File: //snap/google-cloud-cli/current/lib/surface/policy_intelligence/troubleshoot_policy/iam.py
# -*- coding: utf-8 -*- #
# Copyright 2022 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Command to query activities."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.api_lib.policy_intelligence import policy_troubleshooter
from googlecloudsdk.calliope import base
_DETAILED_HELP = {
'brief': """Troubleshoot the IAM Policy.
""",
'DESCRIPTION': """\
Performs a check on whether a principal is granted a
permission on a resource and how that access is determined according to
the resource's effective IAM policy interpretation.
""",
'EXAMPLES': """\
To troubleshoot a permission of a principal on a resource, run:
$ {command} //cloudresourcemanager.googleapis.com/projects/project-id \
--principal-email=my-iam-account@somedomain.com \
--permission=resourcemanager.projects.get
See https://cloud.google.com/iam/help/allow-policies/overview for more
information about IAM policies.
""",
}
_DETAILED_HELP = {
'brief': """Troubleshoot IAM allow and deny policies.
""",
'DESCRIPTION': """\
Uses a resource's effective IAM allow policy and IAM deny policy to
check whether a principal has a specific permission on the resource.
""",
'EXAMPLES': """\
The following command checks whether the principal ``my-user@example.com''
has the permission ``resourcemanager.projects.get'' on the project
``my-project'':
$ {command} //cloudresourcemanager.googleapis.com/projects/my-project
--principal-email=my-user@example.com
--permission=resourcemanager.projects.get
The following command checks whether the principal ``my-user@example.com''
has the ``compute.images.get'' permission on the project
``my-project''. The command also provides additional context that lets
Troubleshooter evaluate conditional role bindings:
$ {command} //cloudresourcemanager.googleapis.com/projects/my-project \
--principal-email=my-user@example.com \
--permission=compute.images.get \
--resource-name=//compute.googleapis.com/projects/my-project/zones/images/my-image'\
--resource-service='compute.googleapis.com' \
--resource-type='compute.googleapis.com/Image' \
--destination-ip='192.2.2.2'--destination-port=8080 --request-time='2023-01-01T00:00:00Z'
""",
}
def _Args(parser):
"""Parses arguments for the commands."""
parser.add_argument(
'resource',
metavar='RESOURCE',
type=str,
help="""Full resource name that access is checked against.
For a list of full resource name formats, see: https://cloud.google.com/iam/docs/resource-names.
""",
)
parser.add_argument(
'--principal-email',
required=True,
metavar='EMAIL',
type=str,
help="""Email address that identifies the principal to check. Only Google Accounts and
service accounts are supported.
""",
)
parser.add_argument(
'--permission',
required=True,
metavar='PERMISSION',
type=str,
help="""IAM permission to check. The permssion can be in the `v1` or `v2`
format. For example, `resourcemanager.projects.get` or
`cloudresourcemanager.googleapis.com/projects.get`.
For a list of permissions, see https://cloud.google.com/iam/docs/permissions-reference and https://cloud.google.com/iam/docs/deny-permissions-support
""",
)
parser.add_argument(
'--resource-service',
required=False,
type=str,
help="""The resource service value to use when checking conditional bindings.
For accepted values, see: https://cloud.google.com/iam/docs/conditions-resource-attributes#resource-service
""",
)
parser.add_argument(
'--resource-type',
required=False,
type=str,
help="""The resource type value to use when checking conditional bindings.
For accepted values, see: https://cloud.google.com/iam/docs/conditions-resource-attributes#resource-type
""",
)
parser.add_argument(
'--resource-name',
required=False,
type=str,
help="""The resource name value to use when checking conditional bindings.
For accepted values, see: https://cloud.google.com/iam/docs/conditions-resource-attributes#resource-name.
""",
)
parser.add_argument(
'--request-time',
required=False,
type=str,
help="""The request timestamp to use when checking conditional bindings. This string must adhere to UTC format
(RFC 3339). For example,2021-01-01T00:00:00Z. For more information, see:
https://tools.ietf.org/html/rfc3339
""",
)
parser.add_argument(
'--destination-ip',
required=False,
type=str,
help="""The request destination IP address to use when checking conditional bindings. For example, `198.1.1.1`.
""",
)
parser.add_argument(
'--destination-port',
required=False,
type=int,
help="""The request destination port to use when checking conditional bindings. For example, 8080.
""",
)
def _Run(policy_troubleshooter_api, args):
"""Troubleshoot the IAM Policies."""
destination_context = policy_troubleshooter_api.GetPolicyTroubleshooterPeer(
destination_ip=args.destination_ip,
destination_port=args.destination_port,
)
request_context = policy_troubleshooter_api.GetPolicyTroubleshooterRequest(
request_time=args.request_time
)
resource_context = policy_troubleshooter_api.GetPolicyTroubleshooterResource(
resource_name=args.resource_name,
resource_service=args.resource_service,
resource_type=args.resource_type,
)
condition_context = (
policy_troubleshooter_api.GetPolicyTroubleshooterConditionContext(
destination=destination_context,
request=request_context,
resource=resource_context,
)
)
access_tuple = policy_troubleshooter_api.GetPolicyTroubleshooterAccessTuple(
condition_context=condition_context,
full_resource_name=args.resource,
principal_email=args.principal_email,
permission=args.permission,
)
return policy_troubleshooter_api.TroubleshootIAMPolicies(access_tuple)
@base.ReleaseTracks(base.ReleaseTrack.ALPHA)
@base.Hidden
class TroubleshootAlpha(base.Command):
"""Troubleshoot the IAM Policies."""
detailed_help = _DETAILED_HELP
@staticmethod
def Args(parser):
"""Parses arguments for the commands."""
_Args(parser)
def Run(self, args):
return _Run(
policy_troubleshooter.PolicyTroubleshooterApi(self.ReleaseTrack()), args
)
@base.ReleaseTracks(base.ReleaseTrack.BETA)
@base.Hidden
class TroubleshootBeta(base.Command):
"""Troubleshoot IAM allow and deny policies."""
detailed_help = _DETAILED_HELP
@staticmethod
def Args(parser):
"""Parses arguments for the commands."""
_Args(parser)
def Run(self, args):
return _Run(
policy_troubleshooter.PolicyTroubleshooterApi(self.ReleaseTrack()), args
)
@base.ReleaseTracks(base.ReleaseTrack.GA)
class Troubleshoot(base.Command):
"""Troubleshoot IAM allow and deny policies."""
detailed_help = _DETAILED_HELP
@staticmethod
def Args(parser):
"""Parses arguments for the commands."""
_Args(parser)
def Run(self, args):
return _Run(
policy_troubleshooter.PolicyTroubleshooterApi(self.ReleaseTrack()), args
)