diff --git a/iam/api-client/access.py b/iam/api-client/access.py
index cd7930b4944..d7cdbd4f72a 100644
--- a/iam/api-client/access.py
+++ b/iam/api-client/access.py
@@ -69,6 +69,17 @@ def modify_policy_add_role(policy, role, member):
 # [END iam_modify_policy_add_role]
+# [START iam_modify_policy_remove_member]
+def modify_policy_remove_member(policy, role, member):
+ """Removes a member from a role binding."""
+ binding = next(b for b in policy['bindings'] if b['role'] == role)
+ if 'members' in binding and member in binding['members']:
+ binding['members'].remove(member)
+ print(binding)
+ return policy
+# [END iam_modify_policy_remove_member]
+
+
 # [START iam_set_policy]
 def set_policy(project_id, policy):
 """Sets IAM policy for a project."""
@@ -110,6 +121,13 @@ def main():
 modify_role_parser.add_argument('role')
 modify_role_parser.add_argument('member')
+ # Modify: remove member
+ modify_member_parser = subparsers.add_parser(
+ 'modify_member', help=get_policy.__doc__)
+ modify_member_parser.add_argument('project_id')
+ modify_member_parser.add_argument('role')
+ modify_member_parser.add_argument('member')
+
 # Set
 set_parser = subparsers.add_parser(
 'set', help=set_policy.__doc__)
@@ -124,6 +142,8 @@ def main():
 set_policy(args.project_id, args.policy)
 elif args.command == 'add_member':
 modify_policy_add_member(args.policy, args.role, args.member)
+ elif args.command == 'remove_member':
+ modify_policy_remove_member(args.policy, args.role, args.member)
 elif args.command == 'add_binding':
 modify_policy_add_role(args.policy, args.role, args.member)
diff --git a/iam/api-client/access_test.py b/iam/api-client/access_test.py
index eb95f9398ea..fc73474c87b 100644
--- a/iam/api-client/access_test.py
+++ b/iam/api-client/access_test.py
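Review bot: In `modify_policy_remove_member` (access.py), `next(b for b in policy['bindings'] if b['role'] == role)` raises StopIteration when no binding carries the role, and it only ever inspects the first matching binding. If a policy holds several bindings for the same role (for example bindings that differ only in their condition), the member can stay in a later one, so the caller believes access was revoked when it was not. Iterating over every match covers both cases: `for b in policy.get('bindings', []):` followed by `if b['role'] == role and member in b.get('members', []): b['members'].remove(member)`. The docstring should also state that the policy dict is mutated in place and that nothing is revoked until the result is written back with `set_policy`.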
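Review bot: The subcommand added to `main()` in access.py is registered as `'modify_member'`, but the dispatch added in the following hunk tests `args.command == 'remove_member'`, so the new branch looks unreachable from the command line. The parser also declares `project_id` while the dispatch reads `args.policy`, and the help text is `get_policy.__doc__` rather than the new function's docstring. Suggested registration: `subparsers.add_parser('remove_member', help=modify_policy_remove_member.__doc__)`, with arguments matching what the dispatch branch reads. `main()` starts and ends outside both hunks, so how the sibling `add_member` parser is declared cannot be checked from here.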
@@ -13,17 +13,43 @@
 # limitations under the License.
 import os
+import random
 import access
+import service_accounts
 def test_access(capsys):
- project = os.environ['GCLOUD_PROJECT']
+ # Setting up variables for testing
+ project_id = os.environ['GCLOUD_PROJECT']
- policy = access.get_policy(project)
+ # specifying a sample role to be assigned
+ gcp_role = 'roles/owner'
+
+ # section to create service account to test policy updates.
+ rand = str(random.randint(0, 1000))
+ name = 'python-test-' + rand
+ email = name + '@' + project_id + '.iam.gserviceaccount.com'
+ member = 'serviceAccount:' + email
+ service_accounts.create_service_account(
+ project_id, name, 'Py Test Account')
+
+ policy = access.get_policy(project_id)
+ out, _ = capsys.readouterr()
+ assert u'etag' in out
+
+ policy = access.modify_policy_add_role(policy, gcp_role, member)
 out, _ = capsys.readouterr()
- assert 'etag' in out
+ assert u'etag' in out
- policy = access.set_policy(project, policy)
+ policy = access.modify_policy_remove_member(policy, gcp_role, member)
 out, _ = capsys.readouterr()
- assert 'etag' in out
+ assert 'iam.gserviceaccount.com' in out
+
+ policy = access.set_policy(project_id, policy)
+ out, _ = capsys.readouterr()
+ assert u'etag' in out
+
+ # deleting the service account created above
+ service_accounts.delete_service_account(
+ email)
diff --git a/iam/api-client/grantable_roles.py b/iam/api-client/grantable_roles.py
index e5986e7e1e7..ec8e87706b9 100644
--- a/iam/api-client/grantable_roles.py
+++ b/iam/api-client/grantable_roles.py
@@ -34,7 +34,8 @@ def view_grantable_roles(full_resource_name):
 }).execute()
 for role in roles['roles']:
- print('Title: ' + role['title'])
+ if 'title' in role:
+ print('Title: ' + role['title'])
 print('Name: ' + role['name'])
 print('Description: ' + role['description'])
 print(' ')
diff --git a/iam/api-client/quickstart.py b/iam/api-client/quickstart.py
index 932e6832010..d38c601dee0 100644
--- a/iam/api-client/quickstart.py
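Review bot: `test_access` in access_test.py adds a `roles/owner` binding for a freshly created service account and then calls `set_policy` without asserting that the member is gone from the policy; `assert 'iam.gserviceaccount.com' in out` only shows that some service account address was printed. If the removal misses the binding, the test writes an owner grant to the live project. A low-privilege sample role and an explicit check before the write are safer: `gcp_role = 'roles/viewer'` and `assert all(member not in b.get('members', []) for b in policy['bindings'])`. The create/delete pair should also sit in `try`/`finally`, because any failed assertion currently leaves the `python-test-*` account behind. A leftover account also makes a name collision from `random.randint(0, 1000)` more likely on the next run.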
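Review bot: In `view_grantable_roles` (grantable_roles.py) the new guard covers `role['title']` only, while `role['description']` two lines below is still indexed directly and raises KeyError for a role returned without a description. The quickstart.py hunk has the mirror image: it guards `description` but leaves `role['title']` unguarded. Treating both optional fields the same way in both loops, for example `role.get('title', '')` and `role.get('description', '')`, keeps the listing from aborting partway through on a sparse role entry.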
+++ b/iam/api-client/quickstart.py
@@ -41,7 +41,8 @@ def quickstart():
 for role in roles:
 print('Title: ' + role['title'])
 print('Name: ' + role['name'])
- print('Description: ' + role['description'])
+ if 'description' in role:
+ print('Description: ' + role['description'])
 print('')
 # [END iam_quickstart]