Examples with SetIamPolicyRequest com.google.api.services.iam.v1.model.SetIamPolicyRequest used on opensource projects

Example 11 with SetIamPolicyRequest

use of com.google.api.services.iam.v1.model.SetIamPolicyRequest in project terra-workspace-manager by DataBiosphere.

the class PetSaService method disablePetServiceAccountImpersonationWithEtag.

/**
 * Revoke the permission to impersonate a pet service account granted by {@code
 * enablePetServiceAccountImpersonation}. Unlike other operations, this does not run in a flight
 * because it only requires one write operation. This operation is idempotent.
 *
 * <p>This method requires a user's pet service account email as input. As a transitive
 * dependency, this also means the provided workspace must have a GCP context.
 *
 * <p>This method does not authenticate that the user should have access to impersonate their pet
 * SA, callers should validate this first.
 *
 * @param workspaceUuid ID of the workspace to disable pet SA in
 * @param userToDisableEmail The user losing access to pet SA
 * @param userRequest This request's token will be used to authenticate SAM requests
 * @param eTag GCP eTag which must match the pet SA's current policy. If null, this is ignored.
 */
public Optional<Policy> disablePetServiceAccountImpersonationWithEtag(UUID workspaceUuid, String userToDisableEmail, AuthenticatedUserRequest userRequest, @Nullable String eTag) {
    String proxyGroupEmail = SamRethrow.onInterrupted(() -> samService.getProxyGroupEmail(userToDisableEmail, userRequest.getRequiredToken()), "disablePet");
    String targetMember = "group:" + proxyGroupEmail;
    String projectId = gcpCloudContextService.getRequiredGcpProject(workspaceUuid);
    try {
        Optional<ServiceAccountName> userToDisablePetSA = getUserPetSa(projectId, userToDisableEmail, userRequest);
        if (userToDisablePetSA.isEmpty()) {
            return Optional.empty();
        }
        Policy saPolicy = crlService.getIamCow().projects().serviceAccounts().getIamPolicy(userToDisablePetSA.get()).execute();
        // clobbering other changes.
        if (eTag != null && !saPolicy.getEtag().equals(eTag)) {
            logger.warn("GCP IAM policy eTag did not match expected value when revoking pet SA access for user {} in workspace {}. This is normal for Step retries.", userToDisableEmail, workspaceUuid);
            return Optional.empty();
        }
        // If the member is already not on the policy, we are done
        // This handles the case where there are no bindings at all, so we don't
        // need to worry about null binding later in the logic.
        Optional<Binding> bindingToModify = findServiceAccountUserBinding(saPolicy);
        if (bindingToModify.isEmpty() || !bindingToModify.get().getMembers().contains(targetMember)) {
            return Optional.empty();
        }
        bindingToModify.get().getMembers().remove(targetMember);
        SetIamPolicyRequest request = new SetIamPolicyRequest().setPolicy(saPolicy);
        return Optional.of(crlService.getIamCow().projects().serviceAccounts().setIamPolicy(userToDisablePetSA.get(), request).execute());
    } catch (IOException e) {
        return handleProxyUpdateError(e, "disabling");
    }
}

Example 12 with SetIamPolicyRequest

use of com.google.api.services.iam.v1.model.SetIamPolicyRequest in project java-docs-samples by GoogleCloudPlatform.

the class DeviceRegistryExample method setIamPermissions.

// [END iot_get_iam_policy]
// [START iot_set_iam_policy]
/**
 * Sets IAM permissions for the given registry.
 */
protected static void setIamPermissions(String projectId, String cloudRegion, String registryName, String member, String role) throws GeneralSecurityException, IOException {
    GoogleCredentials credential = GoogleCredentials.getApplicationDefault().createScoped(CloudIotScopes.all());
    JsonFactory jsonFactory = JacksonFactory.getDefaultInstance();
    HttpRequestInitializer init = new HttpCredentialsAdapter(credential);
    final CloudIot service = new CloudIot.Builder(GoogleNetHttpTransport.newTrustedTransport(), jsonFactory, init).setApplicationName(APP_NAME).build();
    final String registryPath = String.format("projects/%s/locations/%s/registries/%s", projectId, cloudRegion, registryName);
    com.google.api.services.cloudiot.v1.model.Policy policy = service.projects().locations().registries().getIamPolicy(registryPath, new GetIamPolicyRequest()).execute();
    List<com.google.api.services.cloudiot.v1.model.Binding> bindings = policy.getBindings();
    boolean addNewRole = true;
    if (bindings != null) {
        for (com.google.api.services.cloudiot.v1.model.Binding binding : bindings) {
            if (binding.getRole().equals(role)) {
                List<String> members = binding.getMembers();
                members.add(member);
                binding.setMembers(members);
                addNewRole = false;
            }
        }
    } else {
        bindings = new ArrayList<>();
    }
    if (addNewRole) {
        com.google.api.services.cloudiot.v1.model.Binding bind = new com.google.api.services.cloudiot.v1.model.Binding();
        bind.setRole(role);
        List<String> members = new ArrayList<>();
        members.add(member);
        bind.setMembers(members);
        bindings.add(bind);
    }
    policy.setBindings(bindings);
    SetIamPolicyRequest req = new SetIamPolicyRequest().setPolicy(policy);
    policy = service.projects().locations().registries().setIamPolicy(registryPath, req).execute();
    System.out.println("Policy ETAG: " + policy.getEtag());
    for (com.google.api.services.cloudiot.v1.model.Binding binding : policy.getBindings()) {
        System.out.println(String.format("Role: %s", binding.getRole()));
        System.out.println("Binding members: ");
        for (String mem : binding.getMembers()) {
            System.out.println(String.format("\t%s", mem));
        }
    }
}

