SrSSKrSSKJr SSKJr SSKJr SSK J r SSK J r SSKJr SS KJr S rS rS rS S\SS/rSrSrSSjrSrSSjrSSjrSrg)zService account utils.N) exceptions)cloudbuild_util) projects_api)run_util)util)log) console_iozroles/cloudbuild.builds.builderz roles/editorzroles/run.invokerzroles/run.adminzroles/run.developerzroles/run.servicesInvokerzroles/run.sourceDeveloperzrun.routes.invokez6{project_number}-compute@developer.gserviceaccount.comc[R"5nSUSUS3nURRURR US95R $)z5Gets the default build service account for a project.z projects/z /locations/z/defaultServiceAccount)name)rGetClientInstanceprojects_locationsGetDefaultServiceAccountMESSAGES_MODULE:CloudbuildProjectsLocationsGetDefaultServiceAccountRequestserviceAccountEmail) project_idregionclientr s @lib/googlecloudsdk/command_lib/functions/service_account_util.pyGetDefaultBuildServiceAccountr)sc  , , .& ZL F83I J$  " " ; ; WWX  cb[R"SU5nU(aURS5$g)zEExtracts the service account email from the service account resource.z/serviceAccounts/([^/]+)$N)researchgroup)service_accountmatchs r_ExtractServiceAccountEmailr4s' ))0/ B% ;;q> rc Uc[[X55n[R"U5nU[R US9:Xa[ R"[R"U55nSU3nURVs/sH nXVR;dMUR PM" nn[U;aN["U;aC[$R&"5(a([$R("SSSUS[S US US 3 S 9 ggggg![Ra [R"SUU[5 gf=fs snf) a=Util to validate the default build service account permission. Prompt a warning to users if cloudbuild.builds.builder is missing. Args: project_id: id of project region: region to deploy the function build_service_account: user provided build service account. It will be None, if user doesn't provide it. Nproject_numberzYour account does not have permission to check or bind IAM policies to project [%s]. If the deployment fails, ensure [%s] has the role [%s] before retrying.serviceAccount:FTz$ The default build service account [] is missing the [z] role. This may cause issues when deploying a function. You could fix it by running the command: gcloud projects add-iam-policy-binding z \ --member=serviceAccount:z-compute@developer.gserviceaccount.com \ --role=roles/cloudbuild.builds.builder For more information, please refer to: https://cloud.google.com/functions/docs/troubleshooting#build-service-account. Would you like to continue?default cancel_on_no prompt_string)rr project_utilGetProjectNumber_GCE_SAformatr GetIamPolicy ParseProjectapitools_exceptionsHttpForbiddenErrorrwarning _BUILDER_ROLEbindingsmembersrole _EDITOR_ROLEr CanPromptPromptContinue)rrbuild_service_accountr" iam_policyaccount_stringbindingcontained_roless r2ValidateDefaultBuildServiceAccountAndPromptWarningr>=sj"7%j9 00<.gnnNnKK ,,  # #J /j ''<&=>N"***G __ ,  * _,  /  " "56K5LM""/1**8)9:- -  # 0 -3L  1 1   kk4       s*DD=D=1D:9D:c[R"U5nU(aUO[RUS9n[R "[R "U55n[XR5(a:[R"USU3SUS9 [RRS5 gg![Ra [R"SUU[ 5 gf=f)azValidates trigger service account has route.invoker permission on project. If missing, prompt user to add the run invoker role on the function's Cloud Run service. Args: function: the function to add the binding to project_id: the project id to validate trigger_service_account: the trigger service account to validate is_gen2: whether the function is a gen2 function r!r#T) add_bindingis_gen2zRole successfully bound. zYour account does not have permission to check or bind IAM policies to project [%s]. If your function encounters authentication errors, ensure [%s] has the role [%s].N)r)r*r+r,rr-r._ShouldBindInvokerRolerAddOrRemoveInvokerBindingrstatusPrintr/r0r1_RUN_INVOKER_ROLE)functionrtrigger_service_accountrAr"r:s r$ValidateAndBindTriggerServiceAccountrIs" 00<. ! >>> 8 **!!*-JjBB((  34 5   jj34C  / /KK A  sA3B))1CCcSnSU3nURHNnX4R;aMUR[;a gURR S5(aMLSnMP SUS[ S3nU(aSUS[ S [ S 3n[R"5=(a [R"SSUS -S 9nU(d[R"U5 U$) z1Prompts user to bind the invoker role if missing.Fr#zroles/TzYour trigger service account [r$zI] role. This will cause authentication errors when running the function. z] likely lacks the [z] permission, which will cause authentication errors. Since this service account uses a custom role, please verify that the custom role includes this permission. If not, you'll need to either add this permission to the custom role, or grant the [z(] role to the service account directly. zU Do you want to add the invoker binding to the IAM policy of your Cloud Run function?r%) r3r4r5._PREDEFINE_ROLES_WITH_ROUTE_INVOKER_PERMISSION startswithrF_ROUTE_INVOKER_PERMISSIONr r7r8rr1)r:rcustom_role_detectedr;r<r( should_binds rrBrBs$_$56.$$g__,||EE  \\ $ $X . ."% '&78 !"--  ((9:012+,=*=>'  '$$&:+D+D! "",+ KK  r)global)N)F)__doc__rapitools.base.pyrr/!googlecloudsdk.api_lib.cloudbuildr+googlecloudsdk.api_lib.cloudresourcemanagerr$googlecloudsdk.command_lib.functionsr#googlecloudsdk.command_lib.projectsrr)googlecloudsdk.corergooglecloudsdk.core.consoler r2r6rFrKrMr+rrr>rIrBrrrZs| >=D9D#21  ' 2.0 B/3DV  +\)r