M'SrSSKJr SSKJr SSKJr SSKrSSKJr SSKJ r SSK J r SS K J r SS KJr SS KJr SS KJ r SS KJr SS KJ r SS KJr SSKJr SSKJr SSKJr \R>\R@"\RBRD\RBRF5"SS\RH555r%g)zCommand to add project-level and fleet scope-level IAM bindings and create a fleet scope RBAC role binding for an app operator.)absolute_import)division)unicode_literalsN)encoding) projects_api)client)util)base) resources)iam_util) labels_util)log) properties) console_ioc.\rSrSrSr\S5rSrSrg)AddAppOperatorBinding&a Add project-level and fleet scope-level IAM bindings and create a fleet scope RBAC role binding for an app operator principal. One binding consists of an app operator principal (user/group) and a role (view/edit/admin or a custom role). This command sets up the different permissions required for an app operator, including usage of fleet scopes, connect gateway, logging, and metrics. The authoritative list for adding the permissions is the existing RBAC role bindings under the specified scope. This command can fail for the following reasons: * The scope specified does not exist. * The user does not have access to the specified scope. * The principal specified already has another binding for the scope. ## EXAMPLES The following command: $ {command} SCOPE --role=view --group=people@google.com --project=PROJECT_ID * adds IAM policy binding: roles/gkehub.scopeViewer on `SCOPE` * adds IAM policy binding: roles/gkehub.scopeViewerProjectLevel on `PROJECT_ID` * adds IAM policy binding: roles/logging.viewAccessor on `PROJECT_ID` with condition where bucket corresponds to `SCOPE` * creates fleet scope RBAC role binding: role `view` with a random ID for group `people@google.com`. --- The following command: $ {command} SCOPE --role=edit --user=person@google.com --project=PROJECT_ID * adds IAM policy binding: roles/gkehub.scopeEditor on `SCOPE` * adds IAM policy binding: roles/gkehub.scopeEditorProjectLevel on `PROJECT_ID` * adds IAM policy binding: roles/logging.viewAccessor on `PROJECT_ID` with condition where bucket corresponds to `SCOPE` * creates fleet scope RBAC role binding: role `edit` with a random ID for user `person@google.com`. --- The following command: $ {command} SCOPE --role=admin --user=person@google.com --project=PROJECT_ID * adds IAM policy binding: roles/gkehub.scopeAdmin on `SCOPE` * adds IAM policy binding: roles/gkehub.scopeEditorProjectLevel on `PROJECT_ID` * adds IAM policy binding: roles/logging.viewAccessor on `PROJECT_ID` with condition where bucket corresponds to `SCOPE` * creates fleet scope RBAC role binding: role `admin` with a random ID for user `person@google.com`. --- The following command: $ {command} SCOPE --custom-role=my-custom-role --user=person@google.com --project=PROJECT_ID * adds IAM policy binding: roles/gkehub.scopeViewer on `SCOPE` * adds IAM policy binding: roles/gkehub.scopeEditorProjectLevel on `PROJECT_ID` * adds IAM policy binding: roles/logging.viewAccessor on `PROJECT_ID` with condition where bucket corresponds to `SCOPE` * creates fleet scope RBAC role binding: role `my-custom-role` with a random ID for user `person@google.com`. For any tailored IAM permissions required when using a custom role, the user or group can separately be granted additional IAM permissions on the project. c~[R"US[RUR 5SSS9 UR SS9nUR S[SS9 UR S [S S9 UR SS9nUR S /S QS S9 UR S[SS9 [R"U5 g)NSCOPEz>Name of the fleet scope for adding IAM and RBAC role bindings.T) scope_helprequired)rz--userzUser for