SrSSKJr SSKJr SSKJr SSKrSSKrSSKrSSKJ r SSK J r SSK Jr SSK J r SS KJr SS KJr SS KJr SS KJr SS KJr SS KJr SSKJr SSKJr SSKJr SSKJ r SSK!r!\RD"SS5r#\#RHRJr&\#RNRPr)\#RTRPr+\#RXRZr.\#R^R`r1Sr2Sr3Sr4\Rj"SS5r6\Rj"SS5r7Sr8SS0r9\:"5r;SS0rrZS?r[S@r\SsSAjr]SBr^SCr_SDr`SEraSFrbSGrcSHrdSIreSJrf\74SKjrgSLrhSMriSNrjSOrkStSPjrlSuSQjrmSuSRjrnSvSSjroSTrpSUrqSVrrSWrsSXrtSYruSZrvS[rwS\rxS]ryS^rzS_r{SwS`jr|SxSajr}SwSbjr~ScrSdrSySejrSfrSgrShrSirSjrSkrSlrSmrg)zz,General IAM utilities used by the Cloud SDK.)absolute_import)division)unicode_literalsN)messages)encoding)apis) arg_parsers) exceptions) completers)log) properties) resources)yaml) console_io)filesiamv1ziam.projects.serviceAccountsz8table(displayName:label="DISPLAY NAME", email, disabled)a table( name.scope(keys):label=KEY_ID, validAfterTime:label=CREATED_AT, validBeforeTime:label=EXPIRES_AT, disabled:label=DISABLED, disable_reason:label=DISABLE_REASON, extended_status:label=EXTENDED_STATUS ) conditionzcondition must be either `None` or a list of key=value pairs. If not `None`, `expression` and `title` are required keys. Example: --condition=expression=[expression],title=[title],description=[description]zcondition-from-filezcondition-from-file must be a path to a YAML or JSON file containing the condition. `expression` and `title` are required keys. `description` is optional. To specify a `None` condition, use --condition=None.AllNonecU[:H$N)_ALL_CONDITIONSrs .lib/googlecloudsdk/command_lib/iam/iam_util.py_IsAllConditionsrWs o %%c\rSrSrSrSrg)IamEtagReadError[z8IamEtagReadError is raised when etag is badly formatted.N__name__ __module__ __qualname____firstlineno____doc____static_attributes__r"rrr r [@rr c\rSrSrSrSrg)IamPolicyBindingNotFound_z:Raised when the specified IAM policy binding is not found.r"Nr#r"rrr,r,_sBrr,c\rSrSrSrSrg)IamPolicyBindingInvalidErrorcz8Raised when the specified IAM policy binding is invalid.r"Nr#r"rrr/r/cr*rr/c\rSrSrSrSrg)IamPolicyBindingIncompleteErrorgz;Raised when the specified IAM policy binding is incomplete.r"Nr#r"rrr2r2gsCrr2cxSRUS9nSU;aUS- nU(dUS- nURSSUUS/S 9 g ) z'Create --member flag and add to parser.zThe principal {verb}. Should be of the form `user|group|serviceAccount:email` or `domain:domain`. Examples: `user:test-user@gmail.com`, `group:admins@example.com`, `serviceAccount:test123@example.domain.com`, or `domain:example.domain.com`. )verbremovez Deleted principals have an additional `deleted:` prefix and a `?uid=UID` suffix, where ``UID'' is a unique identifier for the principal. Example: `deleted:user:test-user@gmail.com?uid=123456789012345678901`. a@ Some resources also accept the following special values: * `allUsers` - Special identifier that represents anyone who is on the internet, with or without a Google account. * `allAuthenticatedUsers` - Special identifier that represents anyone who is authenticated with a Google account or a service account. z--member PRINCIPALz --principal)metavarrequiredhelpsuggestion_aliasesN)format add_argument)parserr5hide_special_member_typesr9help_strs r AddMemberFlagrAksm  6t6     H #   H  ' *rcR[[[SS.n[R"USS9$)N) expressiontitle descriptionrT)specallow_key_only)strr ArgDict)condition_specs r_ConditionArgDictrKs* .   . FFrc$SRUS9nU$)z"Get the help text for --condition.a{intro} When using the `--condition` flag, include the following key-value pairs: *expression*::: (Required) Condition expression that evaluates to True or False. This uses a subset of Common Expression Language syntax. If the condition expression includes a comma, use a different delimiter to separate the key-value pairs. Specify the delimiter before listing the key-value pairs. For example, to specify a colon (`:`) as the delimiter, do the following: `--condition=^:^title=TITLE:expression=EXPRESSION`. For more information, see https://cloud.google.com/sdk/gcloud/reference/topic/escaping. *title*::: (Required) A short string describing the purpose of the expression. *description*::: (Optional) Additional description for the expression. )intror<)rM help_texts r_ConditionHelpTextrPs" " 66 # $ rcSn[U5nSnUR5nURS[5SUS9 URS[R "5US9 g) -Create flags for condition and add to parser.aA condition to include in the binding. When the condition is explicitly specified as `None` (`--condition=None`), a binding without a condition is added. When the condition is specified and is not `None`, `--role` cannot be a basic role. Basic roles are `roles/editor`, `roles/owner`, and `roles/viewer`. For more on conditions, refer to the conditions overview guide: https://cloud.google.com/iam/docs/conditions-overvieww Path to a local JSON or YAML file that defines the condition. To see available fields, see the help for `--condition`. --condition KEY=VALUE)typer8r:--condition-from-filerVr:NrPadd_mutually_exclusive_groupr=rKr FileContents)r>condition_introhelp_str_conditionhelp_str_condition_from_filecondition_groups r*_AddConditionFlagsForAddBindingToIamPolicyr`sw9/*/:"<779/       # # % ')rcSn[U5nSnSnUR5nURS[5SUUS9 URS[R "5US9 URS S US 9 g ) rRaThe condition of the binding that you want to remove. When the condition is explicitly specified as `None` (`--condition=None`), a binding without a condition is removed. Otherwise, only a binding with a condition that exactly matches the specified condition (including the optional description) is removed. For more on conditions, refer to the conditions overview guide: https://cloud.google.com/iam/docs/conditions-overviewrSzR Remove all bindings with this role and principal, irrespective of any conditions.rTrU)rVr8 completerr:rWrXz--all store_true)actionr:NrY)r>condition_completerr\r]r^help_str_condition_allr_s r/_AddConditionFlagsForRemoveBindingFromIamPolicyrgs9/*/:"<779/  #    # # % ')  l)?ArcSU;aSU;d SU;dSU;aUegURS5(aURS5(dUeg)NrrCrErD)get)r exceptions rValidateConditionArgumentrksU y !]i%?9 o  == & &immG.D.D o/Ercp/SQn[U5(a"[U5(dX;a [S5eggg)N) roles/editorz roles/ownerz roles/viewerz|Binding with a condition and a basic role is not allowed. Basic roles are `roles/editor`, `roles/owner`, and `roles/viewer`.)_ConditionIsSpecified_IsNoneConditionr/)rroleprimitive_roless r'ValidateMutexConditionAndPrimitiveRolesrrsCC/I&&/? /J/J  &  0K&rcF[U5n[XR5 U$)zFExtract IAM condition from arguments and validate conditon/role mutex.)ValidateAndExtractConditionrrrpargsrs r$ValidateAndExtractConditionMutexRolerws)$/)))YY? rcSnURS5(a&[UR[5 URnURS5(a[ UR 5nU$)z%Extract IAM condition from arguments.Nrcondition_from_file) IsSpecifiedrkrCONDITION_FORMAT_EXCEPTIONParseYamlOrJsonConditionryrus rrtrtsX) k""dnn.HII +,,()A)ABI rc&URSSSS9 g)zAdds the IAM policy file argument to the given parser. Args: parser: An argparse.ArgumentParser-like object to which we add the argss. Raises: ArgumentError if one of the arguments is already defined in the parser. policy_file POLICY_FILEa* Path to a local JSON or YAML formatted file containing a valid policy. The output of the `get-iam-policy` command is a valid file, as is any JSON or YAML file conforming to the structure of a [Policy](https://cloud.google.com/iam/reference/rest/v1/Policy). )r8r:N)r=)r>s rAddArgForPolicyFilers"    rcjSnURSSXS9 [USU5 U(a [U5 gg)a"Adds the IAM policy binding arguments for role and members. Args: parser: An argparse.ArgumentParser-like object to which we add the argss. role_completer: A command_lib.iam.completers.IamRolesCompleter class to complete the `--role` flag value. add_condition: boolean, If true, add the flags for condition. hide_special_member_types: boolean. If true, help text for member does not include special values `allUsers` and `allAuthenticatedUsers`. Raises: ArgumentError if one of the arguments is already defined in the parser. z Role name to assign to the principal. The role name is the complete path of a predefined role, such as `roles/logging.viewer`, or the role ID for a custom role, such as `organizations/{ORGANIZATION_ID}/roles/logging.viewer`. --roleTr9rbr:zto add the binding forN)r=rAr`)r>role_completer add_conditionr?rOs rAddArgsForAddIamPolicyBindingr%sD$)  I02KL.v6rcdURSSUSS9 [USU5 U(a [XS9 gg)ahAdds the IAM policy binding arguments for role and members. Args: parser: An argparse.ArgumentParser-like object to which we add the args. role_completer: A command_lib.iam.completers.IamRolesCompleter class to complete the --role flag value. add_condition: boolean, If true, add the flags for condition. condition_completer: A completer to complete the condition flag value. hide_special_member_types: boolean. If true, help text for member does not include special values `allUsers` and `allAuthenticatedUsers`. Raises: ArgumentError if one of the arguments is already defined in the parser. rTz&The role to remove the principal from.rzto remove the binding for)reN)r=rArg)r>rrrer?s r AddArgsForRemoveIamPolicyBindingrEsF&  3 5 35NO39rcPURH&nURU:XdMX$R;dM& g URH0nURU:XdMURRU5 g URRU"U/SR U5S95 g)aGiven an IAM policy, add new bindings as specified by args. An IAM binding is a pair of role and member. Check if the arguments passed define both the role and member attribute, create a binding out of their values, and append it to the policy. Args: binding_message_type: The protorpc.Message of the Binding to create policy: IAM policy to which we want to add the bindings. member: The member to add to IAM policy. role: The role the member should have. Returns: boolean, whether or not the policy was updated. FTz{0})membersrp)bindingsrprappendr<)binding_message_typepolicymemberrpbindings rAddBindingToIamPolicyrcs*g||t ?? "!g||t ooV$ !  //F8%,,t2DEG rc"USL=(a SU;$)z#When user specify --condition=None.Nrr"rs rroros $  66Y#66rc USL$)zWhen --condition is specified.Nr"rs rrnrns $ rc[U5(a][U5(dM[R"5(d Sn[ U5e[ U5n[ U[5 [XT5 [U5(d6[U5(a&[U5(d[R"S5 [U5(aSOUn[UXUXE5 g)a Given an IAM policy, add a new role/member binding with condition. An IAM binding is a pair of role and member with an optional condition. Check if the arguments passed define both the role and member attribute, create a binding out of their values, and append it to the policy. Args: binding_message_type: The protorpc.Message of the Binding to create. condition_message_type: the protorpc.Message of the Expr. policy: IAM policy to which we want to add the bindings. member: The member of the binding. role: The role the member should have. condition: The condition of the role/member binding. Raises: IamPolicyBindingIncompleteError: when user adds a binding without specifying --condition to a policy containing conditions in the non-interactive mode. zAdding a binding without specifying a condition to a policy containing conditions is prohibited in non-interactive mode. Run the command again with `--condition=None`zAdding binding with condition to a policy without condition will change the behavior of add-iam-policy-binding and remove-iam-policy-binding commands.N) _PolicyContainsConditionrnr CanPromptr2(_PromptForConditionAddBindingToIamPolicyrkr{rrror warning#_AddBindingToIamPolicyWithCondition)rcondition_message_typerrrprmessages r"AddBindingToIamPolicyWithConditionrs*f%%.CI.N.N    ! ! @ ,G 448@Ii)CD+I< "6 * *I&&/? /J/JKK67'y11dy)%&:&%_ConditionsInPolicy..s!r)key) rrrpr_ConditionToStringitemssortedr_NONE_CONDITION)rrrp conditionsrr contain_none condition_strs r_ConditionsInPolicyrs*g&OO3$,:>,,:N##i2;#I./ ! , zL60:0@0@0BD0B,M*0B Djn5*v/0  Ds7B4c Ucg/SQn/nUHGn[X5cMURSRUR5[X5S95 MI SR U5$)NrrCrDrEz {key}={value})rvalue, )getattrrr<upperjoin)rkeys key_valuesrs rrrsk  /$* cy*..iik!8/:; : rc[U5nU(a#USSS:waURS[45 URS[45 U$)aoThe choices in a prompt for condition when adding binding to policy. All conditions in the policy will be returned. Two more choices (i.e. `None` and `Specify a new condition`) are appended. Args: policy: the IAM policy which the binding is added to. Returns: a list of conditions appearing in policy plus the choices of `None` and `Specify a new condition`. rrzSpecify a new condition)rrr_NEW_CONDITION)rrs r%PromptChoicesForAddBindingToIamPolicyrsN#6**JrN1%/v/0 .?@ rcZ[XU5nU(aURS[45 U$)aSThe choices in a prompt for condition when removing binding from policy. Args: policy: the IAM policy which the binding is removed from. member: the member of the binding to be removed. role: the role of the binding to be removed. Returns: a list of conditions from the policy whose bindings contain the given member and role. zall conditions)rrr)rrrprs r*PromptChoicesForRemoveBindingFromIamPolicyrs-#648*'9: rcd[U[5(aU$0nSHn[X5X'M U$)Nr) isinstancedictr)rreturn_conditionrs r_ToDictConditionrs9 4   3c#I34 rcSn[U5nUVs/sHo3SPM nn[R"XAS9nU[U5S- :Xa [ 5$[ X%S5$s snf)z0Prompt user for a condition when adding binding.zThe policy contains bindings with conditions, so specifying a condition is required when adding a binding. Please specify a condition.r prompt_string)rr PromptChoicelen_PromptForNewConditionr)rprompt_messagerccondition_keyscondition_indexs rrrsp;.5V<*",-*QaD*.-++4/J!++ ! ## *5a8 99 .sA"c[XU5nU(d [S5eSnUVs/sHoUSPM nn[R"XdS9nU[ U5S- :Xa[ $[ X7S5$s snf)z2Prompt user for a condition when removing binding.?Policy binding with the specified principal and role not found!zThe policy contains bindings with conditions, so specifying a condition is required when removing a binding. Please specify a condition.rrr)rr,rrrrr)rrrprrrrrs r-_PromptForConditionRemoveBindingFromIamPolicyr)s9&$O*  "  ;.#--*QaD*.-++4/J!