From 36066a8262741bc33bb144b3210c363f6716c725 Mon Sep 17 00:00:00 2001 From: melaniedejong <35782177+melaniedejong@users.noreply.github.com> Date: Fri, 20 Dec 2024 12:46:21 -0800 Subject: [PATCH 1/9] Update modify_policy_add_member.py comments --- .../snippets/modify_policy_add_member.py | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) diff --git a/iam/cloud-client/snippets/modify_policy_add_member.py b/iam/cloud-client/snippets/modify_policy_add_member.py index 8659385a27c0..f79ec5f9cd3d 100644 --- a/iam/cloud-client/snippets/modify_policy_add_member.py +++ b/iam/cloud-client/snippets/modify_policy_add_member.py @@ -22,20 +22,13 @@ def modify_policy_add_member( project_id: str, role: str, member: str ) -> policy_pb2.Policy: """ - Add a member to certain role in project policy. + Add a principal to certain role in project policy. project_id: ID or number of the Google Cloud project you want to use. - role: role to which member need to be added. - member: The principals requesting access. - - Possible format for member: - * user:{emailid} - * serviceAccount:{emailid} - * group:{emailid} - * deleted:user:{emailid}?uid={uniqueid} - * deleted:serviceAccount:{emailid}?uid={uniqueid} - * deleted:group:{emailid}?uid={uniqueid} - * domain:{domain} + role: role to which principal need to be added. + member: The principal requesting access. + + For principal ID formats, see https://cloud.google.com/iam/docs/principal-identifiers """ policy = get_project_policy(project_id) From 9a0e4036bfd4ab2d34efdf545ce3d5ee0798d368 Mon Sep 17 00:00:00 2001 From: melaniedejong <35782177+melaniedejong@users.noreply.github.com> Date: Fri, 20 Dec 2024 12:47:42 -0800 Subject: [PATCH 2/9] Update modify_policy_remove_member.py --- .../snippets/modify_policy_remove_member.py | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) 
diff --git a/iam/cloud-client/snippets/modify_policy_remove_member.py b/iam/cloud-client/snippets/modify_policy_remove_member.py index ef62ece38c08..b35fdaacf51a 100644 --- a/iam/cloud-client/snippets/modify_policy_remove_member.py +++ b/iam/cloud-client/snippets/modify_policy_remove_member.py @@ -22,20 +22,13 @@ def modify_policy_remove_member( project_id: str, role: str, member: str ) -> policy_pb2.Policy: """ - Remove a member from certain role in project policy. + Remove a principal from certain role in project policy. project_id: ID or number of the Google Cloud project you want to use. - role: role to which member need to be added. - member: The principals requesting access. - - Possible format for member: - * user:{emailid} - * serviceAccount:{emailid} - * group:{emailid} - * deleted:user:{emailid}?uid={uniqueid} - * deleted:serviceAccount:{emailid}?uid={uniqueid} - * deleted:group:{emailid}?uid={uniqueid} - * domain:{domain} + role: role to revoke. + member: The principal to revoke access from. + + For principal ID formats, see https://cloud.google.com/iam/docs/principal-identifiers """ policy = get_project_policy(project_id) From 0489a1a94848e7978042e8a04ca5d46d2e807f54 Mon Sep 17 00:00:00 2001 From: melaniedejong <35782177+melaniedejong@users.noreply.github.com> Date: Fri, 20 Dec 2024 12:49:37 -0800 Subject: [PATCH 3/9] Update quickstart.py comments --- iam/cloud-client/snippets/quickstart.py | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/iam/cloud-client/snippets/quickstart.py b/iam/cloud-client/snippets/quickstart.py index 4f9cfd697cbc..04ab9d2f4f5e 100644 --- a/iam/cloud-client/snippets/quickstart.py +++ b/iam/cloud-client/snippets/quickstart.py 
@@ -19,20 +19,20 @@ def quickstart(project_id: str, member: str) -> None: - """Gets a policy, adds a member, prints their permissions, and removes the member. + """Gets a policy, adds a principal, prints their permissions, and removes the principal. project_id: ID or number of the Google Cloud project you want to use. - member: The principals requesting the access. + member: The principal requesting the access. """ # Role to be granted. role = "roles/logging.logWriter" crm_service = resourcemanager_v3.ProjectsClient() - # Grants your member the 'Log Writer' role for the project. + # Grants your principal the 'Log Writer' role for the project. modify_policy_add_role(crm_service, project_id, role, member) - # Gets the project's policy and prints all members with the 'Log Writer' role. + # Gets the project's policy and prints all principals with the 'Log Writer' role. policy = get_policy(crm_service, project_id) binding = next(b for b in policy.bindings if b.role == role) print(f"Role: {(binding.role)}") @@ -40,7 +40,7 @@ def quickstart(project_id: str, member: str) -> None: for m in binding.members: print(f"[{m}]") - # Removes the member from the 'Log Writer' role. + # Removes the principal from the 'Log Writer' role. modify_policy_remove_member(crm_service, project_id, role, member) @@ -115,7 +115,8 @@ def modify_policy_remove_member( if __name__ == "__main__": # TODO: replace with your project ID project_id = "your-project-id" - # TODO: Replace with the ID of your member in the form 'user:member@example.com'. - member = "your-member" + # TODO: Replace with the ID of your principal. + # For examples, see https://cloud.google.com/iam/docs/principal-identifiers + member = "your-principal" quickstart(project_id, member) # [END iam_quickstart] From af9c528491112023bf5c9e9e94d2e9c5da2f1ef7 Mon Sep 17 00:00:00 2001 
From: melaniedejong <35782177+melaniedejong@users.noreply.github.com> Date: Fri, 20 Dec 2024 12:51:28 -0800 Subject: [PATCH 4/9] Update iam_modify_policy_add_role.py member -> principal --- iam/cloud-client/snippets/iam_modify_policy_add_role.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/iam/cloud-client/snippets/iam_modify_policy_add_role.py b/iam/cloud-client/snippets/iam_modify_policy_add_role.py index 03f31f63a386..4d7bfc4a62c7 100644 --- a/iam/cloud-client/snippets/iam_modify_policy_add_role.py +++ b/iam/cloud-client/snippets/iam_modify_policy_add_role.py @@ -14,10 +14,10 @@ # [START iam_modify_policy_add_role] -def modify_policy_add_role(policy: dict, role: str, member: str) -> dict: +def modify_policy_add_role(policy: dict, role: str, principal: str) -> dict: """Adds a new role binding to a policy.""" - binding = {"role": role, "members": [member]} + binding = {"role": role, "members": [principal]} policy["bindings"].append(binding) print(policy) return policy From f9e3efcf667d1657329fccdc4fe2c2ef2bbed250 Mon Sep 17 00:00:00 2001 From: melaniedejong <35782177+melaniedejong@users.noreply.github.com> Date: Thu, 16 Jan 2025 15:39:28 -0800 Subject: [PATCH 5/9] Apply code review suggestions to replace "member" with "principal" in additional places (#13071) * Update modify_policy_remove_member.py Per code review suggestions, replace additional instances of "member" with "principal" * Update modify_policy_add_member.py (#13070) --- iam/cloud-client/snippets/modify_policy_add_member.py | 8 ++++---- .../snippets/modify_policy_remove_member.py | 10 +++++----- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/iam/cloud-client/snippets/modify_policy_add_member.py b/iam/cloud-client/snippets/modify_policy_add_member.py index f79ec5f9cd3d..8a7d78ea1eea 100644 --- a/iam/cloud-client/snippets/modify_policy_add_member.py +++ b/iam/cloud-client/snippets/modify_policy_add_member.py 
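Review bot: Renaming the third parameter of `modify_policy_add_role` from `member` to `principal` changes the keyword interface, so any caller that passes `member=...` would now fail with a TypeError; no callers are visible in this patch, so a search is worth doing before merging. The one-line docstring still says nothing about the arguments, unlike the other snippets in this series; I would add `principal: The principal to grant the role to. For ID formats, see https://cloud.google.com/iam/docs/principal-identifiers`. The function also always appends a fresh binding, so a policy that already has a binding for `role` ends up with two entries for it, and the docstring should say so if that is intended.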
@@ -19,14 +19,14 @@ def modify_policy_add_member( - project_id: str, role: str, member: str + project_id: str, role: str, principal: str ) -> policy_pb2.Policy: """ Add a principal to certain role in project policy. project_id: ID or number of the Google Cloud project you want to use. role: role to which principal need to be added. - member: The principal requesting access. + principal: The principal requesting access. For principal ID formats, see https://cloud.google.com/iam/docs/principal-identifiers """ @@ -34,7 +34,7 @@ def modify_policy_add_member( for bind in policy.bindings: if bind.role == role: - bind.members.append(member) + bind.members.append(principal) break return set_project_policy(project_id, policy) @@ -52,4 +52,4 @@ def modify_policy_add_member( role = "roles/viewer" member = f"serviceAccount:test-service-account@{project_id}.iam.gserviceaccount.com" - modify_policy_add_member(project_id, role, member) + modify_policy_add_member(project_id, role, principal) diff --git a/iam/cloud-client/snippets/modify_policy_remove_member.py b/iam/cloud-client/snippets/modify_policy_remove_member.py index b35fdaacf51a..d84696540ed5 100644 --- a/iam/cloud-client/snippets/modify_policy_remove_member.py +++ b/iam/cloud-client/snippets/modify_policy_remove_member.py @@ -19,14 +19,14 @@ def modify_policy_remove_member( - project_id: str, role: str, member: str + project_id: str, role: str, principal: str ) -> policy_pb2.Policy: """ Remove a principal from certain role in project policy. project_id: ID or number of the Google Cloud project you want to use. role: role to revoke. - member: The principal to revoke access from. + principal: The principal to revoke access from. For principal ID formats, see https://cloud.google.com/iam/docs/principal-identifiers """ 
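Review bot: In the `@@ -34,7 +34,7 @@` hunk of modify_policy_add_member.py the loop has no `else` branch, so when the policy has no binding for `role` the principal is never added, yet the unchanged policy is still written back and returned as if the grant had happened. quickstart.py's `modify_policy_add_role` (patch 7/9) already handles this with a `for … else` that creates the binding, and this snippet should match it. The append is also unconditional, so a repeated call lists the same principal twice in the binding; the quickstart copy shares that. The start of the function is outside this hunk, so the fence shows only the loop.

```python
    for bind in policy.bindings:
        if bind.role == role:
            if principal not in bind.members:
                bind.members.append(principal)
            break
    else:
        # No binding for this role yet: create one instead of writing the
        # policy back unchanged.
        binding = policy_pb2.Binding()
        binding.role = role
        binding.members.append(principal)
        policy.bindings.append(binding)
    # … unchanged: return set_project_policy(project_id, policy) …
```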
@@ -35,7 +35,7 @@ def modify_policy_remove_member( for bind in policy.bindings: if bind.role == role: if member in bind.members: - bind.members.remove(member) + bind.members.remove(principal) break return set_project_policy(project_id, policy, False) @@ -51,6 +51,6 @@ def modify_policy_remove_member( # Your Google Cloud project ID. project_id = "test-project-id" role = "roles/viewer" - member = f"serviceAccount:test-service-account@{project_id}.iam.gserviceaccount.com" + principal = f"serviceAccount:test-service-account@{project_id}.iam.gserviceaccount.com" - modify_policy_remove_member(project_id, role, member) + modify_policy_remove_member(project_id, role, principal) From 98de6b8328d3a35299694401abdac5a7faebb403 Mon Sep 17 00:00:00 2001 From: melaniedejong <35782177+melaniedejong@users.noreply.github.com> Date: Thu, 16 Jan 2025 15:41:13 -0800 Subject: [PATCH 6/9] Update iam/cloud-client/snippets/quickstart.py doc string Co-authored-by: code-review-assist[bot] <182814678+code-review-assist[bot]@users.noreply.github.com> --- iam/cloud-client/snippets/quickstart.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/iam/cloud-client/snippets/quickstart.py b/iam/cloud-client/snippets/quickstart.py index 04ab9d2f4f5e..e50c251c9c38 100644 --- a/iam/cloud-client/snippets/quickstart.py +++ b/iam/cloud-client/snippets/quickstart.py @@ -19,6 +19,14 @@ def quickstart(project_id: str, member: str) -> None: + """Demonstrates basic IAM operations. + +This quickstart shows how to get a project's IAM policy, add a principal to a role, list members of a role, and remove a principal from a role. + +Args: + project_id: The ID or number of the Google Cloud project. + member: The principal ID. +""" """Gets a policy, adds a principal, prints their permissions, and removes the principal. project_id: ID or number of the Google Cloud project you want to use. From e50601629efd94a1db02b1509f0c3ea66041f93b Mon Sep 17 00:00:00 2001 
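Review bot: Revocation in the `@@ -35,7 +35,7 @@` hunk of modify_policy_remove_member.py stops at the first binding whose role matches, because of the `break`. If the policy holds more than one binding for the same role, which IAM allows when the bindings carry different conditions, the principal stays in the later ones and keeps the access the caller meant to revoke; whether `get_project_policy` returns such bindings is not visible here. Dropping the `break` so that every matching binding is checked closes that gap, and the same applies to `modify_policy_remove_member` in quickstart.py (`@@ -105,16 +105,16 @@`, patch 7/9). The function body starts above this hunk.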
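Review bot: The docstring added to `quickstart` in patch 6/9 is placed in front of the existing one instead of replacing it, so the function now opens with two consecutive string literals: only the first is the docstring and the second is a dead expression statement. The added lines also appear to start at column 0 while the rest of the body is indented. I would delete the old `"""Gets a policy, adds a principal, …"""` block and indent the new text to the function body; patch 7/9 edits both copies and keeps the duplication. The rest of `quickstart` lies outside this hunk.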
From: melaniedejong <35782177+melaniedejong@users.noreply.github.com> Date: Thu, 16 Jan 2025 15:44:17 -0800 Subject: [PATCH 7/9] Update quickstart.py: replace "member" with "principal" in additional places --- iam/cloud-client/snippets/quickstart.py | 28 ++++++++++++------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/iam/cloud-client/snippets/quickstart.py b/iam/cloud-client/snippets/quickstart.py index e50c251c9c38..f7f0d2b8941f 100644 --- a/iam/cloud-client/snippets/quickstart.py +++ b/iam/cloud-client/snippets/quickstart.py @@ -18,19 +18,19 @@ from google.iam.v1 import iam_policy_pb2, policy_pb2 -def quickstart(project_id: str, member: str) -> None: +def quickstart(project_id: str, principal: str) -> None: """Demonstrates basic IAM operations. This quickstart shows how to get a project's IAM policy, add a principal to a role, list members of a role, and remove a principal from a role. Args: project_id: The ID or number of the Google Cloud project. - member: The principal ID. + principal: The principal ID. """ """Gets a policy, adds a principal, prints their permissions, and removes the principal. project_id: ID or number of the Google Cloud project you want to use. - member: The principal requesting the access. + principal: The principal requesting the access. """ # Role to be granted. @@ -38,7 +38,7 @@ def quickstart(project_id: str, member: str) -> None: crm_service = resourcemanager_v3.ProjectsClient() # Grants your principal the 'Log Writer' role for the project. - modify_policy_add_role(crm_service, project_id, role, member) + modify_policy_add_role(crm_service, project_id, role, principal) # Gets the project's policy and prints all principals with the 'Log Writer' role. policy = get_policy(crm_service, project_id) 
@@ -49,7 +49,7 @@ def quickstart(project_id: str, member: str) -> None: print(f"[{m}]") # Removes the principal from the 'Log Writer' role. - modify_policy_remove_member(crm_service, project_id, role, member) + modify_policy_remove_member(crm_service, project_id, role, principal) def get_policy( @@ -82,7 +82,7 @@ def modify_policy_add_role( crm_service: resourcemanager_v3.ProjectsClient, project_id: str, role: str, - member: str, + principal: str, ) -> None: """Adds a new role binding to a policy.""" @@ -90,12 +90,12 @@ def modify_policy_add_role( for bind in policy.bindings: if bind.role == role: - bind.members.append(member) + bind.members.append(principal) break else: binding = policy_pb2.Binding() binding.role = role - binding.members.append(member) + binding.members.append(principal) policy.bindings.append(binding) set_policy(crm_service, project_id, policy) @@ -105,16 +105,16 @@ def modify_policy_remove_member( crm_service: resourcemanager_v3.ProjectsClient, project_id: str, role: str, - member: str, + principal: str, ) -> None: - """Removes a member from a role binding.""" + """Removes a principal from a role binding.""" policy = get_policy(crm_service, project_id) for bind in policy.bindings: if bind.role == role: - if member in bind.members: - bind.members.remove(member) + if principal in bind.members: + bind.members.remove(principal) break set_policy(crm_service, project_id, policy) @@ -125,6 +125,6 @@ def modify_policy_remove_member( project_id = "your-project-id" # TODO: Replace with the ID of your principal. # For examples, see https://cloud.google.com/iam/docs/principal-identifiers - member = "your-principal" - quickstart(project_id, member) + principal = "your-principal" + quickstart(project_id, principal) # [END iam_quickstart] From 0e9619f6e8c2badacbc508ba6d60823bbee82402 Mon Sep 17 00:00:00 2001 
From: melaniedejong <35782177+melaniedejong@users.noreply.github.com> Date: Thu, 16 Jan 2025 15:47:32 -0800 Subject: [PATCH 8/9] Replace "member" with "principal" to fix failing test --- iam/cloud-client/snippets/modify_policy_remove_member.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/iam/cloud-client/snippets/modify_policy_remove_member.py b/iam/cloud-client/snippets/modify_policy_remove_member.py index d84696540ed5..5c88a01071d4 100644 --- a/iam/cloud-client/snippets/modify_policy_remove_member.py +++ b/iam/cloud-client/snippets/modify_policy_remove_member.py @@ -34,7 +34,7 @@ def modify_policy_remove_member( for bind in policy.bindings: if bind.role == role: - if member in bind.members: + if principal in bind.members: bind.members.remove(principal) break From afc63034d635e535fb654a99b9a8b06e100cc46d Mon Sep 17 00:00:00 2001 From: melaniedejong <35782177+melaniedejong@users.noreply.github.com> Date: Thu, 16 Jan 2025 15:48:48 -0800 Subject: [PATCH 9/9] Replace "member" with "principal" to fix failing test --- iam/cloud-client/snippets/modify_policy_add_member.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/iam/cloud-client/snippets/modify_policy_add_member.py b/iam/cloud-client/snippets/modify_policy_add_member.py index 8a7d78ea1eea..83b114f93b38 100644 --- a/iam/cloud-client/snippets/modify_policy_add_member.py +++ b/iam/cloud-client/snippets/modify_policy_add_member.py @@ -50,6 +50,6 @@ def modify_policy_add_member( # Your Google Cloud project ID. project_id = "test-project-id" role = "roles/viewer" - member = f"serviceAccount:test-service-account@{project_id}.iam.gserviceaccount.com" + principal = f"serviceAccount:test-service-account@{project_id}.iam.gserviceaccount.com" modify_policy_add_member(project_id, role, principal)