IAM: added snippet for remove member (#2165)

* added remove member sample
* WPI test cases
* Add IAM remove user snippet

Author: DSdatsme

iam/api-client/access.py

@@ -69,6 +69,17 @@ def modify_policy_add_role(policy, role, member):
 # [END iam_modify_policy_add_role]
 
 
+# [START iam_modify_policy_remove_member]
+def modify_policy_remove_member(policy, role, member):
+    """Removes a  member from a role binding."""
+    binding = next(b for b in policy['bindings'] if b['role'] == role)
+    if 'members' in binding and member in binding['members']:
+        binding['members'].remove(member)
+    print(binding)
+    return policy
+# [END iam_modify_policy_remove_member]
+
+
 # [START iam_set_policy]
 def set_policy(project_id, policy):
     """Sets IAM policy for a project."""
@@ -116,6 +127,13 @@ def main():
     modify_role_parser.add_argument('role')
     modify_role_parser.add_argument('member')
 
+    # Modify: remove member
+    modify_member_parser = subparsers.add_parser(
+        'modify_member', help=get_policy.__doc__)
+    modify_member_parser.add_argument('project_id')
+    modify_member_parser.add_argument('role')
+    modify_member_parser.add_argument('member')
+
     # Set
     set_parser = subparsers.add_parser(
         'set', help=set_policy.__doc__)
@@ -130,6 +148,8 @@ def main():
         set_policy(args.project_id, args.policy)
     elif args.command == 'add_member':
         modify_policy_add_member(args.policy, args.role, args.member)
+    elif args.command == 'remove_member':
+        modify_policy_remove_member(args.policy, args.role, args.member)
     elif args.command == 'add_binding':
         modify_policy_add_role(args.policy, args.role, args.member)
 

iam/api-client/access_test.py

@@ -13,17 +13,43 @@
 # limitations under the License.
 
 import os
+import random
 
 import access
+import service_accounts
 
 
 def test_access(capsys):
-    project = os.environ['GCLOUD_PROJECT']
+    # Setting up variables for testing
+    project_id = os.environ['GCLOUD_PROJECT']
 
-    policy = access.get_policy(project)
+    # specifying a sample role to be assigned
+    gcp_role = 'roles/owner'
+
+    # section to create service account to test policy updates.
+    rand = str(random.randint(0, 1000))
+    name = 'python-test-' + rand
+    email = name + '@' + project_id + '.iam.gserviceaccount.com'
+    member = 'serviceAccount:' + email
+    service_accounts.create_service_account(
+        project_id, name, 'Py Test Account')
+
+    policy = access.get_policy(project_id)
+    out, _ = capsys.readouterr()
+    assert u'etag' in out
+
+    policy = access.modify_policy_add_role(policy, gcp_role, member)
     out, _ = capsys.readouterr()
-    assert 'etag' in out
+    assert u'etag' in out
 
-    policy = access.set_policy(project, policy)
+    policy = access.modify_policy_remove_member(policy, gcp_role, member)
     out, _ = capsys.readouterr()
-    assert 'etag' in out
+    assert 'iam.gserviceaccount.com' in out
+
+    policy = access.set_policy(project_id, policy)
+    out, _ = capsys.readouterr()
+    assert u'etag' in out
+
+    # deleting the service account created above
+    service_accounts.delete_service_account(
+        email)

iam/api-client/grantable_roles.py

@@ -34,7 +34,8 @@ def view_grantable_roles(full_resource_name):
     }).execute()
 
     for role in roles['roles']:
-        print('Title: ' + role['title'])
+        if 'title' in role:
+            print('Title: ' + role['title'])
         print('Name: ' + role['name'])
         print('Description: ' + role['description'])
         print(' ')

iam/api-client/quickstart.py

@@ -41,7 +41,8 @@ def quickstart():
     for role in roles:
         print('Title: ' + role['title'])
         print('Name: ' + role['name'])
-        print('Description: ' + role['description'])
+        if 'description' in role:
+            print('Description: ' + role['description'])
         print('')
     # [END iam_quickstart]