++  *5a8 99 .sA1cVSn[R"U5n[5"U5nU$)NzCondition is either `None` or a list of key=value pairs. If not `None`, `expression` and `title` are required keys. Example: --condition=expression=[expression],title=[title],description=[description]. Specify the condition)rPromptWithDefaultrK)rcondition_stringcondition_dicts rrr<s3:  11.A$&'78. rcUcUcgUbUcgURURS5:H=(aC URURS5:H=(a URURS5:H$)NTFrCrDrE)rCrirDrEbinding_conditioninput_conditions r_EqualConditionsrGs{?#: /"9   & &/*=*=l*K K N  ! !_%8%8%A A N  ' '?+>+>}+M MOrcURHZnURU:XdM[URUS9(dM0X6R;aURR U5 g SnUb5U"UR S5UR S5UR S5S9nURR U"U/SRU5US95 g) zBGiven an IAM policy, add a new role/member binding with condition.rNrCrDrErz{})rrpr)rrprrrrrir<)rrrrrprrcondition_messages rrrQsg||t 0!++Y!H!H  &v& !.==.mmG$MM-02 //(T!2%'(rc@U(dS[U5(aC[U5(d3[R"5(d Sn[ U5e[ XU5nU(d[ U5(a [XU5 g[U5(aSOUn[XX#5 g)aGiven an IAM policy, remove bindings as specified by the args. An IAM binding is a pair of role and member with an optional condition. Check if the arguments passed define both the role and member attribute, search the policy for a binding that contains this role, member and condition, and remove it from the policy. Args: policy: IAM policy from which we want to remove bindings. member: The member to remove from the IAM policy. role: The role of the member should be removed from. condition: The condition of the binding to be removed. all_conditions: If true, all bindings with the specified member and role will be removed, regardless of the condition. Raises: IamPolicyBindingNotFound: If specified binding is not found. IamPolicyBindingIncompleteError: when user removes a binding without specifying --condition to a policy containing conditions in the non-interactive mode. a(Removing a binding without specifying a condition from a policy containing conditions is prohibited in non-interactive mode. Run the command again with `--condition=None` to remove a binding without condition or run command with `--all` to remove all bindings of the specified principal and role.N) rrnrrr2rr(_RemoveBindingFromIamPolicyAllConditionsro(_RemoveBindingFromIamPolicyWithCondition)rrrprall_conditionsrs r'RemoveBindingFromIamPolicyWithConditionrhs4 4 +I66    ! ! : ,G 44=I' 22,VTB(33I,VTMrcRSnURHBnX$R:XdMXR;dM%URRU5 SnMD U(d [ S5eURVs/sHoUR(dMUPM snURSS&gs snf)zDRemove all member/role bindings from policy regardless of condition.FTz@Policy bindings with the specified principal and role not found!Nrrprr6r,)rrrpconditions_removedrbs rrrsg ||// 9 ooV$!  "  $*??@?aii?@&//!@s 5B$ B$crURH[nX$R:XdM[URUS9(dM/XR;dM@URR U5 O [ S5eURVs/sHoUR(dMUPM snURSS&gs snf)z>Remove the member/role binding with the condition from policy.rzKPolicy binding with the specified principal, role, and condition not found!N)rrprrrr6r,)rrrprrrs rrrsg !1!++Y"H"H//! ooV$ ! # ) **$*??@?aii?@&//!@s B4B4cPURHnUR(dM g g)aInvestigate if policy has bindings with condition. Given an IAM policy and return True if the policy contains any binding which has a condition. Return False otherwise. Args: policy: IAM policy. Returns: True if policy has bindings with conditions, otherwise False. TF)rr)rrs rrrs&g ! rcpURH&nURU:XdMXR;dM& g g)z6Returns True if policy contains the specified binding.TF)rrpr)rrrprs rBindingInPolicyrs-g||t// 9 ! rcBURHAnURU:XdMXR;dM&URRU5 O Sn[ U5eURVs/sHoUR(dMUPM snURSS&gs snf)a Given an IAM policy, remove bindings as specified by the args. An IAM binding is a pair of role and member. Check if the arguments passed define both the role and member attribute, search the policy for a binding that contains this role and member, and remove it from the policy. Args: policy: IAM policy from which we want to remove bindings. member: The member to remove from the IAM policy. role: The role the member should be removed from. Raises: IamPolicyBindingNotFound: If specified binding is not found. rNr)rrrprrrs rRemoveBindingFromIamPolicyrsy$g||t// 9 ooV$ ! PG "7 ++$*??@?aii?@&//!@s -BBc[R"U5n[R"U5nSR [ UR 555$)zConstruct a FieldMask based on input policy. Args: policy_file_path: Path to the JSON or YAML IAM policy file. Returns: a FieldMask containing policy fields to be modified, based on which fields are present in the input file. ,)rReadFileContentsrloadrrr)policy_file_pathr~rs rConstructUpdateMaskFromPolicyrs?&&'78+ 99[ !