def __view_bucket_iam_members(bucket: Bucket):
    """
    Print every IAM role bound on ``bucket`` together with that role's members.

    Reads the policy through the legacy ``role -> members`` mapping, so the
    listing reflects exactly what ``get_iam_policy()`` returns with its
    default policy version.

    Args:
        bucket: the bucket whose IAM policy is listed.
    """
    # NOTE(review): no requested_policy_version is passed, so conditional
    # (version 3) bindings are not covered by this listing -- confirm the
    # buckets audited with this helper carry none, or request version 3.
    iam_policy = bucket.get_iam_policy()

    for bound_role in iam_policy:
        print(f"Role: {bound_role}, Members: {iam_policy[bound_role]}")
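def _bucket_iam_helper(bucket: Bucket, member: str, roles: list, add: bool = True):
    """
    Add ``member`` to, or remove it from, each of ``roles`` on ``bucket``.

    Args:
        bucket: bucket whose IAM policy is read, edited and written back.
        member: IAM member string, e.g. ``user:alice@example.com``.
        roles: role names such as ``roles/storage.objectViewer``.
        add: grant when True (default), revoke when False.

    Returns:
        One line per role describing what happened, joined with newlines.
        A role on which the member was already present (or already absent)
        is reported as a no-op instead of as a change, so the returned text
        is an accurate record of what this call actually modified.
    """
    # The legacy role -> members view (policy[role]) only represents
    # unconditional bindings; conditional bindings are not handled here.
    policy = bucket.get_iam_policy()
    messages = []
    for role in roles:
        members = policy[role]
        if add:
            if member in members:
                messages.append(f"{member} already has role {role} on {bucket.name}.")
            else:
                members.add(member)
                messages.append(f"Added {member} with role {role} to {bucket.name}.")
        else:
            if member in members:
                members.discard(member)
                messages.append(f"Removed {member} with role {role} from {bucket.name}.")
            else:
                messages.append(f"{member} does not have role {role} on {bucket.name}.")
    bucket.set_iam_policy(policy)
    return "\n".join(messages)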
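def destination_bucket(gcs_bucket: storage.Bucket, sts_service_account: str):
    """
    Yield a GCS bucket on which the STS service account has been granted
    write permission, and revoke that grant again when the consumer is done.

    Args:
        gcs_bucket: the bucket to grant access on; yielded unchanged.
        sts_service_account: e-mail of the Storage Transfer Service account.

    The revocation runs in a ``finally`` block, so the extra permission does
    not outlive this fixture even when the consuming code raises.
    """
    member: str = f"serviceAccount:{sts_service_account}"
    # NOTE(review): legacyBucketWriter is a legacy role; confirm it is the
    # narrowest role STS needs before reusing this fixture elsewhere.
    bucket_writer_role = "roles/storage.legacyBucketWriter"

    # Grant: version 3 keeps any existing conditional bindings intact.
    policy = gcs_bucket.get_iam_policy(requested_policy_version=3)
    policy.bindings.append({"role": bucket_writer_role, "members": {member}})
    gcs_bucket.set_iam_policy(policy)

    try:
        yield gcs_bucket
    finally:
        # Re-read the policy instead of reusing the copy above: it may have
        # changed (and its etag certainly has) since the grant was written,
        # so editing the stale copy would either fail the write precondition
        # or clobber changes made in between.
        policy = gcs_bucket.get_iam_policy(requested_policy_version=3)
        for binding in list(policy.bindings):
            # Only touch the unconditional binding we created; a conditional
            # binding on the same role belongs to someone else.
            if binding["role"] != bucket_writer_role or binding.get("condition"):
                continue
            remaining = set(binding["members"]) - {member}
            if remaining:
                binding["members"] = remaining
            else:
                policy.bindings.remove(binding)  # no members left: drop it
        gcs_bucket.set_iam_policy(policy)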
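def revoke_expiring_gcs_access(
    bucket: storage.Bucket, role: str, user_email: str, prefix: Optional[str] = None
):
    """
    Revoke every bucket IAM binding created by `grant_expiring_gcs_access`
    for the given (`role`, `user_email`, `prefix`) triple.

    Args:
        bucket: the bucket whose policy is edited.
        role: the IAM role that was granted.
        user_email: the grantee whose access is revoked.
        prefix: object-name prefix the grant was scoped to, or None for the
            whole bucket; must match what was passed to the grant call.

    When no matching binding exists a `warnings.warn` is emitted and the
    policy is not written back, so revoking an unknown grant is visible
    but neither fatal nor a needless policy write.
    """
    # see https://cloud.google.com/storage/docs/access-control/using-iam-permissions#code-samples_3
    # Version 3 is needed to see -- and therefore remove -- the conditional
    # (expiring) bindings that the grant side creates.
    policy = bucket.get_iam_policy(requested_policy_version=3)
    policy.version = 3

    # Keep popping until nothing matches rather than stopping after a fixed
    # count: a cap can leave a still-valid grant in place, which is the one
    # outcome a revoke must not have. Terminates because each non-None
    # result removes one binding from a finite list (assumes
    # _find_and_pop_binding removes what it returns, as its name says).
    removed = 0
    while _find_and_pop_binding(policy, prefix, role, user_email) is not None:
        removed += 1

    if removed == 0:
        warnings.warn(
            f"Tried to revoke a non-existent download IAM permission for {user_email}/{prefix}"
        )
        return  # nothing changed; skip the write

    bucket.set_iam_policy(policy)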
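def grant_expiring_gcs_access(
    bucket: storage.Bucket, role: str, user_email: str, prefix: Optional[str] = None
):
    """
    Grant `user_email` the provided `role` on a `bucket` via a time-limited
    (conditional) IAM binding built by `_build_binding_with_expiry`; the
    expiry is expected to be `INACTIVE_USER_DAYS` from now. By default the
    permission applies to the whole bucket; pass an object URL `prefix` to
    restrict it to a portion of the objects in the bucket.

    Args:
        bucket: the bucket whose policy is edited.
        role: the IAM role to grant.
        user_email: the grantee.
        prefix: object-name prefix to scope the grant to, or None.

    Calling this again for the same triple replaces the existing grant, so
    the TTL is refreshed rather than a second binding being added.
    """
    # see https://cloud.google.com/storage/docs/access-control/using-iam-permissions#code-samples_3
    # Conditional bindings only exist in policy version 3; both the read and
    # the write must use it or the condition is not representable.
    policy = bucket.get_iam_policy(requested_policy_version=3)
    policy.version = 3

    # Remove *every* existing binding for this (prefix, role, user) so the
    # fresh binding below is the only grant and carries the new TTL. Popping
    # just one would leave duplicates (e.g. added out-of-band) behind, which
    # the matching revoke would otherwise have to clean up.
    while _find_and_pop_binding(policy, prefix, role, user_email) is not None:
        pass

    binding = _build_binding_with_expiry(bucket.name, prefix, role, user_email)

    # (re)insert the binding into the policy
    policy.bindings.append(binding)
    bucket.set_iam_policy(policy)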