use of com.google.api.services.cloudresourcemanager.v3.model.GetIamPolicyRequest in project java-docs-samples by GoogleCloudPlatform.
the class DeviceRegistryExample method getIamPermissions.
// [END iot_set_device_config]
// [START iot_get_iam_policy]
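/**
 * Retrieves the IAM policy of the given registry and prints its etag and bindings.
 *
 * <p>This is a read-only call; the policy is not modified. The Application Default Credentials
 * must hold a role that allows reading the registry's IAM policy.
 *
 * @param projectId the GCP project that owns the registry
 * @param cloudRegion the region the registry lives in
 * @param registryName the registry's short ID
 * @throws GeneralSecurityException if the trusted HTTP transport cannot be created
 * @throws IOException if credentials cannot be loaded or the API call fails
 */
protected static void getIamPermissions(String projectId, String cloudRegion, String registryName)
    throws GeneralSecurityException, IOException {
  // CloudIotScopes.all() requests every Cloud IoT scope, including the broad cloud-platform
  // scope; a read-only caller could request a narrower one to follow least privilege.
  GoogleCredentials credential =
      GoogleCredentials.getApplicationDefault().createScoped(CloudIotScopes.all());
  JsonFactory jsonFactory = JacksonFactory.getDefaultInstance();
  HttpRequestInitializer init = new HttpCredentialsAdapter(credential);
  final CloudIot service =
      new CloudIot.Builder(GoogleNetHttpTransport.newTrustedTransport(), jsonFactory, init)
          .setApplicationName(APP_NAME)
          .build();

  final String registryPath =
      String.format(
          "projects/%s/locations/%s/registries/%s", projectId, cloudRegion, registryName);

  com.google.api.services.cloudiot.v1.model.Policy policy =
      service
          .projects()
          .locations()
          .registries()
          .getIamPolicy(registryPath, new GetIamPolicyRequest())
          .execute();

  System.out.println("Policy ETAG: " + policy.getEtag());

  List<com.google.api.services.cloudiot.v1.model.Binding> bindings = policy.getBindings();
  if (bindings == null) {
    System.out.println(String.format("No policy bindings for %s", registryName));
    return;
  }
  for (com.google.api.services.cloudiot.v1.model.Binding binding : bindings) {
    System.out.println(String.format("Role: %s", binding.getRole()));
    System.out.println("Binding members: ");
    // The members field may be absent on a binding; skip it instead of dereferencing null.
    List<String> members = binding.getMembers();
    if (members == null) {
      continue;
    }
    for (String member : members) {
      System.out.println(String.format("\t%s", member));
    }
  }
}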
use of com.google.api.services.cloudresourcemanager.v3.model.GetIamPolicyRequest in project java-docs-samples by GoogleCloudPlatform.
the class DeviceRegistryExample method setIamPermissions.
// [END iot_get_iam_policy]
// [START iot_set_iam_policy]
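/**
 * Grants {@code role} to {@code member} on the given registry and prints the resulting policy.
 *
 * <p>The update is a read-modify-write: the current policy is fetched, {@code member} is added to
 * the binding for {@code role} (a new binding is created when the role has none), and the
 * modified policy is written back. The fetched policy object carries the registry's etag, which
 * is sent along with the write so the service can detect a concurrent modification instead of
 * silently overwriting it; a caller that hits such a failure should re-run the call.
 *
 * <p>A principal that is already listed under {@code role} is not added a second time, so
 * repeating the call with the same arguments is safe.
 *
 * @param projectId the GCP project that owns the registry
 * @param cloudRegion the region the registry lives in
 * @param registryName the registry's short ID
 * @param member the principal to add, in IAM member syntax (e.g. {@code user:alice@example.com})
 * @param role the IAM role to grant, e.g. {@code roles/viewer}; must not be null
 * @throws GeneralSecurityException if the trusted HTTP transport cannot be created
 * @throws IOException if credentials cannot be loaded or an API call fails
 */
protected static void setIamPermissions(
    String projectId, String cloudRegion, String registryName, String member, String role)
    throws GeneralSecurityException, IOException {
  GoogleCredentials credential =
      GoogleCredentials.getApplicationDefault().createScoped(CloudIotScopes.all());
  JsonFactory jsonFactory = JacksonFactory.getDefaultInstance();
  HttpRequestInitializer init = new HttpCredentialsAdapter(credential);
  final CloudIot service =
      new CloudIot.Builder(GoogleNetHttpTransport.newTrustedTransport(), jsonFactory, init)
          .setApplicationName(APP_NAME)
          .build();

  final String registryPath =
      String.format(
          "projects/%s/locations/%s/registries/%s", projectId, cloudRegion, registryName);

  // Fetch the current policy so existing bindings (and the etag) are preserved in the write.
  com.google.api.services.cloudiot.v1.model.Policy policy =
      service
          .projects()
          .locations()
          .registries()
          .getIamPolicy(registryPath, new GetIamPolicyRequest())
          .execute();

  List<com.google.api.services.cloudiot.v1.model.Binding> bindings = policy.getBindings();
  if (bindings == null) {
    bindings = new ArrayList<>();
  }

  boolean roleFound = false;
  for (com.google.api.services.cloudiot.v1.model.Binding binding : bindings) {
    if (!role.equals(binding.getRole())) {
      continue;
    }
    roleFound = true;
    List<String> members = binding.getMembers();
    if (members == null) {
      members = new ArrayList<>();
      binding.setMembers(members);
    }
    // A duplicate member entry is redundant; only add a principal that is not bound yet.
    if (!members.contains(member)) {
      members.add(member);
    }
  }
  if (!roleFound) {
    com.google.api.services.cloudiot.v1.model.Binding bind =
        new com.google.api.services.cloudiot.v1.model.Binding();
    bind.setRole(role);
    List<String> members = new ArrayList<>();
    members.add(member);
    bind.setMembers(members);
    bindings.add(bind);
  }
  policy.setBindings(bindings);

  SetIamPolicyRequest req = new SetIamPolicyRequest().setPolicy(policy);
  policy =
      service.projects().locations().registries().setIamPolicy(registryPath, req).execute();

  System.out.println("Policy ETAG: " + policy.getEtag());
  List<com.google.api.services.cloudiot.v1.model.Binding> updated = policy.getBindings();
  if (updated == null) {
    System.out.println(String.format("No policy bindings for %s", registryName));
    return;
  }
  for (com.google.api.services.cloudiot.v1.model.Binding binding : updated) {
    System.out.println(String.format("Role: %s", binding.getRole()));
    System.out.println("Binding members: ");
    List<String> members = binding.getMembers();
    if (members == null) {
      continue;
    }
    for (String mem : members) {
      System.out.println(String.format("\t%s", mem));
    }
  }
}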
use of com.google.api.services.cloudresourcemanager.v3.model.GetIamPolicyRequest in project java-docs-samples by GoogleCloudPlatform.
the class AddMember method addMember.
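/**
 * Adds a placeholder member to a placeholder role in {@code policy}.
 *
 * <p>Sample entry point: the role and member below are placeholders to be replaced. The work
 * is delegated to {@link #addMember(Policy, String, String)}. Only the in-memory policy is
 * changed; it still has to be written back with a setIamPolicy call, using the etag it was read
 * with, for the grant to take effect.
 *
 * @param policy the policy as read from the API; modified in place
 */
public static void addMember(Policy policy) {
  // policy = service.Projects.GetIAmPolicy(new GetIamPolicyRequest(), your-project-id).Execute();
  String role = "roles/existing-role";
  String member = "user:member-to-add@example.com";
  addMember(policy, role, member);
}

/**
 * Adds {@code member} to the binding for {@code role} in {@code policy}, in place.
 *
 * <p>Only a preexisting role is touched: when {@code policy} has no binding for {@code role},
 * no binding is created and the policy is left unchanged. A member already present in the
 * binding is not added a second time. The first binding matching {@code role} wins.
 *
 * @param policy the policy to modify; may carry no bindings at all
 * @param role the role whose binding receives the member, e.g. {@code roles/viewer}; not null
 * @param member the principal in IAM member syntax, e.g. {@code user:alice@example.com}
 */
public static void addMember(Policy policy, String role, String member) {
  List<Binding> bindings = policy.getBindings();
  if (bindings == null) {
    System.out.println("Role not found in policy; member not added");
    return;
  }
  for (Binding b : bindings) {
    if (!role.equals(b.getRole())) {
      continue;
    }
    List<String> members = b.getMembers();
    if (members == null) {
      // The members field may be absent on a binding; give it a list we can append to.
      members = new java.util.ArrayList<>();
      b.setMembers(members);
    }
    if (members.contains(member)) {
      System.out.println("Member " + member + " is already in role " + role);
      return;
    }
    members.add(member);
    System.out.println("Member " + member + " added to role " + role);
    return;
  }
  System.out.println("Role not found in policy; member not added");
}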
use of com.google.api.services.cloudresourcemanager.v3.model.GetIamPolicyRequest in project terra-workspace-manager by DataBiosphere.
the class CreateGcpContextFlightV2Test method assertPolicyGroupsSynced.
/**
 * Asserts that every synced Sam group holds its WSM role's IAM binding on the GCP project.
 *
 * <p>Each {@link WsmIamRole} is first synced through the mock Sam service to obtain the group
 * email, then the project's current IAM policy is read once and checked per role. The MANAGER
 * role is skipped because it is not synced to GCP.
 *
 * @param workspaceId the workspace whose policies are synced
 * @param project the GCP project backing the workspace
 * @throws Exception if the policy lookup or a Sam call fails
 */
private void assertPolicyGroupsSynced(UUID workspaceId, Project project) throws Exception {
  Map<WsmIamRole, String> expectedGroupByRole =
      Arrays.stream(WsmIamRole.values())
          .collect(
              Collectors.toMap(
                  Function.identity(), role -> syncedGroupMember(workspaceId, role)));

  Policy currentPolicy =
      crl.getCloudResourceManagerCow()
          .projects()
          .getIamPolicy(project.getProjectId(), new GetIamPolicyRequest())
          .execute();

  for (WsmIamRole role : WsmIamRole.values()) {
    if (role == WsmIamRole.MANAGER) {
      // MANAGER is not synced to GCP, so there is no binding to check.
      continue;
    }
    assertRoleBindingInPolicy(
        role, expectedGroupByRole.get(role), currentPolicy, project.getProjectId());
  }
}

/**
 * Syncs the Sam policy for {@code role} on {@code workspaceId} and returns the resulting group
 * in IAM member syntax ({@code group:<email>}).
 */
private String syncedGroupMember(UUID workspaceId, WsmIamRole role) {
  String groupEmail =
      SamRethrow.onInterrupted(
          () ->
              mockSamService.syncWorkspacePolicy(
                  workspaceId, role, userAccessUtils.defaultUserAuthRequest()),
          "syncWorkspacePolicy");
  return "group:" + groupEmail;
}
use of com.google.api.services.cloudresourcemanager.v3.model.GetIamPolicyRequest in project terra-resource-buffer by DataBiosphere.
the class CreateGkeDefaultSAStep method doStep.
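/**
 * Creates the GKE default node service account for the project (when the project config asks
 * for one) and grants it the roles in {@code GKE_SA_ROLES}.
 *
 * <p>Both halves are written to be retried: an already-existing service account is treated as
 * success, and the IAM grant is a read-modify-write of the project policy whose etag lets the
 * service reject a write that races with another policy change.
 *
 * @param flightContext supplies the project ID via the working map under
 *     {@code GOOGLE_PROJECT_ID}
 * @return success, or a retryable failure when the IAM policy write fails
 * @throws RetryException when the service-account creation fails for a reason other than the
 *     account already existing
 */
@Override
public StepResult doStep(FlightContext flightContext) throws RetryException {
  if (!createGkeDefaultSa(gcpProjectConfig)) {
    return StepResult.getStepResultSuccess();
  }
  String projectId = flightContext.getWorkingMap().get(GOOGLE_PROJECT_ID, String.class);
  createGkeServiceAccount(projectId);
  return grantGkeNodeRoles(projectId);
}

/**
 * Creates the GKE default node service account in {@code projectId}; an account that already
 * exists (HTTP 409) counts as success so the step is safe to retry.
 *
 * @throws RetryException on any other API or I/O error
 */
private void createGkeServiceAccount(String projectId) throws RetryException {
  CreateServiceAccountRequest createRequest =
      new CreateServiceAccountRequest()
          .setAccountId(GKE_SA_NAME)
          .setServiceAccount(
              new ServiceAccount()
                  .setDescription("Default service account can be used on GKE node. "));
  try {
    iamCow.projects().serviceAccounts().create("projects/" + projectId, createRequest).execute();
  } catch (GoogleJsonResponseException e) {
    // CONFLICT means the account already exists (e.g. a retry); everything else is retried.
    if (e.getStatusCode() != HttpStatus.CONFLICT.value()) {
      throw new RetryException(e);
    }
    logger.warn("Service account {} already exists in project {}.", GKE_SA_NAME, projectId);
  } catch (IOException e) {
    throw new RetryException(e);
  }
}

/**
 * Grants {@code GKE_SA_ROLES} to the GKE default node service account by appending bindings to
 * the project's current IAM policy and writing it back.
 *
 * <p>The roles list should stay the minimal set a GKE node runner needs, since every project
 * created by this step inherits it.
 *
 * @return success, or {@code STEP_RESULT_FAILURE_RETRY} carrying the I/O error
 */
private StepResult grantGkeNodeRoles(String projectId) {
  String serviceAccountEmail = ServiceAccountName.emailFromAccountId(GKE_SA_NAME, projectId);
  String saMember = "serviceAccount:" + serviceAccountEmail;
  try {
    Policy policy = rmCow.projects().getIamPolicy(projectId, new GetIamPolicyRequest()).execute();
    // The bindings field may be absent on a policy with no bindings; normalize it so the
    // add() calls below cannot dereference null (which would escape the IOException catch).
    if (policy.getBindings() == null) {
      policy.setBindings(new java.util.ArrayList<>());
    }
    GKE_SA_ROLES.forEach(
        r ->
            policy
                .getBindings()
                .add(new Binding().setRole(r).setMembers(Collections.singletonList(saMember))));
    // Duplicating bindings is harmless (e.g. on retry). GCP de-duplicates. The policy keeps the
    // etag from getIamPolicy, so a concurrent policy change fails this write (and the step is
    // retried) rather than being clobbered.
    rmCow.projects().setIamPolicy(projectId, new SetIamPolicyRequest().setPolicy(policy)).execute();
  } catch (IOException e) {
    logger.warn("Error when setting IAM policy for GKE default node SA", e);
    return new StepResult(StepStatus.STEP_RESULT_FAILURE_RETRY, e);
  }
  return StepResult.getStepResultSuccess();
}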