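    def execute(self, task_status_queue=None):
        """Patch the bucket, granting the service agent CMEK access if needed.

        Sends the patch request built from ``self._user_request_args``. When
        the API answers 403 and the request sets a default encryption key, the
        bucket's service agent is presumed to lack the encrypter/decrypter role
        on that key: the binding is added and the patch is retried exactly
        once. Note that this path edits the key's IAM policy without prompting
        the user. Any other error, or a second failure of the retried patch,
        propagates to the caller unchanged.

        Args:
          task_status_queue: Optional queue; when truthy, the completed-task
            counter is incremented after a successful patch.
        """
        log.status.Print('Updating {}...'.format(self._bucket_resource))
        provider = self._bucket_resource.storage_url.scheme
        # One client serves the patch, the service-agent lookup and the retry.
        api = api_factory.get_api(provider)
        request_config = request_config_factory.get_request_config(
            self._bucket_resource.storage_url,
            user_request_args=self._user_request_args)

        try:
            api.patch_bucket(self._bucket_resource, request_config=request_config)
        except errors.GcsApiError as e:
            default_key = request_config.resource_args.default_encryption_key
            # Only "403 while setting a CMEK" is handled here; anything else is
            # not ours to fix.
            if e.payload.status_code != 403 or not default_key:
                raise
            # Service agent does not have the encrypter/decrypter role.
            service_agent = api.get_service_agent()
            requests.AddCryptoKeyPermission(
                default_key, 'serviceAccount:' + service_agent)
            # Retry once; a second failure propagates as-is.
            api.patch_bucket(self._bucket_resource, request_config=request_config)

        if task_status_queue:
            progress_callbacks.increment_count_callback(task_status_queue)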
def CheckServiceAccountPermission(unused_repo_ref, repo_args, request):
    """Ensures the Artifact Registry service account can use the CMEK key.

    Looks up the key's IAM policy and, unless the project's Artifact Registry
    service account already holds the encrypter/decrypter or owner role on
    it, asks the user for confirmation and adds the encrypter/decrypter
    binding. Declining the prompt cancels the operation (``cancel_on_no``).
    Nothing happens when no key was requested.

    Args:
      unused_repo_ref: Repo reference input (not used).
      repo_args: User input arguments; only ``kms_key`` is read.
      request: Create repository request.

    Returns:
      The unchanged create repository request.

    Raises:
      ar_exceptions.ArtifactRegistryError: if adding the binding fails with a
        400, which is taken to mean the service account does not exist.
    """
    if not repo_args.kms_key:
        return request

    key_name = repo_args.kms_key
    project_num = project_util.GetProjectNumber(GetProject(repo_args))
    member = "serviceAccount:" + _AR_SERVICE_ACCOUNT.format(
        project_num=project_num)
    policy = ar_requests.GetCryptoKeyPolicy(key_name)

    sufficient_roles = ("roles/cloudkms.cryptoKeyEncrypterDecrypter",
                        "roles/owner")
    already_granted = any(
        member in binding.members and binding.role in sufficient_roles
        for binding in policy.bindings)
    if already_granted:
        return request

    console_io.PromptContinue(
        prompt_string=(
            "\nGrant the Artifact Registry Service Account "
            "permission to encrypt/decrypt with the selected key [{key_name}]"
            .format(key_name=key_name)),
        cancel_on_no=True,
        cancel_string=(
            "The Artifact Registry Service Account needs permissions to "
            "encrypt/decrypt on the selected key.\n"
            "Learn more: https://cloud.google.com/artifact-registry/docs/cmek"))
    try:
        ar_requests.AddCryptoKeyPermission(key_name, member)
    except apitools_exceptions.HttpBadRequestError:
        # The key was already resolved by the policy lookup above, so a 400
        # here is attributed to a problematic or missing service account.
        msg = (
            "The Artifact Registry service account may not exist, please "
            "create the service account.\nLearn more: "
            "https://cloud.google.com/artifact-registry/docs/cmek")
        raise ar_exceptions.ArtifactRegistryError(msg)

    log.status.Print(
        "Added Cloud KMS CryptoKey Encrypter/Decrypter Role to [{key_name}]"
        .format(key_name=key_name))
    return request
 def Run(self, args):
     """Print the GCS service agent, optionally binding it to a CMEK key.

     Args:
       args: Parsed command arguments; ``authorize_cmek`` names the Cloud KMS
         key to bind. When it is unset, only the service agent is printed.
     """
     api = api_factory.get_api(storage_url.ProviderPrefix.GCS)
     service_agent = api.get_service_agent()
     key_name = args.authorize_cmek
     if not key_name:
         log.Print(service_agent)
         return
     # Adds a Cloud KMS IAM binding for the service agent on the key; this
     # edits the key's IAM policy without a confirmation prompt.
     requests.AddCryptoKeyPermission(key_name, 'serviceAccount:' + service_agent)
     log.Print(
         'Authorized project {} to encrypt and decrypt with key:\n{}'.format(
             properties.VALUES.core.project.Get(), key_name))
def CheckServiceAccountPermission(response, args):
    """Ensures the Artifact Registry service account can use the CMEK key.

    Looks up the key's IAM policy and, unless the project's Artifact Registry
    service account already holds the encrypter/decrypter or owner role on
    it, asks the user whether to add the encrypter/decrypter binding. A "no"
    answer is not an error: a note pointing at the CMEK documentation is
    printed and the response is returned untouched. Nothing happens when no
    key was requested.

    Args:
      response: Create repository response.
      args: User input arguments; only ``kms_key`` is read.

    Returns:
      The unchanged create repository response.
    """
    if not args.kms_key:
        return response

    key_name = args.kms_key
    project_num = project_util.GetProjectNumber(GetProject(args))
    # NOTE(review): used directly as the IAM member string, so
    # _AR_SERVICE_ACCOUNT is presumably already "serviceAccount:"-prefixed;
    # confirm against its definition.
    service_account = _AR_SERVICE_ACCOUNT.format(project_num=project_num)

    sufficient_roles = ("roles/cloudkms.cryptoKeyEncrypterDecrypter",
                        "roles/owner")
    policy = ar_requests.GetCryptoKeyPolicy(key_name)
    already_granted = any(
        service_account in binding.members and binding.role in sufficient_roles
        for binding in policy.bindings)
    if already_granted:
        return response

    granted = console_io.PromptContinue(
        prompt_string=(
            "\nDo you want to grant the Artifact Registry Service Account "
            "permission to encrypt/decrypt with the selected key [{key_name}]"
            .format(key_name=key_name)),
        cancel_on_no=False)
    if not granted:
        log.status.Print(
            "Note: You will need to grant the Artifact Registry Service "
            "Account permissions to encrypt/decrypt on the selected key.\n"
            "Learn more: https://cloud.google.com/artifact-registry/docs/cmek"
        )
        return response

    ar_requests.AddCryptoKeyPermission(key_name, service_account)
    log.status.Print(
        "Added Cloud KMS CryptoKey Encrypter/Decrypter Role to [{key_name}]"
        .format(key_name=key_name))
    return response