google.cloud.forseti.common.gcp_api.iam module

Wrapper for IAM API client.

class IAMClient(global_configs, **kwargs)

Bases: object

IAM Client.

KEY_TYPES = frozenset({'SYSTEM_MANAGED', 'USER_MANAGED'})
SYSTEM_MANAGED = 'SYSTEM_MANAGED'
USER_MANAGED = 'USER_MANAGED'

get_curated_roles(parent=None)

Get information about curated roles.

Parameters: parent (str) – An optional parent ID to query. If unset, defaults to returning the list of curated roles in GCP.
Returns: The response of retrieving the curated roles.
Return type: list
Raises: ApiExecutionError – Raised if the call to the GCP API fails.

get_organization_roles(org_id)

Get information about custom organization roles.

Parameters: org_id (str) – The id of the organization.
Returns: The response of retrieving the organization roles.
Return type: list
Raises: ApiExecutionError – Raised if the call to the GCP API fails.

get_project_roles(project_id)

Get information about custom project roles.

Parameters: project_id (str) – The id of the project.
Returns: The response of retrieving the project roles.
Return type: list
Raises: ApiExecutionError – Raised if the call to the GCP API fails.

get_service_account_iam_policy(name)

Get IAM policy associated with a service account.

Parameters: name (str) – The service account name to query, must be in the format projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}
Returns: The IAM policies for the service account.
Return type: dict
Raises: ApiExecutionError – Raised if the call to the GCP API fails.
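
An added example (not part of Forseti or of this reference) showing one way to review the dict returned by get_service_account_iam_policy for grants that let a principal act as the service account. It assumes the dict has the standard IAM Policy shape (a bindings list of role and members); the role list, the trusted-domain allowlist, and the helper names member_domain and risky_bindings are choices made for this illustration.

```python
IMPERSONATION_ROLES = frozenset({
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountKeyAdmin",
})
PUBLIC_MEMBERS = frozenset({"allUsers", "allAuthenticatedUsers"})

SAMPLE_POLICY = {  # constructed sample, in the shape of an IAM Policy resource
    "bindings": [
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:alice@example.com",
                     "user:bob@partner.example.net"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["allAuthenticatedUsers",
                     "serviceAccount:ci@my-proj.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["user:eve@other.example.org"]},
    ],
}


def member_domain(member):
    """Return the domain of 'user:a@b.c' or 'domain:b.c'; None if there is none."""
    kind, _, ident = member.partition(":")
    if kind == "domain":
        return ident.lower()
    if kind in ("user", "group", "serviceAccount") and "@" in ident:
        return ident.rsplit("@", 1)[1].lower()
    return None


def risky_bindings(policy, trusted_domains):
    """Return sorted (role, member, reason) findings for impersonation roles."""
    trusted = {d.lower() for d in trusted_domains}
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in IMPERSONATION_ROLES:
            continue  # only roles that allow acting as the account are reviewed
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((role, member, "public"))
            elif member_domain(member) not in trusted:
                findings.append((role, member, "untrusted-domain"))
    return sorted(findings)
```

Members whose domain cannot be determined are reported as untrusted, so unknown member types fail closed.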

get_service_account_keys(name, key_type=None)

Get keys associated with the given Service Account.

Parameters:
  • name (str) – The service account name to query, must be in the format projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}
  • key_type (str) – Optional, the key type to include in the results. Can be None, USER_MANAGED or SYSTEM_MANAGED. Defaults to returning all key types.
Returns: List with a dict for each key associated with the account.
Return type: list
Raises:
  • ValueError – Raised if an invalid key_type is specified.
  • ApiExecutionError – Raised if the call to the GCP API fails.
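
An added example (not Forseti's own code) of a key-age check over the list that get_service_account_keys returns. It assumes each dict carries the name, keyType and validAfterTime fields of the IAM API's ServiceAccountKey resource; the 90-day threshold in the test, the sample data, and the function names are constructed for this illustration.

```python
from datetime import datetime, timedelta, timezone

KEY_TYPES = frozenset({"SYSTEM_MANAGED", "USER_MANAGED"})  # as listed on this page

# Constructed sample in the shape of ServiceAccountKey resources.
SA = "projects/my-proj/serviceAccounts/ci@my-proj.iam.gserviceaccount.com"
SAMPLE_KEYS = [
    {"name": SA + "/keys/aaa111", "keyType": "USER_MANAGED",
     "validAfterTime": "2023-01-10T00:00:00Z"},
    {"name": SA + "/keys/bbb222", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-05-01T00:00:00Z"},
    {"name": SA + "/keys/ccc333", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2022-01-01T00:00:00Z"},
    {"name": SA + "/keys/ddd444", "keyType": "USER_MANAGED",
     "validAfterTime": "2022-06-01T00:00:00Z"},
]


def parse_rfc3339(ts):
    """Parse a 'Z'-suffixed RFC 3339 timestamp into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def stale_user_keys(keys, max_age_days, now=None):
    """Return (key_id, age_days) for USER_MANAGED keys older than the limit."""
    now = now or datetime.now(timezone.utc)
    limit = timedelta(days=max_age_days)
    stale = []
    for key in keys:
        key_type = key.get("keyType")
        if key_type not in KEY_TYPES:
            raise ValueError("unexpected keyType: %r" % (key_type,))
        if key_type != "USER_MANAGED":
            continue  # system-managed keys are rotated by Google
        age = now - parse_rfc3339(key["validAfterTime"])
        if age > limit:
            stale.append((key["name"].rsplit("/", 1)[-1], age.days))
    return sorted(stale, key=lambda item: -item[1])  # oldest first
```

Passing key_type='USER_MANAGED' to get_service_account_keys narrows the list at the source; the function still filters on keyType so it is safe on an unfiltered list.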

get_service_accounts(project_id)

Get Service Accounts associated with a project.

Parameters: project_id (str) – The project ID to get Service Accounts for.
Returns: List of service accounts associated with the project.
Return type: list
Raises: ApiExecutionError – Raised if the call to the GCP API fails.

class IamRepositoryClient(quota_max_calls=None, quota_period=1.0, use_rate_limiter=True)

Bases: google.cloud.forseti.common.gcp_api._base_repository.BaseRepositoryClient

IAM API Repository.

organizations_roles

An _IamOrganizationsRolesRepository instance.

projects_roles

An _IamProjectsRolesRepository instance.

projects_serviceaccounts

An _IamProjectsServiceAccountsRepository instance.

projects_serviceaccounts_keys

An _IamProjectsServiceAccountsKeysRepository instance.

roles

An _IamRolesRepository instance.

class _IamOrganizationsRolesRepository(**kwargs)

Bases: google.cloud.forseti.common.gcp_api.repository_mixins.ListQueryMixin, google.cloud.forseti.common.gcp_api._base_repository.GCPRepository

Implementation of Iam Organizations Roles repository.

static get_name(org_id)

Returns a formatted name field to pass in to the API.

Parameters: org_id (str) – The id of the organization to query.
Returns: A formatted organization name.
Return type: str

class _IamProjectsRolesRepository(**kwargs)

Bases: google.cloud.forseti.common.gcp_api.repository_mixins.ListQueryMixin, google.cloud.forseti.common.gcp_api._base_repository.GCPRepository

Implementation of Iam Projects Roles repository.

static get_name(project_id)

Returns a formatted name field to pass in to the API.

Parameters: project_id (str) – The id of the project to query.
Returns: A formatted project name.
Return type: str

class _IamProjectsServiceAccountsKeysRepository(**kwargs)

Bases: google.cloud.forseti.common.gcp_api.repository_mixins.ListQueryMixin, google.cloud.forseti.common.gcp_api._base_repository.GCPRepository

Implementation of Iam Projects ServiceAccounts Keys repository.

class _IamProjectsServiceAccountsRepository(**kwargs)

Bases: google.cloud.forseti.common.gcp_api.repository_mixins.GetIamPolicyQueryMixin, google.cloud.forseti.common.gcp_api.repository_mixins.ListQueryMixin, google.cloud.forseti.common.gcp_api._base_repository.GCPRepository

Implementation of Iam Projects ServiceAccounts repository.

get_iam_policy(resource, fields=None, verb='getIamPolicy', include_body=False, resource_field='resource', **kwargs)

Get Service Account IAM Policy.

Parameters:
  • self (GCPRepository) – An instance of a GCPRepository class.
  • resource (str) – The id of the resource to fetch.
  • fields (str) – Fields to include in the response - partial response.
  • verb (str) – The method to call on the API.
  • include_body (bool) – If true, include an empty body parameter in the method args.
  • resource_field (str) – The parameter name of the resource field to pass to the method.
  • **kwargs (dict) – Optional additional arguments to pass to the query.
Returns: The response from the GCP API.
Return type: dict

static get_name(project_id)

Returns a formatted name field to pass in to the API.

Parameters: project_id (str) – The id of the project to query.
Returns: A formatted project name.
Return type: str

class _IamRolesRepository(**kwargs)

Bases: google.cloud.forseti.common.gcp_api.repository_mixins.ListQueryMixin, google.cloud.forseti.common.gcp_api._base_repository.GCPRepository

Implementation of Iam Roles repository.