$LSrSSKJr SSKJr SSKJr SSKrSSKrSSKJr SSK J r SSK J r SS K Jr SS KJr SS KJr SS KJr SS KJr SSKJr SSKJr \"/SQ5r\"SS/5r\"S/5rSrSr Sr!Sr"\ RF"SS\ RH55r%g)z+Command to authorize accounts for transfer.)absolute_import)division)unicode_literalsN) projects_api)apis)base)util)log) properties)creds)store)universe_descriptor)files)z roles/ownerzroles/storagetransfer.adminz#roles/storagetransfer.transferAgentzroles/storage.objectAdminzroles/pubsub.editorzroles/storage.adminz"roles/storagetransfer.serviceAgentzroles/pubsub.publisherzDserviceAccount:service-{project_number}@{service_account_url_suffix}c:U(aSOSnSRX 5$)z=Returns an email format useful for interacting with IAM APIs.serviceAccountuserz{}:{})format) email_stringis_service_account iam_prefixs !lib/surface/transfer/authorize.py_get_iam_prefixed_emailr4s#56*  11c[R"5R[RR R R55RnU(aSUS3nOSn[RUUS9$)zReturns a GCS SA email.zgs-project-accounts.z.iam.gserviceaccount.comz+gs-project-accounts.iam.gserviceaccount.com)project_numberservice_account_url_suffix) rUniverseDescriptorGetr VALUEScoreuniverse_domainproject_prefixSERVICE_ACCOUNT_URL_FORMATr)rr"rs r_get_iam_prefiexed_gcs_sa_emailr$:s~,,. s:   ! ! 1 1 5 5 78~  ~..FG"O # * *#!; + rc[5nURH_n[URVs/sHoUU:HPM sn5(dM2URU;dMDUR UR5 Ma U$s snf)zEReturns roles in IAM policy from roles_set assigned to account email.)setbindingsanymembersroleadd)project_iam_policyprefixed_account_email roles_setrolesbindingms r(_get_existing_transfer_roles_for_accountr2Msh %% $,,g '// B/Q( (/ BCC ! ii - , CsA< c8\rSrSrSrSSS.r\S5rSrSr g ) Authorize]z7Authorize an account for all Transfer Service features.a  Authorize a Google account for all Transfer Service features. This command provides admin and owner rights for simplicity. If that's too much authority for your use case, see custom setups here: https://cloud.google.com/storage-transfer/docs/on-prem-set-up aS To see what Transfer Service IAM roles the account logged into gcloud may be missing, run: $ {command} To add the missing IAM roles, run: $ {command} --add-missing To check a custom service account for missing roles, run: $ {command} --creds-file=path/to/service-account-key.json ) DESCRIPTIONEXAMPLEScFURSSS9 URSSSS9 g)Nz --creds-fileaJThe path to the creds file for an account to authorize. The file should be in JSON format and contain a "type" and "client_email", which are automatically generated for most creds files downloaded from Google (e.g. service account tokens). If this flag is not present, the command authorizes the user currently logged into gcloud.)helpz --add-missing store_truezAdd IAM roles necessary to use all Transfer Service features to the specified account. By default, this command just prints missing roles.)actionr9) add_argument)parsers rArgsAuthorize.Args|s= )* !"rcZ [R"SS5n[R"SS5nUR(a[R R [R RUR55n[R"U5n[R"U5nUSnUSS:Hn[!Xx5n SSS5 Og["R$R&R(R+5n[,R."[0R2"55n[!UU5n ["R$R&R4R+5n [6R8"U 5n [:R<"U 5n [?U W [@5n[RBRESRGW[IU555 [@U- n[RBRESRG[IU555 UVs/sHnU U4PM nn[RBRES 5 URJR+URMU S 95RNn[!US S 9n[?U U[P5n[RBRES RGU[IU555 [PU- n[RBRESRG[IU555 UUVs/sHnUU4PM sn- nURS5[TRRRVLa[6RX"U 5n[[U5n[?U U[\5n[RBRES 5 [RBRESRGU[IU555 [\U- n[RBRESRG[IU555 UUVs/sHnUU4PM sn- nUR^(dU(a[RBRES 5 UR^(aU(a[RBRESRGU55 [:R`"U U5 [RBRES 5 [RBRES5 g[RBRES5 g[RBRES5 gg![[4a&n [R"U 5 [S5eSn A ff=f!,(df  GN_=fs snfs snfs snf)Nstoragetransferv1 client_emailtypeservice_accountzKInvalid creds file format. Run command with "--help" flag for more details.zUser {} has roles: {}zMissing roles: {}z***) projectIdT)rz0Google-managed transfer account {} has roles: {}z/Google-managed service account {} has roles: {}zAdding roles: {}zkDone. Permissions typically take seconds to propagate, but, in some cases, it can take up to seven minutes.zNo missing roles to add.z.Rerun with --add-missing to add missing roles.)1rGetClientInstanceGetMessagesModule creds_fileospathabspath expanduserr FileReaderjsonload ValueErrorKeyErrorr errorrr rr accountrr IsServiceAccountCredentials creds_storeLoadproject projects_util ParseProjectr GetIamPolicyr2EXPECTED_USER_ROLESstatusPrintrlistgoogleServiceAccounts.StoragetransferGoogleServiceAccountsGetRequest accountEmailEXPECTED_P4SA_ROLES ReleaseTrackrALPHAGetProjectNumberr$EXPECTED_GCS_SA_ROLES add_missingAddIamPolicyBindings)selfargsclientmessagesexpanded_file_path file_readerparsed_creds_file account_emailrer- project_idparsed_project_idr,existing_user_rolesmissing_user_rolesr*all_missing_role_tuplestransfer_p4sa_emailprefixed_transfer_p4sa_emailexisting_p4sa_rolesmissing_p4sa_rolesrprefixed_gcs_sa_emailexisting_gcs_sa_rolesmissing_gcs_sa_roless rRun Authorize.Runs  # #$5t H 77??277+=+=doo+NO   . /; P"ii 4 +N;-08%223DEB24GIJJ-44]59:M5NPQ,/BBJJ)006H1IJK4F3E4 &3EJJU 66::??  @ "##/<$;$6 C8:MOJJHOOT"5689,/BBJJ)006H1IJK9K 9K %t,9K  d//555$55jAn=nMF 35JL jju jj < C C#T*?%@  35JJ jj+2248L3MNO4H"4HD $ '4H" 2 jju   " **  .556MN O  + +,=,C E **  5 ! **  A B **  5 6 IJ!3H% P ))A,OP P P 0 /8& ""sBV #U V 'V V#,V(V #!VV  V  VN) __name__ __module__ __qualname____firstlineno____doc__ detailed_help staticmethodr>r__static_attributes__rrrr4r4]s1?   -4"" ZKrr4)&r __future__rrrrOrJ+googlecloudsdk.api_lib.cloudresourcemanagerrgooglecloudsdk.api_lib.utilrgooglecloudsdk.callioper#googlecloudsdk.command_lib.projectsr rYgooglecloudsdk.corer r googlecloudsdk.core.credentialsr r rV'googlecloudsdk.core.universe_descriptorrgooglecloudsdk.core.utilr frozensetr\rcrgr#rr$r2UniverseCompatibleCommandr4rrrrs2&' D,(E#*1@G*! (!"#;"<=J 2 &  IK IKIKr