def add_bucket_iams(info, client, bucket_name, service_account):
"""Add CC'ed users to storage bucket IAM."""
iam_policy = storage.get_bucket_iam_policy(client, bucket_name)
if not iam_policy:
return
iam_policy = _add_users_to_bucket(info, client, bucket_name, iam_policy)
_set_bucket_service_account(service_account, client, bucket_name, iam_policy)
def add_service_account_to_bucket(client, bucket_name, service_account, role):
"""Add service account to the gcr.io images bucket."""
iam_policy = storage.get_bucket_iam_policy(client, bucket_name)
if not iam_policy:
return
binding = storage.get_or_create_bucket_iam_binding(iam_policy, role)
member = 'serviceAccount:' + service_account['email']
if member in binding['members']:
# No changes required.
return
binding['members'].append(member)
storage.set_bucket_iam_policy(client, bucket_name, iam_policy)
def create_data_bundle_bucket_and_iams(data_bundle_name, emails):
"""Creates a data bundle bucket and adds iams for access."""
bucket_name = get_data_bundle_bucket_name(data_bundle_name)
if not storage.create_bucket_if_needed(bucket_name):
return False
client = storage.create_discovery_storage_client()
iam_policy = storage.get_bucket_iam_policy(client, bucket_name)
if not iam_policy:
return False
members = []
# Add access for the domains allowed in project.
domains = local_config.AuthConfig().get('whitelisted_domains', default=[])
for domain in domains:
members.append('domain:%s' % domain)
# Add access for the emails provided in function arguments.
for email in emails:
members.append('user:%s' % email)
if not members:
# No members to add, bail out.
return True
binding = storage.get_bucket_iam_binding(iam_policy,
DATA_BUNDLE_DEFAULT_BUCKET_IAM_ROLE)
if binding:
binding['members'] = members
else:
binding = {
'role': DATA_BUNDLE_DEFAULT_BUCKET_IAM_ROLE,
'members': members,
}
iam_policy['bindings'].append(binding)
return bool(storage.set_bucket_iam_policy(client, bucket_name, iam_policy))
