;XxSrSSKJr SSKJr SSKJr SSKrSSKJr SSKJ r SSKJ r SSK r SSK r SS K Jr SS K Jr SS K Jr SS K Jr SS K Jr SSK Jr SSKJr SSKJr SSKJr SSKJr "SS\R45r"SS\5r"SS\5r"SS\5r"SS\5r"SS\5r g)z"All the BigQuery CLI IAM commands.)absolute_import)division)print_functionN)Optional)app)flags)client_connection)client_dataset)client_reservation)client_routine) client_table)utils)bigquery_command)bq_cached_client) bq_id_utilsc^^\rSrSrSrS\S\R4U4SjjrSr Sr Sr S r U=r $) _IamPolicyCmd!zCommon superclass for commands that interact with BQ's IAM meta API. Provides common flags, identifier decoding logic, and GetIamPolicy and SetIamPolicy logic. namefvcB>[[U] X5 SUl[R "SSSU-SUS9 [R "SSSU-SUS9 [R "S SS U-US 9 [R "S SS U-US 9 [R "SSSU-US 9 g)zInitialize. Args: name: the command name string to bind to this handler class. fv: the FlagValues flag-registry object. verb: the verb string (e.g. 'Set', 'Get', 'Add binding to', ...) to print in various descriptions. Fdatasetz7%s IAM policy for dataset described by this identifier.d) short_name flag_valuestablez5%s IAM policy for table described by this identifier.t connectionz:%s IAM policy for connection described by this identifier.rroutinez7%s IAM policy for routine described by this identifier. reservationz;%s IAM policy for reservation described by this identifier.N)superr__init__surface_in_shellrDEFINE_booleanselfrrverb __class__s $platform/bq/frontend/commands_iam.pyr#_IamPolicyCmd.__init__(s -'1"D  ADH   ?$F   DtK    ADH    EL c ^[R"URURURUR UR 5(a[R"S5eU(d%[R"SUR<S35eUR(a[R"XS9nU$UR(a[R"XS9nU$UR(a0[R"UU[RR S9nU$UR (a[R""XS9nU$UR (a0[R$"UU[RR S9nU$[R&"XS9n[(R*"U[(R,R.[(R,R0[(R,R2[(R,R44SU<SUR<S3SS 9 U$) NzOCannot specify more than one of -d, -t, --routine, --connection, --reservation.zMust provide an identifier for .) id_fallbacks identifier)r/r0default_locationzInvalid identifier "z" for T)is_usage_error)frontend_utilsValidateAtMostOneSelectedrrrr r!r UsageError _command_namebq_client_utilsGetTableReferenceGetDatasetReferenceGetConnectionReferencebq_flagsLOCATIONvalueGetRoutineReferenceGetReservationReference GetReferencer typecheckApiClientHelperDatasetReferenceTableReferenceRoutineReferenceReservationReference)r'clientr0 references r*GetReferenceFromIdentifier(_IamPolicyCmd.GetReferenceFromIdentifierZs//       NN    NN262D2D F  vv!33iL G !55iD ? !88#,,22i< 3 !55i0 +   !99#,,22i( "..i ))::))88))::))>>  0:4;M;M N  r,c<[U[RR5(a#[R "UR 5US9$[U[RR5(a#[R"UR 5US9$[U[RR5(a#[R"UR5US9$[U[RR5(a#[R "UR 5US9$[U[RR"5(a#[$R&"UR)5US9$[+SR-[/U5S95e)aMGet the IAM policy for a table, dataset, routine or reservation. Args: reference: A DatasetReference, TableReference, ConnectionReference, RoutineReference, or ReservationReference. Returns: The policy object, composed of dictionaries, lists, and primitive types. Raises: RuntimeError: reference isn't an expected type. )iampolicy_clientrH) apiclientrH)rGrH#Unexpected reference type: {r_type}r_type) isinstancerrBrDr get_table_iam_policyGetIAMPolicyApiClientrCr GetDatasetIAMPolicyConnectionReferencer GetConnectionIAMPolicyGetConnectionV1ApiClientrEr GetRoutineIAMPolicyrFr GetReservationIAMPolicyGetReservationApiClient RuntimeErrorformattype)r'rGrHs r*GetPolicyForReference#_IamPolicyCmd.GetPolicyForReferencesY)[88GGHH  . .!779Y I{::KK L L  / /002i I{::NN O O  5 5002i