P lSrSSKJr SSKJr SSKJr SSKJr SSKJ r SSK J r SSK Jr S rS S jrg ) z-Helpers for dealing with the Private CA P4SA.)absolute_import)division)unicode_literals)iam)base) serviceusage) storage_apic[R"5n[R"UR 5U5nUS$)a^Gets (or creates) the P4SA for Private CA in the given project. If the P4SA does not exist for this project, it will be created. Otherwise, the email address of the existing P4SA will be returned. Args: project_ref: resources.Resource reference to the project for the P4SA. Returns: Email address of the Private CA P4SA for the given project. email)privateca_baseGetServiceNamerGenerateServiceIdentityName) project_ref service_nameresponses 0lib/googlecloudsdk/command_lib/privateca/p4sa.py GetOrCreaters< ..0,  1 1+2B2B2D2>@( ' NcSRU5nU(a[R"XS4US4/5 U(a-[R"5nUR X#S4US4/5 gg)aAdds the necessary P4SA role bindings on the given key and bucket. Args: p4sa_email: Email address of the P4SA for which to add role bindings. This can come from a call to GetOrCreate(). kms_key_ref: optional, resources.Resource reference to the KMS key on which to add a role binding. bucket_ref: optional, storage_util.BucketReference to the GCS bucket on which to add a role binding. zserviceAccount:{}zroles/cloudkms.signerVerifierz roles/viewerzroles/storage.objectAdminz roles/storage.legacyBucketReaderN)formatkms_iamAddPolicyBindingsToCryptoKeyr StorageClientAddIamPolicyBindings) p4sa_email kms_key_ref bucket_ref principalclients rAddResourceRoleBindingsr!-sz"((4) (("AB .134  & & (F !<=!CDFGr)NN)__doc__ __future__rrrgooglecloudsdk.api_lib.cloudkmsrr googlecloudsdk.api_lib.privatecarr googlecloudsdk.api_lib.servicesrgooglecloudsdk.api_lib.storager rr!rrr)s*4&':C86$Gr