& &' ((rct[UU5up#UR(dSn[R"USSS9 U$)aConstruct an IAM Policy protorpc.Message from a JSON/YAML formatted file. Args: policy_file_path: Path to the JSON or YAML IAM policy file. policy_message_type: Policy message type to convert JSON or YAML to. Returns: a protorpc.Message of type policy_message_type filled in from the JSON or YAML policy file. Raises: BadFileException if the JSON or YAML file is malformed. The specified policy does not contain an "etag" field identifying a specific version to replace. Changing a policy without an "etag" can overwrite concurrent policy changes.Replace existing policyTrr cancel_on_noParseYamlOrJsonPolicyFileetagrPromptContinue)rpolicy_message_typer unused_maskmsgs rParsePolicyFilersF22B2EG&  C#<4Q -rcv[UU5up#UR(dSn[R"USSS9 X#4$)aConstruct an IAM Policy protorpc.Message from a JSON/YAML formatted file. Also contructs a FieldMask based on input policy. Args: policy_file_path: Path to the JSON or YAML IAM policy file. policy_message_type: Policy message type to convert JSON or YAML to. Returns: a tuple of (policy, updateMask) where policy is a protorpc.Message of type policy_message_type filled in from the JSON or YAML policy file and updateMask is a FieldMask containing policy fields to be modified, based on which fields are present in the input file. Raises: BadFileException if the JSON or YAML file is malformed. IamEtagReadError if the etag is badly formatted. rrTrr)rrr update_maskrs rParsePolicyFileWithUpdateMaskrsJ"22B2EG&  C#<4Q  rc [R"U5n[R"X5nSR [ UR 555nX44$![a?n[R"SRU[R"U555eSnAf[R[R 4a4n[#SRU[R"U555eSnAff=f)aCreate an IAM Policy protorpc.Message from a YAML or JSON formatted file. Returns the parsed policy object and FieldMask derived from input dict. Args: policy_file_path: Path to the YAML or JSON IAM policy file. policy_message_type: Policy message type to convert YAML to. Returns: a tuple of (policy, updateMask) where policy is a protorpc.Message of type policy_message_type filled in from the JSON or YAML policy file and updateMask is a FieldMask containing policy fields to be modified, based on which fields are present in the input file. Raises: BadFileException if the YAML or JSON file is malformed. IamEtagReadError if the etag is badly formatted. rzKPolicy file [{0}] is not a properly formatted YAML or JSON policy file. {1}NzA C8#:B'C8/C33C8cH[R"U5n[X!5 U$)ajCreate a condition of IAM policy binding from content of YAML or JSON file. Args: condition_file_content: string, the content of a YAML or JSON file containing a condition. file_format_exception: InvalidArgumentException, the exception to throw when condition file is incorrectly formatted. Returns: a dictionary representation of the condition. )rrrk)condition_file_contentfile_format_exceptionrs rr|r|Xs!ii./)I= rc [R"U5nSU;aUSR5US'[R"X5nU$![ a?n[ R"SRU[R"U555eSnAf[R[R4a4n[SRU[R"U555eSnAff=f)a\Construct an IAM Role protorpc.Message from a Yaml formatted file. Args: file_path: Path to the Yaml IAM Role file. role_message_type: Role message type to convert Yaml to. Returns: a protorpc.Message of type role_message_type filled in from the Yaml role file. Raises: BadFileException if the Yaml file is malformed or does not exist. stagez=Role file {0} is not a properly formatted YAML role file. {1}Nz8The etag of role file {0} is not properly formatted. {1})rrrrrrrrr<rrrrrrr ) file_pathrole_message_type role_to_parserpr s rParseYamlToRolerls..+- *7399;M' *  $ $%6 FD + *  , ,GNN s}}Q' ) **  ' ' 8* BII s}}Q' ) ***s#A C+:B'C+7/C&&C+cd[R"U[R5nUR$)zConstruct a TrustStore protorpc.Message from the content of a Yaml file. Args: yaml_dict: YAML file content to parse. Returns: a TrustStore from the parsed YAML file. Raises: DecodeError if the Yaml file content could not be parsed. ) messages_utilDictToMessageWithErrorCheckmsgsX509 trustStore yaml_dictconfigs rParseYamlToTrustStorers&  4 4Y J&   rcd[R"U[R5nUR$)aConstruct a InlineCertificateIssuanceConfig protorpc.Message from the content of a Yaml file. Args: yaml_dict: YAML file content to parse. Returns: a InlineCertificateIssuanceConfig from the parsed YAML file. Raises: DecodeError if the Yaml file content could not be parsed. )rrrWorkloadIdentityPoolinlineCertificateIssuanceConfigrs r0ParseYamlOrJsonToInlineCertificateIssuanceConfigr!s-  4 4** &  / //rcd[R"U[R5nUR$)zConstruct a InlineTrustConfig protorpc.Message from the content of a Yaml file. Args: yaml_dict: YAML file content to parse. Returns: a InlineTrustConfig from the parsed YAML file. Raises: DecodeError if the Yaml file content could not be parsed. )rrrrinlineTrustConfigrs r"ParseYamlOrJsonToInlineTrustConfigr$s-  4 4** &  ! !!rc U(dSU-nU(dSnU(aUS-OSnU(aSOSnSRXP5S[R"S RUUUUUS 95S .