I{::KK L L  / /002i ;..CC   7 7224  -44DO4L r,cF[U[RR5(a$[R "UR 5UUS9$[U[RR5(a$[R"UR 5UUS9$[U[RR5(a$[R"UR5UUS9$[U[RR5(a$[R "UR 5UUS9$[U[RR"5(a$[$R&"UR)5UUS9$[+SR-[/U5S95e)a\Set the IAM policy for a table, dataset, connection, routine, or reservation. Args: reference: A DatasetReference, TableReference, ConnectionReference, RoutineReference, or ReservationReference. policy: The policy object, composed of dictionaries, lists, and primitive types. Raises: RuntimeError: reference isn't an expected type. )rLrHpolicy)rMrHra)rGrHrarNrO)rQrrBrDr set_table_iam_policyrSrCr SetDatasetIAMPolicyrUr SetConnectionIAMPolicyrWrEr SetRoutineIAMPolicyrFr SetReservationIAMPolicyrZr[r\r])r'rGrHras r*SetPolicyForReference#_IamPolicyCmd.SetPolicyForReferencesm)[88GGHH  . .!779 I{::KK L L  / /002 I{::NN O O  5 5002 I{::KK L L  / /002 ;..CC   7 7224 -44DO4L r,)r$)__name__ __module__ __qualname____firstlineno____doc__strr FlagValuesr#rIr^rg__static_attributes__ __classcell__r)s@r*rr!s8 .3.E$4$4.d;z%N..r,rcd^\rSrSrSrS\S\R4U4SjjrS\S\ \ 4Sjr S r U=r $) GetIamPolicyzHget-iam-policy [(-d|-t|-connection|--reservation|-routine)] rrcH>[TU]XS5 URU5 g)NGetr"r#_ProcessCommandRcr'rrr)s r*r#GetIamPolicy.__init__  GTu%2r,r0returnc[RR5nURX!5nUR X#5n[ R "USS9 g)aAGet the IAM policy for a resource. Gets the IAM policy for a dataset, table, routine, connection, or reservation resource, and prints it to stdout. The policy is in JSON format. Usage: get-iam-policy Examples: bq get-iam-policy ds.table1 bq get-iam-policy --project_id=proj -t ds.table1 bq get-iam-policy proj:ds.table1 bq get-iam-policy --reservation proj:ds.reservation1 Arguments: identifier: The identifier of the resource. Presently only table, view, connection, and reservation resources are fully supported. (Last updated: 2025-08-22) prettyjsondefault_formatN)rClientrwrIr^bq_utilsPrintFormattedJsonObject)r'r0rGrH result_policys r* RunWithArgsGetIamPolicy.RunWithArgssK( $ $ ( ( *F//CI..vAM %%lr,rirjrkrlusagernrror#rintrrprqrrs@r*rtrts= X%3E$4$4CHSMr,rtch^\rSrSrSrS\S\R4U4SjjrS\S\S\ \ 4S jr S r U=r $) SetIamPolicyizSset-iam-policy [(-d|-t|-connection|--reservation|-routine)] rrcH>[TU]XS5 URU5 g)NSetrxrzs r*r#SetIamPolicy.__init__r|r,r0filenamer}c([RR5nURX15n[ US5n[ R "U5nURX4U5n[R"USS9 SSS5 g!,(df  g=f)aSet the IAM policy for a resource. Sets the IAM policy for a dataset, table, routine, connection, or reservation resource. After setting the policy, the new policy is printed to stdout. Policies are in JSON format. If the 'etag' field is present in the policy, it must match the value in the current policy, which can be obtained with 'bq get-iam-policy'. Otherwise this command will fail. This feature allows users to prevent concurrent updates. Usage: set-iam-policy Examples: bq set-iam-policy ds.table1 /tmp/policy.json bq set-iam-policy --project_id=proj -t ds.table1 /tmp/policy.json bq set-iam-policy proj:ds.table1 /tmp/policy.json bq set-iam-policy --reservation proj:ds.reservation1 /tmp/policy.json Arguments: identifier: The identifier of the resource. Presently only table, view, routine, connection, and reservation resources are fully supported. (Last updated: 2025-09-05) filename: The name of a file containing the policy in JSON format. rrrN) rrrwrIopenjsonloadrgrr)r'r0rrGrHfile_objrars