IAM: added snippet for remove member

iam/api-client/access.py

@@ -69,6 +69,16 @@ def modify_policy_add_role(policy, role, member):
 # [END iam_modify_policy_add_role]
 
 
+# [START iam_modify_policy_remove_member]
+def modify_policy_remove_member(policy, role, member):
+    """Removes a  member from a role binding."""
+    binding = next(b for b in policy['bindings'] if b['role'] == role)
+    binding['members'].remove(member)
+    print(binding)
+    return policy
+# [END iam_modify_policy_remove_member]
+
+
 # [START iam_set_policy]
 def set_policy(project_id, policy):
     """Sets IAM policy for a project."""
@@ -110,6 +120,13 @@ def main():
     modify_role_parser.add_argument('role')
     modify_role_parser.add_argument('member')
 
+    # Modify: remove member
+    modify_member_parser = subparsers.add_parser(
+        'modify_member', help=get_policy.__doc__)
+    modify_member_parser.add_argument('project_id')
+    modify_member_parser.add_argument('role')
+    modify_member_parser.add_argument('member')
+
     # Set
     set_parser = subparsers.add_parser(
         'set', help=set_policy.__doc__)
@@ -124,6 +141,8 @@ def main():
         set_policy(args.project_id, args.policy)
     elif args.command == 'add_member':
         modify_policy_add_member(args.policy, args.role, args.member)
+    elif args.command == 'remove_member':
+        modify_policy_remove_member(args.policy, args.role, args.member)
     elif args.command == 'add_binding':
         modify_policy_add_role(args.policy, args.role, args.member)
 

iam/api-client/access_test.py

@@ -13,17 +13,43 @@
 # limitations under the License.
 
 import os
+import random
 
 import access
+import service_accounts
 
 
 def test_access(capsys):
-    project = os.environ['GCLOUD_PROJECT']
+    # Setting up variables for testing
+    project_id = os.environ['GCLOUD_PROJECT']
 
-    policy = access.get_policy(project)
+    # specifying a sample role to be assigned
+    gcp_role = 'roles/owner'
+
+    # section to create service account to test policy updates.
+    rand = str(random.randint(0, 1000))
+    name = 'python-test-' + rand
+    email = name + '@' + project_id + '.iam.gserviceaccount.com'
+    member = 'serviceAccount:' + email
+    service_accounts.create_service_account(
+        project_id, name, 'Py Test Account')
+
+    policy = access.get_policy(project_id)
+    out, _ = capsys.readouterr()
+    assert 'etag' in out
+
+    policy = access.modify_policy_add_role(policy, gcp_role, member)
     out, _ = capsys.readouterr()
     assert 'etag' in out
 
-    policy = access.set_policy(project, policy)
+    policy = access.modify_policy_remove_member(policy, gcp_role, member)
     out, _ = capsys.readouterr()
     assert 'etag' in out
+
+    policy = access.set_policy(project_id, policy)
+    out, _ = capsys.readouterr()
+    assert 'etag' in out
+
+    # deleting the service account created above
+    service_accounts.delete_service_account(
+        email)