def _set_bucket_service_account(service_account, client, bucket_name,
iam_policy):
"""Set service account for a bucket."""
# Add service account as objectAdmin.
binding = storage.get_or_create_bucket_iam_binding(iam_policy,
OBJECT_ADMIN_IAM_ROLE)
members = ['serviceAccount:' + service_account['email']]
if members == binding['members']:
# No changes required.
return iam_policy
binding['members'] = members
return storage.set_bucket_iam_policy(client, bucket_name, iam_policy)
def _add_users_to_bucket(info, client, bucket_name, iam_policy):
"""Add user account to bucket."""
ccs = sorted([
'user:'******'members'] = sorted(list(set(binding['members'])))
if binding['members'] == ccs:
return iam_policy
filtered_members = [
member for member in binding['members'] if member in ccs
]
if len(filtered_members) != len(binding['members']):
# Remove old members.
binding['members'] = filtered_members
iam_policy = storage.set_bucket_iam_policy(client, bucket_name,
iam_policy)
# We might have no binding either from start or after filtering members above.
# Create a new one in those cases.
binding = storage.get_or_create_bucket_iam_binding(iam_policy,
OBJECT_VIEWER_IAM_ROLE)
for cc in ccs:
if cc in binding['members']:
continue
logs.log('Adding %s to bucket IAM for %s' % (cc, bucket_name))
# Add CCs one at a time since the API does not work with invalid or
# non-Google emails.
modified_iam_policy = storage.add_single_bucket_iam(
client, iam_policy, OBJECT_VIEWER_IAM_ROLE, bucket_name, cc)
if modified_iam_policy:
iam_policy = modified_iam_policy
binding = storage.get_bucket_iam_binding(iam_policy,
OBJECT_VIEWER_IAM_ROLE)
if not binding['members']:
# Check that the final binding has members. Empty bindings are not valid.
storage.remove_bucket_iam_binding(iam_policy, OBJECT_VIEWER_IAM_ROLE)
return iam_policy
def add_service_account_to_bucket(client, bucket_name, service_account, role):
"""Add service account to the gcr.io images bucket."""
iam_policy = storage.get_bucket_iam_policy(client, bucket_name)
if not iam_policy:
return
binding = storage.get_or_create_bucket_iam_binding(iam_policy, role)
member = 'serviceAccount:' + service_account['email']
if member in binding['members']:
# No changes required.
return
binding['members'].append(member)
storage.set_bucket_iam_policy(client, bucket_name, iam_policy)