r*rSetIamPolicy.RunWithArgsss6 $ $ ( ( *F//CI h yy"f00FKm''     s >B Brrrrs@r*rrsD c%3E$4$4"C"3"8C=""r,rcP^\rSrSrSrS\S\RS\4U4SjjrSr U=r $)_IamPolicyBindingCmdi>zCommon superclass for AddIamPolicyBinding and RemoveIamPolicyBinding. Provides the flags that are common to both commands, and also inherits flags and logic from the _IamPolicyCmd class. rrr(c>[[U] XU5 [R"SSSUS9 [R"SSSUS9 [R "SUS9 [R "SUS9 g)Nmembera>The member part of the IAM policy binding. Acceptable values include "user:", "group:", "serviceAccount:", "allAuthenticatedUsers" and "allUsers". "allUsers" is a special value that represents every user. "allAuthenticatedUsers" is a special value that represents every user that is authenticated with a Google account or a service account. Examples: "user:myaccount@gmail.com" "group:mygroup@example-company.com" "serviceAccount:myserviceaccount@sub.example-company.com" "domain:sub.example-company.com" "allUsers" "allAuthenticatedUsers"rrolea&The role part of the IAM policy binding. Examples: A predefined (built-in) BigQuery role: "roles/bigquery.dataViewer" A custom role defined in a project: "projects/my-project/roles/MyCustomRole" A custom role defined in an organization: "organizations/111111111111/roles/MyCustomRole")r"rr#r DEFINE_stringmark_flag_as_requiredr&s r*r#_IamPolicyBindingCmd.__init__Esu .t>   '#&   >" b9 B7r,r) rirjrkrlrmrnrror#rprqrrs@r*rr>s- '83'8E$4$4'8C'8'8r,rct^\rSrSrSrS\S\R4U4SjjrS\S\ \ 4Sjr \ S 5r S rU=r$) AddIamPolicyBindingiqzMadd-iam-policy-binding --member= --role= [(-d|-t)] rrcL>[[U] XSS9 URU5 g)NzAdd binding tor()r"rr#ryrzs r*r#AddIamPolicyBinding.__init__ws' t-d=M-N2r,r0r}c [RR5nURX!5nUR X#5nSUVs/sHoUR 5PM sn;a [ S5eURX@RUR5 URX#U5n[SRURURURUS95 [R"USS9 gs snf)a0Add a binding to a BigQuery resource's policy in IAM. Usage: add-iam-policy-binding --member= --role= One binding consists of a member and a role, which are specified with (required) flags. Examples: bq add-iam-policy-binding \ --member='user:myaccount@gmail.com' \ --role='roles/bigquery.dataViewer' \ table1 bq add-iam-policy-binding \ --member='serviceAccount:my.service.account@my-domain.com' \ --role='roles/bigquery.dataEditor' \ project1:dataset1.table1 bq add-iam-policy-binding \ --member='allAuthenticatedUsers' \ --role='roles/bigquery.dataViewer' \ --project_id=proj -t ds.table1 Arguments: identifier: The identifier of the resource. Presently only table and view resources are fully supported. (Last updated: 2020-08-03) etagPolicy doesn't have an 'etag' field. This is unexpected. The etag is required to prevent unexpected results from concurrent edits.zhSuccessfully added member '{member}' to role '{role}' in IAM policy for {resource_type} '{identifier}': rr resource_typer0rrN)rrrwrIr^lower ValueErrorAddBindingToPolicyrrrgprintr\typenamerrr'r0rGrHrakeyrs r*rAddIamPolicyBinding.RunWithArgs{s< $ $ ( ( *F//CI  ' ' :F V4VciikV44  M  FKK;..v&IM  ; &;;#,,   %%l%5C7cURSS5S:a([SRURSS5S95eURS/5n[ U[ 5(d![SR[ U5S95eUHPn[ U[5(d![S R[ U5S95eURS 5U:XdMP O S U0nURU5 URS /5n[ U[ 5(d![S R[ U5S95eX;aURU5 U$) aAdd a binding to an IAM policy. Args: policy: The policy object, composed of dictionaries, lists, and primitive types. This object will be modified, and also returned for convenience. member: The string to insert into the 'members' array of the binding. role: The role string of the binding to remove. Returns: The same object referenced by the policy arg, after adding the binding. version>Only policy versions up to 1 are supported. version: {version}NonerbindingsNPolicy field 'bindings' does not have an array-type value. 