File: //snap/google-cloud-cli/394/lib/surface/secrets/add_iam_policy_binding.py
# -*- coding: utf-8 -*- #
# Copyright 2024 Google Inc. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Command to add-iam-policy-binding to a secret resource."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.api_lib.secrets import api as secrets_api
from googlecloudsdk.api_lib.util import exceptions as gcloud_exception
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.iam import iam_util
from googlecloudsdk.command_lib.secrets import args as secrets_args
@base.DefaultUniverseOnly
@base.ReleaseTracks(base.ReleaseTrack.GA)
class AddIamPolicyBinding(base.Command):
"""Add IAM policy binding to a secret.
Add an IAM policy binding to the IAM policy of a secret. One binding
consists of a member and a role.
"""
detailed_help = {
'EXAMPLES': """\
To add an IAM policy binding for the role of 'roles/secretmanager.secretAccessor'
for the user 'test-user@gmail.com' on my-secret, run:
$ {command} my-secret --member='user:test-user@gmail.com' --role='roles/secretmanager.secretAccessor'
See https://cloud.google.com/iam/docs/managing-policies for details of
policy role and member types.
""",
}
@staticmethod
def Args(parser):
secrets_args.AddSecret(
parser,
purpose='',
positional=True,
required=True,
help_text='Name of the secret for which to add the IAM policy binding.',
)
secrets_args.AddLocation(parser, purpose='to add iam policy', hidden=False)
iam_util.AddArgsForAddIamPolicyBinding(parser, add_condition=True)
@gcloud_exception.CatchHTTPErrorRaiseHTTPException(
'Status code: {status_code}. {status_message}.'
)
def Run(self, args):
api_version = secrets_api.GetApiFromTrack(self.ReleaseTrack())
multi_ref = args.CONCEPTS.secret.Parse()
condition = iam_util.ValidateAndExtractConditionMutexRole(args)
result = secrets_api.Secrets(api_version=api_version).AddIamPolicyBinding(
multi_ref,
args.member,
args.role,
condition=condition,
secret_location=args.location,
)
iam_util.LogSetIamPolicy(multi_ref.Name(), 'secret')
return result
@base.DefaultUniverseOnly
@base.ReleaseTracks(base.ReleaseTrack.BETA)
class AddIamPolicyBindingBeta(AddIamPolicyBinding):
"""Add IAM policy binding to a secret resource."""
detailed_help = {
'EXAMPLES': """\
To add an IAM policy binding for the role of 'roles/secretmanager.secretAccessor'
for the user 'test-user@gmail.com' on my-secret, run:
$ {command} my-secret --member='user:test-user@gmail.com' --role='roles/secretmanager.secretAccessor'
See https://cloud.google.com/iam/docs/managing-policies for details of
policy role and member types.
""",
}