$) aReturns a detailed_help for a set-iam-policy command. Args: collection: Name of the command collection (ex: "project", "dataset") example_id: Collection identifier to display in a sample command (ex: "my-project", '1234') example_see_more: Optional "See ... for details" message. If not specified, includes a default reference to IAM managing-policies documentation additional_flags: str, additional flags to include in the example command (after the command name and before the ID of the resource). use_an: If True, uses "an" instead of "a" for the article preceding uses of the collection. Returns: a dict with boilerplate help text for the set-iam-policy command zexample-z See https://cloud.google.com/iam/docs/managing-policies for details of the policy file format and contents. anazSet IAM policy for {0} {1}. {description}z The following command will read an IAM policy from 'policy.json' and set it for {a} {collection} with '{id}' as the identifier: $ {{command}} {flags}{id} policy.json {see_more}) collectionidsee_moreflagsr)brief DESCRIPTIONEXAMPLES)r<textwrapdedent)r+ example_idexample_see_moreadditional_flagsuse_anr)s rGetDetailedHelpForSetIamPolicyr9s. j(J 50@%+Rd#! ( . .q =  // #'$    rc U(aSOSnSnSRXP5SSRXX%S9S.nU(aUS S RXX%S9-US 'S RUS U/5US 'U$) aReturns a detailed_help for an add-iam-policy-binding command. Args: collection: Name of the command collection (ex: "project", "dataset") example_id: Collection identifier to display in a sample command (ex: "my-project", '1234') role: The sample role to use in the documentation. The default of 'roles/editor' is usually sufficient, but if your command group's users would more likely use a different role, you can override it here. use_an: If True, uses "an" instead of "a" for the article preceding uses of the collection. condition: If True, add help text for condition. Returns: a dict with boilerplate help text for the add-iam-policy-binding command r(r)zgSee https://cloud.google.com/iam/docs/managing-policies for details of policy role and principal types.z#Add IAM policy binding for {0} {1}.r*aTo add an IAM policy binding for the role of `{role}` for the user `test-user@gmail.com` on {a} {collection} with identifier `{example_id}`, run: $ {{command}} {example_id} --member='user:test-user@gmail.com' --role='{role}' To add an IAM policy binding for the role of `{role}` to the service account `test-proj1@example.domain.com`, run: $ {{command}} {example_id} --member='serviceAccount:test-proj1@example.domain.com' --role='{role}' To add an IAM policy binding for the role of `{role}` for all authenticated users on {a} {collection} with identifier `{example_id}`, run: $ {{command}} {example_id} --member='allAuthenticatedUsers' --role='{role}' )r+r5rpr)r/r2a To add an IAM policy binding that expires at the end of the year 2018 for the role of `{role}` and the user `test-user@gmail.com` on {a} {collection} with identifier `{example_id}`, run: $ {{command}} {example_id} --member='user:test-user@gmail.com' --role='{role}' --condition='expression=request.time < timestamp("2019-01-01T00:00:00Z"),title=expires_end_of_2018,description=Expires at midnight on 2018-12-31'  r<rr+r5rpr8rr)note detailed_helps r%GetDetailedHelpForAddIamPolicyBindingr@s*d#! 0$ 0 6 6q E    f fJ--0 -j 9=  f D !DM*#iiz)BD(IJ-  rcU(aSOSnSnSRXP5SSRXUS9S.nU(aUS S RXS S9-US 'S RUS U/5US 'U$) aReturns a detailed_help for a remove-iam-policy-binding command. Args: collection: Name of the command collection (ex: "project", "dataset") example_id: Collection identifier to display in a sample command (ex: "my-project", '1234') role: The sample role to use in the documentation. The default of 'roles/editor' is usually sufficient, but if your command group's users would more likely use a different role, you can override it here. use_an: If True, uses "an" instead of "a" for the article preceding uses of the collection. condition: If True, add help text for condition. Returns: a dict with boilerplate help text for the remove-iam-policy-binding command r(r)zdSee https://cloud.google.com/iam/docs/managing-policies for details of policy role and member types.z&Remove IAM policy binding for {0} {1}.r*aTo remove an IAM policy binding for the role of `{role}` for the user `test-user@gmail.com` on {collection} with identifier `{example_id}`, run: $ {{command}} {example_id} --member='user:test-user@gmail.com' --role='{role}' To remove an IAM policy binding for the role of `{role}` from all authenticated users on {collection} `{example_id}`, run: $ {{command}} {example_id} --member='allAuthenticatedUsers' --role='{role}' )r+r5rpr/r2a* To remove an IAM policy binding with a condition of `expression='request.time < timestamp("2019-01-01T00:00:00Z"), title='expires_end_of_2018'`, and description=`Expires at midnight on 2018-12-31` for the role of `{role}` for the user `test-user@gmail.com` on {collection} with identifier `{example_id}`, run: $ {{command}} {example_id} --member='user:test-user@gmail.com' --role='{role}' --condition='expression=request.time < timestamp("2019-01-01T00:00:00Z"),title=expires_end_of_2018,description=Expires at midnight on 2018-12-31' To remove all IAM policy bindings regardless of the condition for the role of `{role}` and for the user `test-user@gmail.com` on {collection} with identifier `{example_id}`, run: $ {{command}} {example_id} --member='user:test-user@gmail.com' --role='{role}' --all z roles/browserr;r<r=s r(GetDetailedHelpForRemoveIamPolicyBindingrB/s*d#!* 3 9 9! H   f fE#-& -j 9= f J!JM*"#iiz)BD(IJ-  rc SRUS9$)zReturns a hint message for commands treating service account as a resource. Args: action: the action to take on the service account resource (with necessary prepositions), such as 'add iam policy bindings to'. aEWhen managing IAM roles, you can treat a service account either as a resource or as an identity. This command is to {action} a service account resource. There are other gcloud commands to manage IAM policies for other types of resources. For example, to manage IAM policies on a project, use the `$ gcloud projects` commands.rdrNrDs r GetHintForServiceAccountResourcerErs  fFf+ -rcUS:Xa[R/$US:Xa[R/$US:Xa/$[R/$)aFParses a string into a MANAGED_BY enum. MANAGED_BY is an enum of who manages a service account key resource. IAM will rotate any SYSTEM_MANAGED keys by default. Args: managed_by: A string representation of a MANAGED_BY. Can be one of *user*, *system* or *any*. Returns: A KeyTypeValueValuesEnum (MANAGED_BY) value. usersystemany) MANAGED_BY USER_MANAGEDSYSTEM_MANAGEDKEY_TYPE_UNSPECIFIED) managed_bys rManagedByFromStringrOsN6  # # $$X  % % &&U I  + + ,,rczUS:Xa[R$US:Xa[R$[R$)zParses a string into a KeyType enum. Args: key_str: A string representation of a KeyType. Can be either *p12* or *json*. Returns: A PrivateKeyTypeValueValuesEnum value. p12json) KEY_TYPESTYPE_PKCS12_FILETYPE_GOOGLE_CREDENTIALS_FILETYPE_UNSPECIFIEDkey_strs rKeyTypeFromStringrYs8   % %%&  1 11  % %%rcU[R:XdU[R:XagU[R:XdU[R:Xagg)zGet a string version of a KeyType enum. Args: key_type: An enum of either KEY_TYPES or CREATE_KEY_TYPES. Returns: The string representation of the key_type, such that parseKeyType(keyTypeToString(x)) is a no-op. rQrR unspecified)rSrTCREATE_KEY_TYPESrUkey_types rKeyTypeToStringr_sG),,,"333 I:::$AAA  rcU[R:Xa[R$U[R:Xa[R$[R$)aTransforms between instances of KeyType enums. Transforms KeyTypes into CreateKeyTypes. Args: key_type: A ServiceAccountKey.PrivateKeyTypeValueValuesEnum value. Returns: A IamProjectsServiceAccountKeysCreateRequest.PrivateKeyTypeValueValuesEnum value. )rSrTr\rUrVr]s rKeyTypeToCreateKeyTyperasD+++  , ,,9999  8 88  , ,,rcU[R:Xa[R$U[R:Xa[R$[R$)z!The inverse of *toCreateKeyType*.)r\rTrSrUrVr]s rKeyTypeFromCreateKeyTypercsD !222  % %%#@@@  1 11  % %%rc$SRU5$)z0Turns a project id into a project resource name. projects/{0}rN)projects rProjectToProjectResourceNamergs   w ''rc$SRU5$)z4Turns an email into a service account resource name.zprojects/-/serviceAccounts/{0}rN)emails rEmailToAccountResourceNamerjs ) 0 0 77rc$SRX5$)z3Turns an email and key id into a key resource name.z'projects/-/serviceAccounts/{0}/keys/{1}rN)rirs rEmailAndKeyToResourceNamerls 2 9 9% EErc$SRX5$)z@Turns an email and identity binding id into a key resource name.z3projects/-/serviceAccounts/{0}/identityBindings/{1}rN)riidentity_bindings r%EmailAndIdentityBindingToResourceNameros > E E  rc*URS5S$)z)'..33CC,002/%%8!!/":"B"BAGI(##OOC(Mooc"1%Ga'I!!(HOOG,DEI rc[RRURSUR0[ S9nUR 5$)zTransforms a service account resource into a URL string. Args: resource: The ServiceAccount object Returns: URL to the service account projectsIdr+)rREGISTRYParseuniqueId projectIdSERVICE_ACCOUNTS_COLLECTIONr)resourcerefs rServiceAccountsUriFuncrrsF   ,(:(:;, ! .