'bindings': {value}r=]At least one element of the policy's 'bindings' array is not an object type. element: {value}rmembersTPolicy binding field 'members' does not have an array-type value. 'members': {value}) getrr\ setdefaultrQlistreprdictappend)rarrrbindingrs r*r&AddIamPolicyBinding.AddBindingToPolicysCzz)Q!# N F6::i8F 9    R0H h % % $ FhF (    & &3f4=f)   V  $ goog  B/G gt $ $ * FgF '    nnV Mr,r)rirjrkrlrrnrror#rrr staticmethodrrprqrrs@r*rrqsR 3E$4$45C5HSM5n::r,rct^\rSrSrSrS\S\R4U4SjjrS\S\ \ 4Sjr \ S 5r S rU=r$) RemoveIamPolicyBindingizPremove-iam-policy-binding --member= --role= [(-d|-t)] rrcL>[[U] XSS9 URU5 g)NzRemove binding fromr)r"rr#ryrzs r*r#RemoveIamPolicyBinding.__init__s. $0 ,1 2r,r0r}c [RR5nURX!5nUR X#5nSUVs/sHoUR 5PM sn;a [ S5eURX@RUR5 URX#U5n[SRURURURUS95 [R"USS9 gs snf)aARemove a binding from a BigQuery resource's policy in IAM. Usage: remove-iam-policy-binding --member= --role= One binding consists of a member and a role, which are specified with (required) flags. Examples: bq remove-iam-policy-binding \ --member='user:myaccount@gmail.com' \ --role='roles/bigquery.dataViewer' \ table1 bq remove-iam-policy-binding \ --member='serviceAccount:my.service.account@my-domain.com' \ --role='roles/bigquery.dataEditor' \ project1:dataset1.table1 bq remove-iam-policy-binding \ --member='allAuthenticatedUsers' \ --role='roles/bigquery.dataViewer' \ --project_id=proj -t ds.table1 Arguments: identifier: The identifier of the resource. Presently only table and view resources are fully supported. (Last updated: 2020-08-03) rrzlSuccessfully removed member '{member}' from role '{role}' in IAM policy for {resource_type} '{identifier}': rrrN)rrrwrIr^rrRemoveBindingFromPolicyrrrgrr\rrrrs r*r"RemoveIamPolicyBinding.RunWithArgss< $ $ ( ( *F//CI  ' ' :F V4VciikV44  M    dii@..v&IM  ; &;;#,,   %%l%5rc 8URSS5S:a([SRURSS5S95eURS/5n[U[5(d![SR[ U5S95eUHn[U[ 5(d![S R[ U5S95eURS 5U:XdMPURS /5n[U[5(d![S R[ U5S95e[U5H@upgXq:XdM XV UVs/sHoRS /5(dMUPM nnX0S'Us s $ M [R"S RXS95es snf)aRemove a binding from an IAM policy. Will remove the member from the binding, and remove the entire binding if its members array is empty. Args: policy: The policy object, composed of dictionaries, lists, and primitive types. This object will be modified, and also returned for convenience. member: The string to remove from the 'members' array of the binding. role: The role string of the binding to remove. Returns: The same object referenced by the policy arg, after adding the binding. rrrrrrrrrrrrz7No binding found for member '{member}' in role '{role}')rr) rrr\rQrrr enumeraterr5) rarrrrrjmember_jbs r*r.RemoveIamPolicyBinding.RemoveBindingFromPolicy3s$zz)Q!# N F6::i8F 9  zz*b)H h % % $ FhF (    & &3f4=f)   V  $++i,'4((.T']+   %W-KA   $,D8auuY/C8HD!): M.#4 ..AHH I  Es >FFr)rirjrkrlrrnrror#rrrrrrprqrrs@r*rrsR 3E$4$4 5C5HSM5n??r,r)!rm __future__rrrrtypingrabslrrr;rclientsr r r r r rr7frontendrrr3r BigqueryCmdrrtrrrrrr,r*rs('% %"&" ,%%,K$00K\ = F)=)X.8=.8f|.|~C1Cr,