Example 13 with SetIamPolicyRequest

use of com.google.api.services.iam.v1.model.SetIamPolicyRequest in project java-docs-samples by GoogleCloudPlatform.

the class Hl7v2StoreSetIamPolicy method hl7v2StoreSetIamPolicy.

public static void hl7v2StoreSetIamPolicy(String hl7v2StoreName) throws IOException {
    // String hl7v2StoreName =
    // String.format(
    // HL7v2_NAME, "your-project-id", "your-region-id", "your-dataset-id", "your-hl7v2-id");
    // Initialize the client, which will be used to interact with the service.
    CloudHealthcare client = createClient();
    // Configure the IAMPolicy to apply to the store.
    // For more information on understanding IAM roles, see the following:
    // https://cloud.google.com/iam/docs/understanding-roles
    Binding binding = new Binding().setRole("roles/healthcare.hl7V2Consumer").setMembers(Arrays.asList("domain:google.com"));
    Policy policy = new Policy().setBindings(Arrays.asList(binding));
    SetIamPolicyRequest policyRequest = new SetIamPolicyRequest().setPolicy(policy);
    // Create request and configure any parameters.
    Hl7V2Stores.SetIamPolicy request = client.projects().locations().datasets().hl7V2Stores().setIamPolicy(hl7v2StoreName, policyRequest);
    // Execute the request and process the results.
    Policy updatedPolicy = request.execute();
    System.out.println("HL7v2 policy has been updated: " + updatedPolicy.toPrettyString());
}

Example 14 with SetIamPolicyRequest

use of com.google.api.services.iam.v1.model.SetIamPolicyRequest in project java-docs-samples by GoogleCloudPlatform.

the class Quickstart method setPolicy.

private static void setPolicy(CloudResourceManager crmService, String projectId, Policy policy) {
    // Cloud Resource Manager Projects API.
    try {
        SetIamPolicyRequest request = new SetIamPolicyRequest();
        request.setPolicy(policy);
        crmService.projects().setIamPolicy(projectId, request).execute();
    } catch (IOException e) {
        System.out.println("Unable to set policy: \n" + e.getMessage() + e.getStackTrace());
    }
}

Example 15 with SetIamPolicyRequest

use of com.google.api.services.iam.v1.model.SetIamPolicyRequest in project java-docs-samples by GoogleCloudPlatform.

the class FhirStoreSetIamPolicy method fhirStoreSetIamPolicy.

public static void fhirStoreSetIamPolicy(String fhirStoreName) throws IOException {
    // String fhirStoreName =
    // String.format(
    // FHIR_NAME, "your-project-id", "your-region-id", "your-dataset-id", "your-fhir-id");
    // Initialize the client, which will be used to interact with the service.
    CloudHealthcare client = createClient();
    // Configure the IAMPolicy to apply to the store.
    // For more information on understanding IAM roles, see the following:
    // https://cloud.google.com/iam/docs/understanding-roles
    Binding binding = new Binding().setRole("roles/healthcare.fhirResourceReader").setMembers(Arrays.asList("domain:google.com"));
    Policy policy = new Policy().setBindings(Arrays.asList(binding));
    SetIamPolicyRequest policyRequest = new SetIamPolicyRequest().setPolicy(policy);
    // Create request and configure any parameters.
    FhirStores.SetIamPolicy request = client.projects().locations().datasets().fhirStores().setIamPolicy(fhirStoreName, policyRequest);
    // Execute the request and process the results.
    Policy updatedPolicy = request.execute();
    System.out.println("FHIR policy has been updated: " + updatedPolicy.toPrettyString());
}