# rc tURSS[5[RSR U5S9 g)ayAdds the IAM service account name argument that supports tab completion. Args: parser: An argparse.ArgumentParser-like object to which we add the args. action: Action to display in the help message. Should be something like 'to act on' or a relative phrase like 'whose policy to get'. Raises: ArgumentError if one of the arguments is already defined in the parser. service_accountSERVICE_ACCOUNTzThe service account {}. The account should be formatted either as a numeric service account ID or as an email, like this: 123456789876543212345 or my-iam-account@somedomain.com.)r8rVrbr:N)r=GetIamAccountFormatValidatorr IamServiceAccountCompleterr<r>rds rAddServiceAccountNameArgrs<  ' )55 -.4VF^ >rc pURSS[R"5SSSRU5S9 g)a[Adds optional recommend argument to the parser. Args: parser: An argparse.ArgumentParser-like object to which we add the args. action: Action to display in the help message. Should be something like 'deletion' or a noun that describes the action being performed. Raises: ArgumentError if the argument is already defined in the parser. z --recommend BOOLEAN_VALUEFzIf true, checks Active Assist recommendation for the risk level of service account {}, and issues a warning in the prompt. Optional flag is set to false by default. For details see https://cloud.google.com/recommender/docs/change-risk-recommendations)r8rVrr9r:N)r=r ArgBooleanr<rs rAddServiceAccountRecommendArgrs?   ! ! # - v rc`[RRSRX55 g)NzUpdated IAM policy for {} [{}].)r statusPrintr<)rtkinds rLogSetIamPolicyrs **4;;DGHrc0[R"SS5$)z5Checks that provided iam account identifier is valid.z^(.+@.+\..+|[0-9]+)$zNot a valid service account identifier. It should be either a numeric string representing the unique_id or an email of the form: my-iam-account@somedomain.com or my-iam-account@PROJECT_ID.iam.gserviceaccount.com)r RegexpValidatorr"rrrrs  $ $: ;;rc SnU$)z&Checks if the output file is writable.cUS:XaU$[R"USS9nUR5 UsSSS5 $!,(df  g=f![Ran[R "U5eSnAff=f)N-T)private)r FileWritercloserrr)rfr s r IsWritable-GetIamOutputFileValidator..IsWritablesc | l2   E4 0A   1 0 0 ;;2  . .q 112s1A ; A A A A A; A66A;r")rs rGetIamOutputFileValidatorrs 2 rc@URc[S5Ulgg)zUSet the role stage to Alpha if None. Args: role: A protorpc.Message of type Role. Nr})rr)rps rSetRoleStageIfAlphars  ZZ$W-DJrcU(a[RRUSS9$[RRUSS9$)zGet the resource reference of a project or organization. Args: project: A project name string. organization: An organization id string. Returns: The resource reference of the given project or organization. zcloudresourcemanager.projectsrz"cloudresourcemanager.organizations)rrr)rfrs rGetResourceReferencersS    # #; $ ==    # #!E $ GGrcnU(a.SSRU5-S-n[R"USSS9 gg)zPrompt a warning for TESTING permissions with a 'y/n' question. Args: permissions: A list of permissions that need to be warned. zNote: permissions [rz] are in 'TESTING' stage which means the functionality is not mature and they can go away in the future. This can break your workflows, so do not use them in production systems!z*Are you sure you want to make this change?TrN)rrr permissionsrs rTestingPermissionsWarningrsB  499[#9 9 ! !C B rcnU(a.SSRU5-S-n[R"U5 gg)zrPrompt a warning for API diabled permissions. Args: permissions: A list of permissions that need to be warned. z%API is not enabled for permissions: [rzB]. Please enable the corresponding APIs to use those permissions. N)rr rrs rApiDisabledPermissionsWarningrs9 /$))K2HHM NKK r)Tr)NFF)NFNF)NN)F)r'r'r'F)rmFF)zact on) custom roles)rROLE_ID)z to act on)r( __future__rrrrrr3apitools.base.protorpcliterrapitools.base.pyrgooglecloudsdk.api_lib.utilr core_apisrgooglecloudsdk.callioper r rgooglecloudsdk.command_lib.iamr googlecloudsdk.corecore_exceptionsr r rrgooglecloudsdk.core.consolergooglecloudsdk.core.utilrrGetMessagesModuler)IamProjectsServiceAccountsKeysListRequestKeyTypesValueValuesEnumrJCreateServiceAccountKeyRequestPrivateKeyTypeValueValuesEnumr\ServiceAccountKeyrS(IamProjectsServiceAccountsKeysGetRequestPublicKeyTypeValueValuesEnumrxRoleStageValueValuesEnumrrSERVICE_ACCOUNT_FORMATSERVICE_ACCOUNT_KEY_FORMATrr{CONDITION_FILE_FORMAT_EXCEPTION!MAX_LIBRARY_IAM_SUPPORTED_VERSIONrobjectrrrrr r,r/r2rArKrPr`rgrkrrrwrtrrrrrornrrrrrrrrrrrrrrrrrrrrrr|rrr!r$r9r@rBrErOrYr_rarcrgrjrlrorur{rrrrrrrrrrrrrrrr"rrrsL3&' D%9A/C5=#*)$2* ""5$/22JJ  ''EE  # # A A 11NNyy-- <& /GG !#4"L"LE#F %&!$-4.&A,,AC44CA?#8#8AD&BD*BG0)6IMAD ,2605 0""&  3p0>1649 :~3A497< @F - -.&$(-.&( 8 F   .%2 #)( 88(@  >06I;".G$$ r