-2

我想为用户授予以下 IAM 权限。

允许:

BigQuery 作业用户
浏览器

我知道如何通过 Windows UI 进行设置,但我想通过 python 脚本设置此 IAM 权限?

4

1 回答 1

1

是的,可以通过使用Client Libraries来做到这一点。

您可以查看以下文档中的一些示例。

我制作了一个快速脚本,可以满足您的要求:

from google.oauth2 import service_account
import googleapiclient.discovery


credentials = service_account.Credentials.from_service_account_file(
    filename='PATH/TO/KEY.json',
    scopes=['https://www.googleapis.com/auth/cloud-platform'])
service = googleapiclient.discovery.build(
    'cloudresourcemanager', 'v1', credentials=credentials)



def modify_policy_add_member(policy, role, member):
    binding = next(b for b in policy['bindings'] if b['role'] == role)
    binding['members'].append(member)
    print(binding)
    return policy

def create_role_add_member(policy, role, member):
    """Adds a new member to a role binding."""
    binding = {
                'role': role,
                'members': [member]
            }
    print(binding)
    policy['bindings'].append(binding)
    return policy

if __name__ == "__main__":
    project_id="YOUR_PROJECT_ID"
    policy=service.projects().getIamPolicy(
                resource=project_id,
                body={},
            ).execute()
    role="roles/bigquery.dataViewer" #example role to grant user
    member="user:MEMBER_TO_ADD"
    roles = [b['role'] for b in policy['bindings']]
    if role  in roles:
        new_policy = modify_policy_add_member(policy, role, member)
    else:
        new_policy = create_role_add_member(policy, role, member)
    print(new_policy)
    policy = service.projects().setIamPolicy(
            resource=project_id,
            body={
                'policy': new_policy,
    }).execute()

将其按部分分解,脚本执行以下操作:

1- 使用具有https://www.googleapis.com/auth/cloud-platform范围的服务帐户密钥文件对 API 进行身份验证。在此示例中,我使用了具有project/owner权限的服务帐户密钥文件。

from google.oauth2 import service_account
import googleapiclient.discovery

credentials = service_account.Credentials.from_service_account_file(
    filename='PATH/TO/KEY.json',
    scopes=['https://www.googleapis.com/auth/cloud-platform'])
service = googleapiclient.discovery.build(
    'cloudresourcemanager', 'v1', credentials=credentials)

2-获取项目的当前政策:

 policy=service.projects().getIamPolicy(
                resource=project_id,
                body={},
            ).execute()

3- 设置要授予的角色,在 BigQuery 中您可以在此列表中看到。同样,设置要添加的成员,格式user:<USER_ADDRESS>中,需要保留user:要添加的帐户前的字符串,除非您要添加服务帐户,否则必须更改user:serviceaccount:

4-检查角色是否已经存在,如果存在,只需将成员附加到现有角色:

def modify_policy_add_member(policy, role, member):
    binding = next(b for b in policy['bindings'] if b['role'] == role)
    binding['members'].append(member)
    print(binding)
    return policy

否则,创建角色并将其附加到策略绑定:

def create_role_add_member(policy, role, member):
    """Adds a new member to a role binding."""
    binding = {
                'role': role,
                'members': [member]
            }
    print(binding)
    policy['bindings'].append(binding)
    return policy

5- 通过发送更新后的政策来更新项目中的政策:

policy = service.projects().setIamPolicy(
            resource=project_id,
            body={
                'policy': new_policy,
    }).execute()

请注意,要在 Python 中使用此 API,您需要安装以下模块:

google-api-python-client==1.7.4
google-auth==1.5.1
google-auth-httplib2==0.0.3
于 2019-01-22T10:31:23.923 回答