanagement.googleapis.com', ] for api in apis_to_enable: run_command([ 'gcloud', 'services', 'enable', api, '--project', args.project_id ]) print('Roles to DM.') dm_roles = [ 'roles/billing.user', 'roles/deploymentmanager.editor', 'roles/resourcemanager.projectCreator', 'roles/iam.organizationRoleAdmin', 'roles/logging.admin' ] dm_email = get_cloud_services_default_service_account(args.project_id) for role in dm_roles: run_command([ 'gcloud', 'organizations', 'add-iam-policy-binding', args.organization_id, '--member', 'serviceAccount:' + dm_email, '--quiet', '--role', role ]) sa_file_name = os.path.join(helpers.BASE_DIR, 'setup', 'service_accounts', project_id + '_' + sa_name + '.json') if not has_file(sa_file_name): run_command([ 'gcloud', 'iam', 'service-accounts', 'create', sa_name, '--display-name', sa_name, '--project', project_id ]) account_email = get_service_account_email(sa_name, project_id) sa_directory = os.path.join(helpers.BASE_DIR, 'setup', 'service_accounts') if not os.path.exists(sa_directory): os.makedirs(sa_directory) run_command([ 'gcloud', 'iam', 'service-accounts', 'keys', 'create', sa_file_name, '--iam-account', account_email, '--project', project_id ]) print('Roles to SA.') for role in sa_roles: run_command([ 'gcloud', 'organizations', 'add-iam-policy-binding', organization_id, 
'--member', 'serviceAccount:' + account_email, '--quiet', '--role', role ]) return sa_file_name