def GetIamPolicyWithAncestors(project_id): """Get IAM policy for given project and its ancestors. Args: project_id: project id Returns: IAM policy for given project and its ancestors """ iam_policies = [] ancestry = projects_api.GetAncestry(project_id) try: for resource in ancestry.ancestor: resource_type = resource.resourceId.type resource_id = resource.resourceId.id # this is the given project if resource_type == 'project': project_ref = ParseProject(project_id) iam_policies.append({ 'type': 'project', 'id': project_id, 'policy': projects_api.GetIamPolicy(project_ref) }) if resource_type == 'folder': iam_policies.append({ 'type': resource_type, 'id': resource_id, 'policy': folders.GetIamPolicy(resource_id) }) if resource_type == 'organization': iam_policies.append({ 'type': resource_type, 'id': resource_id, 'policy': organizations.Client().GetIamPolicy(resource_id), }) return iam_policies except HttpForbiddenError: raise exceptions.AncestorsIamPolicyAccessDeniedError( 'User is not permitted to access IAM policy for one or more of the' ' ancestors')
def Run(self, args): return folders.GetIamPolicy(args.id)
def Run(self, args): policy = folders.GetIamPolicy(args.id) iam_util.RemoveBindingFromIamPolicy(policy, args.member, args.role) return folders.SetIamPolicy(args.id, policy)
def Run(self, args): messages = folders.FoldersMessages() policy = folders.GetIamPolicy(args.id) iam_util.AddBindingToIamPolicy( messages.Binding, policy, args.member, args.role) return folders.SetIamPolicy(args.id, policy)
def GetIamPolicyWithAncestors(project_id, include_deny, release_track): """Get IAM policy for given project and its ancestors. Args: project_id: project id include_deny: boolean that represents if we should show the deny policies in addition to the grants release_track: which release track, include deny is only supported for ALPHA or BETA Returns: IAM policy for given project and its ancestors """ iam_policies = [] ancestry = projects_api.GetAncestry(project_id) try: for resource in ancestry.ancestor: resource_type = resource.resourceId.type resource_id = resource.resourceId.id # this is the given project if resource_type == 'project': project_ref = ParseProject(project_id) iam_policies.append({ 'type': 'project', 'id': project_id, 'policy': projects_api.GetIamPolicy(project_ref) }) if include_deny: deny_policies = policies.ListDenyPolicies( project_id, 'project', release_track) for deny_policy in deny_policies: iam_policies.append({ 'type': 'project', 'id': project_id, 'policy': deny_policy }) if resource_type == 'folder': iam_policies.append({ 'type': resource_type, 'id': resource_id, 'policy': folders.GetIamPolicy(resource_id) }) if include_deny: deny_policies = policies.ListDenyPolicies( resource_id, 'folder', release_track) for deny_policy in deny_policies: iam_policies.append({ 'type': 'folder', 'id': resource_id, 'policy': deny_policy }) if resource_type == 'organization': iam_policies.append({ 'type': resource_type, 'id': resource_id, 'policy': organizations.Client().GetIamPolicy(resource_id), }) if include_deny: deny_policies = policies.ListDenyPolicies( resource_id, 'organization', release_track) for deny_policy in deny_policies: iam_policies.append({ 'type': 'organization', 'id': resource_id, 'policy': deny_policy }) return iam_policies except HttpForbiddenError: raise exceptions.AncestorsIamPolicyAccessDeniedError( 'User is not permitted to access IAM policy for one or more of the' ' ancestors')