def CheckServiceAccountPermission(unused_repo_ref, repo_args, request):
  """Ensures the Artifact Registry service account can use the CMEK key.

  Looks for a direct binding on the key's IAM policy that gives the
  Artifact Registry service account either the CryptoKey Encrypter/Decrypter
  role or the owner role. When none is found, the user is asked to confirm
  the grant (declining cancels the operation) and the binding is added.

  NOTE(review): only bindings present on the policy returned for the key are
  inspected; grants inherited from the key ring or project and IAM conditions
  attached to a binding are not taken into account -- confirm that is the
  intended behaviour before relying on this check.

  Args:
    unused_repo_ref: Repo reference input (not used).
    repo_args: User input arguments; ``kms_key`` selects the CMEK key.
    request: Create repository request.

  Returns:
    The create repository request, unchanged.

  Raises:
    ar_exceptions.ArtifactRegistryError: the grant returned HTTP 400, which is
      taken to mean the service account does not exist yet.
  """
  key_name = repo_args.kms_key
  if not key_name:
    # No CMEK key requested: nothing to verify.
    return request

  project_num = project_util.GetProjectNumber(GetProject(repo_args))
  member = "serviceAccount:" + _AR_SERVICE_ACCOUNT.format(
      project_num=project_num)
  accepted_roles = ("roles/cloudkms.cryptoKeyEncrypterDecrypter",
                    "roles/owner")
  policy = ar_requests.GetCryptoKeyPolicy(key_name)
  already_granted = any(
      member in binding.members and binding.role in accepted_roles
      for binding in policy.bindings)
  if already_granted:
    return request

  console_io.PromptContinue(
      prompt_string=(
          "\nGrant the Artifact Registry Service Account "
          "permission to encrypt/decrypt with the selected key [{key_name}]"
      ).format(key_name=key_name),
      cancel_on_no=True,
      cancel_string=(
          "The Artifact Registry Service Account needs permissions to "
          "encrypt/decrypt on the selected key.\n"
          "Learn more: https://cloud.google.com/artifact-registry/docs/cmek"))
  try:
    ar_requests.AddCryptoKeyPermission(key_name, member)
  except apitools_exceptions.HttpBadRequestError:
    # The key itself was already resolved when its policy was fetched, so a
    # 400 here is attributed to the service account rather than the key.
    # (The permission check is expected to move server-side eventually.)
    raise ar_exceptions.ArtifactRegistryError(
        "The Artifact Registry service account may not exist, please "
        "create the service account.\nLearn more: "
        "https://cloud.google.com/artifact-registry/docs/cmek")
  log.status.Print(
      "Added Cloud KMS CryptoKey Encrypter/Decrypter Role to [{key_name}]"
      .format(key_name=key_name))
  return request
def CheckServiceAccountPermission(response, args):
  """Ensures the Artifact Registry service account can use the CMEK key.

  Runs after the repository has been created. Looks for a direct binding on
  the key's IAM policy that gives the Artifact Registry service account the
  CryptoKey Encrypter/Decrypter role or the owner role; when none is found the
  user is offered the grant. Declining is not an error: a reminder pointing at
  the CMEK documentation is printed and the response is returned as-is.

  NOTE(review): only bindings present on the policy returned for the key are
  inspected; grants inherited from the key ring or project and IAM conditions
  attached to a binding are not considered -- confirm that is intended.

  Args:
    response: Create repository response.
    args: User input arguments; ``kms_key`` selects the CMEK key.

  Returns:
    The create repository response, unchanged.
  """
  key_name = args.kms_key
  if not key_name:
    # No CMEK key requested: nothing to verify.
    return response

  project_num = project_util.GetProjectNumber(GetProject(args))
  # NOTE(review): the member string is used verbatim, so _AR_SERVICE_ACCOUNT is
  # presumably already in "serviceAccount:..." form here -- verify.
  member = _AR_SERVICE_ACCOUNT.format(project_num=project_num)
  accepted_roles = ("roles/cloudkms.cryptoKeyEncrypterDecrypter",
                    "roles/owner")
  policy = ar_requests.GetCryptoKeyPolicy(key_name)
  if any(member in binding.members and binding.role in accepted_roles
         for binding in policy.bindings):
    return response

  prompt = (
      "\nDo you want to grant the Artifact Registry Service Account "
      "permission to encrypt/decrypt with the selected key [{key_name}]"
  ).format(key_name=key_name)
  if not console_io.PromptContinue(prompt_string=prompt, cancel_on_no=False):
    log.status.Print(
        "Note: You will need to grant the Artifact Registry Service "
        "Account permissions to encrypt/decrypt on the selected key.\n"
        "Learn more: https://cloud.google.com/artifact-registry/docs/cmek")
    return response

  ar_requests.AddCryptoKeyPermission(key_name, member)
  log.status.Print(
      "Added Cloud KMS CryptoKey Encrypter/Decrypter Role to [{key_name}]"
      .format(key_name=key_name))
  return response