the role binding.)typehelpz--groupzGroup for the role binding.z--role)admineditviewz;Predefined role to assign to principal (admin, edit, view).)choicesrz --custom-rolez#Custom role to assign to principal.) r AddScopeResourceArgapi_util VERSION_MAP ReleaseTrackadd_mutually_exclusive_group add_argumentstrr AddCreateLabelsFlags)clsparsergrouproledefs >lib/surface/container/fleet/scopes/add_app_operator_binding.pyArgsAddAppOperatorBinding.Argsus !!S--/0 L  / / / >E   )    * 1141@G ) J    2 $$V,c 4 URnUc2[RRRR 5n[ R "UR5S9nURRR5nUR5nUR5n[R"URUR 5nUR"bA[R$"UR"5n[R&"UR"5n O@[R$"UR(5n[R&"UR(5n UR"n UR+X%5n U Hn U RUR:XdMU R UR :XdM;U R(R,(a2[.R0"U R(5SR35n OU R(R4n [6R8"SR;UU UU R<55 g U (aU n O UR(n [>R@"5(a([>RB"SR;UUU UUU S9SSS9 [DRF"U5n[HRJ"UUU 5 [RL"X%5n[NRP"U[NRR5 [HRT"UUS U5 [6RV"S 5 URYU5n[NRZ"[\R^"UR55R`UUU5 URcUU5 [6RV"S 5 US -S Re[gS5Vs/sHn[hRj"S5PM sn5-n[lRn"URpS9nURsURtRvRxS5R{5nUR}UUR(U URUR US9$s snf)N) release_trackpredefinedRolezQ`{}` already has role `{}` for scope `{}` via an existing RBAC role binding: `{}`agThe command: * adds IAM policy binding: `{scope_role}` on scope `{scope}` * adds IAM policy binding: `{proj_role}` on project `{proj}` * adds IAM policy binding: `roles/logging.viewAccessor` on project `{proj}` with a condition where the bucket corresponds to scope `{scope}` * creates a fleet scope RBAC role binding: role `{arg_role}` for `{member}`)scopeprojarg_rolemember scope_role proj_rolezDo you want to continueT)message prompt_string cancel_on_nozroles/logging.viewAccessorz Added project-level IAM bindingszAdded scope-level IAM bindingz/rbacrolebindings/abcdef0123456789) additions)namerole custom_roleuserr(labels)?projectrVALUEScoreGetr FleetClientr!CONCEPTSr1ParseName RelativeName scopes_utilIamMemberFromRbacrAr(r@IamScopeLevelScopeRoleFromRbac IamProjectLevelScopeRoleFromRbacr?ListScopeRBACRoleBindingsr0rMessageToPyValuelower customRolererrorformatr>r CanPromptPromptContinue projects_util ParseProjectrAddIamPolicyBindingScopeLogViewConditionr ValidateConditionArgumentCONDITION_FORMAT_EXCEPTION AddIamPolicyBindingWithConditionPrintGetScopeIamPolicyAddBindingToIamPolicyrGetMessagesModuleBindingSetScopeIamPolicyjoinrangerandomchoicer DiffrBApplymessagesRBACRoleBinding LabelsValue GetOrNoneCreateScopeRBACRoleBinding)selfargsrC fleetclient scope_argscope_id scope_path iam_memberiam_scope_level_roleiam_project_level_roler@ scope_rrbs existing_rrb printed_role project_ref conditionscope_iam_policy_ scope_rrb labels_diffrBs r*RunAddAppOperatorBinding.RunsllG!!&&..224g$$43D3D3FGK ##))+I~~H'')J..tyy$**EJ #(GG    +KK    )GG )) +KK )) ""K66wIJ"   dii 'L,>,>$**,L    + +!22<3D3DE EG &**55,  ""(&!! #  %#* lYYl #F '#12 #2%* ,,W5K$$ 11'DI &&86611$  II01"44Z@ """"4#4#4#67??  !!*.>?II-.    ''eBiHi6==!34iH I J ""T[[9K   ,,88$ik   1 1  YY YYjj 2  Is R N) __name__ __module__ __qualname____firstlineno____doc__ classmethodr+r__static_attributes__rr-r*rr&s$JX - -Dwr-r)&r __future__rrrrgapitools.base.pyr+googlecloudsdk.api_lib.cloudresourcemanagerr&googlecloudsdk.api_lib.container.fleetrr rgooglecloudsdk.callioper *googlecloudsdk.command_lib.container.fleetr 1googlecloudsdk.command_lib.container.fleet.scopesrLgooglecloudsdk.command_lib.iamr #googlecloudsdk.command_lib.projectsrX$googlecloudsdk.command_lib.util.argsr googlecloudsdk.corerrgooglecloudsdk.core.consolerDefaultUniverseOnly ReleaseTracksr!ALPHABETA CreateCommandrrr-r*rsF&' %D9C(@Q3E<#*2D%%++T->->-C-CDgD..gEgr-