feat: Add new gcloud commands, API clients, and third-party libraries across various services.

This commit is contained in:
2026-01-01 20:26:35 +01:00
parent 5e23cbece0
commit a19e592eb7
25221 changed files with 8324611 additions and 0 deletions


@@ -0,0 +1,14 @@
# -*- coding: utf-8 -*- #
# Copyright 2016 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.


@@ -0,0 +1,477 @@
# -*- coding: utf-8 -*- #
# Copyright 2021 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Generators for Credential Config Files."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
import abc
import enum
import json
from googlecloudsdk.command_lib.auth import enterprise_certificate_config
from googlecloudsdk.core import log
from googlecloudsdk.core import properties
from googlecloudsdk.core.util import files
import six
class ConfigType(enum.Enum):
WORKLOAD_IDENTITY_POOLS = 1
WORKFORCE_POOLS = 2
class ByoidEndpoints(object):
"""Base class for BYOID endpoints."""
def __init__(
self,
service,
enable_mtls=False,
universe_domain='googleapis.com',
sts_location='',
):
# TODO: b/444042857 - Remove this check and add support for mTLS with
# locational STS endpoints when it is GA-ed.
if enable_mtls and sts_location and sts_location != 'global':
raise GeneratorError(
'mTLS is not supported with locational Security Token Service'
' endpoints.'
)
self._sts_global_template = 'https://{service}.{mtls}{universe}'
self._sts_locational_template = (
'https://{service}.{sts_location}.rep.{universe}'
)
self._service = service
self._mtls = 'mtls.' if enable_mtls else ''
self._universe_domain = universe_domain
self._sts_location = sts_location
@property
def _base_url(self):
if not self._sts_location or self._sts_location == 'global':
return self._sts_global_template.format(
service=self._service, mtls=self._mtls, universe=self._universe_domain
)
return self._sts_locational_template.format(
service=self._service,
sts_location=self._sts_location,
universe=self._universe_domain,
)
class StsEndpoints(ByoidEndpoints):
"""Simple class to build STS endpoints."""
def __init__(self, **kwargs):
super(StsEndpoints, self).__init__('sts', **kwargs)
@property
def token_url(self):
api = 'v1/token'
return '{}/{}'.format(self._base_url, api)
@property
def oauth_token_url(self):
api = 'v1/oauthtoken'
return '{}/{}'.format(self._base_url, api)
@property
def token_info_url(self):
api = 'v1/introspect'
return '{}/{}'.format(self._base_url, api)
class IamEndpoints(ByoidEndpoints):
"""Simple class to build IAM Credential endpoints."""
def __init__(self, service_account, **kwargs):
self._service_account = service_account
super(IamEndpoints, self).__init__('iamcredentials', **kwargs)
@property
def impersonation_url(self):
api = 'v1/projects/-/serviceAccounts/{}:generateAccessToken'.format(
self._service_account
)
return '{}/{}'.format(self._base_url, api)
RESOURCE_TYPE = 'credential configuration file'
def create_credential_config(args, config_type):
"""Creates the byoid credential config based on CLI arguments."""
# If a certificate path was provided, enable mtls by default.
is_cert = getattr(args, 'credential_cert_path', None) is not None
enable_mtls = getattr(args, 'enable_mtls', False)
sts_location = getattr(args, 'sts_location', '')
# If a certificate path was provided, mtls must be enabled.
if is_cert:
if not enable_mtls and hasattr(args, 'enable_mtls'):
raise GeneratorError(
'Cannot disable mTLS when a certificate path is provided.'
)
enable_mtls = True
# Take universe_domain into account.
universe_domain_property = properties.VALUES.core.universe_domain
if getattr(args, 'universe_domain', None):
# Universe_domain arg takes precedence.
universe_domain = args.universe_domain
elif universe_domain_property.IsExplicitlySet():
universe_domain = universe_domain_property.Get()
else:
universe_domain = properties.VALUES.core.universe_domain.default
token_endpoint_builder = StsEndpoints(
enable_mtls=enable_mtls,
universe_domain=universe_domain,
sts_location=sts_location,
)
try:
generator = get_generator(args, config_type)
output = {
'universe_domain': universe_domain,
'type': 'external_account',
'audience': '//iam.googleapis.com/' + args.audience,
'subject_token_type': generator.get_token_type(args.subject_token_type),
'token_url': token_endpoint_builder.token_url,
'credential_source': generator.get_source(args),
}
if config_type is ConfigType.WORKFORCE_POOLS:
output['workforce_pool_user_project'] = args.workforce_pool_user_project
if args.service_account:
sa_endpoint_builder = IamEndpoints(
args.service_account,
enable_mtls=enable_mtls,
universe_domain=universe_domain,
)
output['service_account_impersonation_url'] = (
sa_endpoint_builder.impersonation_url
)
service_account_impersonation = {}
if args.service_account_token_lifetime_seconds:
service_account_impersonation['token_lifetime_seconds'] = (
args.service_account_token_lifetime_seconds
)
output['service_account_impersonation'] = service_account_impersonation
else:
output['token_info_url'] = token_endpoint_builder.token_info_url
files.WriteFileContents(args.output_file, json.dumps(output, indent=2))
log.CreatedResource(args.output_file, RESOURCE_TYPE)
# If the credential type is X.509, we need to create an additional
# certificate config file to store the certificate information.
if isinstance(generator, X509CredConfigGenerator):
enterprise_certificate_config.create_config(
enterprise_certificate_config.ConfigType.WORKLOAD,
cert_path=args.credential_cert_path,
key_path=args.credential_cert_private_key_path,
output_file=args.credential_cert_configuration_output_file,
trust_chain_path=args.credential_cert_trust_chain_path,
)
except GeneratorError as cce:
log.CreatedResource(args.output_file, RESOURCE_TYPE, failed=cce.message)
def get_generator(args, config_type):
"""Determines the type of credential output based on CLI arguments."""
if args.credential_source_file:
return FileCredConfigGenerator(config_type, args.credential_source_file)
if args.credential_source_url:
return UrlCredConfigGenerator(config_type, args.credential_source_url,
args.credential_source_headers)
if args.executable_command:
if hasattr(args, 'executable_interactive_timeout_millis'
) and args.executable_interactive_timeout_millis:
return InteractiveExecutableCredConfigGenerator(
config_type, args.executable_command, args.executable_timeout_millis,
args.executable_output_file,
args.executable_interactive_timeout_millis)
return ExecutableCredConfigGenerator(config_type, args.executable_command,
args.executable_timeout_millis,
args.executable_output_file)
if args.aws:
return AwsCredConfigGenerator()
if args.azure:
return AzureCredConfigGenerator(args.app_id_uri, args.audience)
if args.credential_cert_path:
return X509CredConfigGenerator(
args.credential_cert_path,
args.credential_cert_private_key_path,
args.credential_cert_configuration_output_file,
args.credential_cert_trust_chain_path,
)
class CredConfigGenerator(six.with_metaclass(abc.ABCMeta, object)):
"""Base class for generating Credential Config files."""
def __init__(self, config_type):
self.config_type = config_type
def get_token_type(self, subject_token_type):
"""Returns the type of token that this credential config uses."""
default_token_type = 'urn:ietf:params:oauth:token-type:jwt'
if self.config_type is ConfigType.WORKFORCE_POOLS:
default_token_type = 'urn:ietf:params:oauth:token-type:id_token'
return subject_token_type or default_token_type
def _get_format(self, credential_source_type, credential_source_field_name):
"""Returns an optional dictionary indicating the format of the token.
This is a shared method, that several different token types need access to.
Args:
credential_source_type: The format of the token, either 'json' or 'text'.
credential_source_field_name: The field name of a JSON object containing
the text version of the token.
Raises:
GeneratorError: if an invalid token format is specified, or no field name
is specified for a json token.
"""
if not credential_source_type:
return None
credential_source_type = credential_source_type.lower()
if credential_source_type not in ('json', 'text'):
raise GeneratorError(
'--credential-source-type must be either "json" or "text"')
token_format = {'type': credential_source_type}
if credential_source_type == 'json':
if not credential_source_field_name:
raise GeneratorError(
'--credential-source-field-name required for JSON formatted tokens')
token_format['subject_token_field_name'] = credential_source_field_name
return token_format
def _format_already_defined(self, credential_source_type):
if credential_source_type:
raise GeneratorError(
'--credential-source-type is not supported with --azure or --aws')
@abc.abstractmethod
def get_source(self, args):
"""Gets the credential source info used for this credential config."""
pass
class FileCredConfigGenerator(CredConfigGenerator):
"""The generator for File-based credential configs."""
def __init__(self, config_type, credential_source_file):
super(FileCredConfigGenerator, self).__init__(config_type)
self.credential_source_file = credential_source_file
def get_source(self, args):
credential_source = {'file': self.credential_source_file}
token_format = self._get_format(args.credential_source_type,
args.credential_source_field_name)
if token_format:
credential_source['format'] = token_format
return credential_source
class UrlCredConfigGenerator(CredConfigGenerator):
"""The generator for Url-based credential configs."""
def __init__(self, config_type, credential_source_url,
credential_source_headers):
super(UrlCredConfigGenerator, self).__init__(config_type)
self.credential_source_url = credential_source_url
self.credential_source_headers = credential_source_headers
def get_source(self, args):
credential_source = {'url': self.credential_source_url}
if self.credential_source_headers:
credential_source['headers'] = self.credential_source_headers
token_format = self._get_format(args.credential_source_type,
args.credential_source_field_name)
if token_format:
credential_source['format'] = token_format
return credential_source
class ExecutableCredConfigGenerator(CredConfigGenerator):
"""The generator for executable-command-based credentials configs."""
def __init__(self, config_type, command, timeout_millis, output_file):
if timeout_millis:
timeout_millis = int(timeout_millis)
super(ExecutableCredConfigGenerator, self).__init__(config_type)
self.command = command
self.timeout_millis = timeout_millis or 30000 # default to 30s
self.output_file = output_file
def get_source(self, args):
executable_config = {
'command': self.command,
'timeout_millis': self.timeout_millis
}
if self.output_file:
executable_config['output_file'] = self.output_file
return {'executable': executable_config}
class InteractiveExecutableCredConfigGenerator(ExecutableCredConfigGenerator):
"""The generator for executable-command-based credentials configs with interactive mode."""
def __init__(self, config_type, command, timeout_millis, output_file,
interactive_timeout_millis):
super(InteractiveExecutableCredConfigGenerator,
self).__init__(config_type, command, timeout_millis, output_file)
self.interactive_timeout_millis = int(interactive_timeout_millis)
def get_source(self, args):
if not self.output_file:
raise GeneratorError('--executable-output-file must be specified if ' +
'--interactive-timeout-millis is provided.')
executable_config = {
'command': self.command,
'timeout_millis': self.timeout_millis,
'output_file': self.output_file,
'interactive_timeout_millis': self.interactive_timeout_millis
}
return {'executable': executable_config}
class AwsCredConfigGenerator(CredConfigGenerator):
"""The generator for AWS-based credential configs."""
def __init__(self):
super(AwsCredConfigGenerator,
self).__init__(ConfigType.WORKLOAD_IDENTITY_POOLS)
def get_token_type(self, subject_token_type):
return 'urn:ietf:params:aws:token-type:aws4_request'
def get_source(self, args):
self._format_already_defined(args.credential_source_type)
credential_source = {
'environment_id':
'aws1',
'region_url':
'http://169.254.169.254/latest/meta-data/placement/availability-zone',
'url':
'http://169.254.169.254/latest/meta-data/iam/security-credentials',
'regional_cred_verification_url':
'https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15'
}
if args.enable_imdsv2:
credential_source['imdsv2_session_token_url'] = (
'http://169.254.169.254/latest/api/token'
)
return credential_source
class AzureCredConfigGenerator(CredConfigGenerator):
"""The generator for Azure-based credential configs."""
def __init__(self, app_id_uri, audience):
super(AzureCredConfigGenerator,
self).__init__(ConfigType.WORKLOAD_IDENTITY_POOLS)
self.app_id_uri = app_id_uri
self.audience = audience
def get_token_type(self, subject_token_type):
return 'urn:ietf:params:oauth:token-type:jwt'
def get_source(self, args):
self._format_already_defined(args.credential_source_type)
return {
'url':
'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource='
+
(self.app_id_uri or 'https://iam.googleapis.com/' + self.audience),
'headers': {
'Metadata': 'True'
},
'format': {
'type': 'json',
'subject_token_field_name': 'access_token'
}
}
class X509CredConfigGenerator(CredConfigGenerator):
"""The generator for X.509-based credential configs."""
def __init__(self,
certificate_path,
key_path,
cert_config_path,
trust_chain_path):
super(X509CredConfigGenerator,
self).__init__(ConfigType.WORKLOAD_IDENTITY_POOLS)
self.certificate_path = certificate_path
self.key_path = key_path
self.cert_config_path = cert_config_path
self.trust_chain_path = trust_chain_path
def get_token_type(self, subject_token_type):
return 'urn:ietf:params:oauth:token-type:mtls'
def get_source(self, args):
certificate_config = {}
if self.key_path is None:
raise GeneratorError(
'--credential-cert-private-key-path must be specified if'
' --credential-cert-path '
+ 'is provided.'
)
if self.cert_config_path is not None:
certificate_config['certificate_config_location'] = self.cert_config_path
else:
certificate_config['use_default_certificate_config'] = True
if self.trust_chain_path is not None:
certificate_config['trust_chain_path'] = self.trust_chain_path
return {'certificate': certificate_config}
class GeneratorError(Exception):
def __init__(self, message):
super(GeneratorError, self).__init__()
self.message = message
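Review bot: `files.WriteFileContents(args.output_file, json.dumps(output, indent=2))` in `create_credential_config` writes the credential configuration with the helper's default file mode, even though the output can carry `credential_source.headers` copied verbatim from `--credential-source-headers` by `UrlCredConfigGenerator.get_source`, i.e. potentially an authentication header for the subject-token endpoint. If the helper accepts a restrictive-permissions option (a `private=True`-style keyword), pass it on this call; otherwise restrict the file to the owner after writing, as is done for other credential files. A related hardening point: the `except GeneratorError` branch only logs the failure through `log.CreatedResource(..., failed=cce.message)` and returns normally, so whether the enclosing command exits non-zero when no file was written is not visible here and would be worth confirming.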


@@ -0,0 +1,67 @@
# -*- coding: utf-8 -*- #
# Copyright 2013 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""IAM completers."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.command_lib.util import completers
from googlecloudsdk.core import resources
class IamRolesCompleter(completers.ListCommandCompleter):
"""An IAM role completer for a resource argument.
The Complete() method override bypasses the completion cache.
Attributes:
_resource_dest: The argparse Namespace dest string for the resource
argument that has the roles.
_resource_collection: The resource argument collection.
"""
def __init__(self, resource_dest=None, resource_collection=None, **kwargs):
super(IamRolesCompleter, self).__init__(**kwargs)
self._resource_dest = resource_dest
self._resource_collection = resource_collection
def GetListCommand(self, parameter_info):
resource_ref = resources.REGISTRY.Parse(
parameter_info.GetValue(self._resource_dest),
collection=self._resource_collection,
default_resolver=parameter_info.GetValue)
resource_uri = resource_ref.SelfLink()
return ['beta', 'iam', 'list-grantable-roles', '--quiet',
'--flatten=name', '--format=disable', resource_uri]
def Complete(self, prefix, parameter_info):
"""Bypasses the cache and returns completions matching prefix."""
command = self.GetListCommand(parameter_info)
items = self.GetAllItems(command, parameter_info)
return [
item for item in items or []
if item is not None and item.startswith(prefix)
]
class IamServiceAccountCompleter(completers.ListCommandCompleter):
def __init__(self, **kwargs):
super(IamServiceAccountCompleter, self).__init__(
list_command=('iam service-accounts list --quiet '
'--flatten=email --format=disable'),
**kwargs)
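Review bot: `IamServiceAccountCompleter` has no docstring, unlike `IamRolesCompleter` directly above it, and nothing states that it completes against the output of `iam service-accounts list --quiet --flatten=email --format=disable`; a one-liner such as `"""Completes service account emails from `gcloud iam service-accounts list`."""` would do. In `IamRolesCompleter.Complete`, `GetListCommand` runs `resources.REGISTRY.Parse` before the `items or []` guard, so a missing or unparsable resource value surfaces as an exception rather than an empty completion list; whether the completion framework catches that is not visible here and could be noted in the class docstring.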


@@ -0,0 +1,154 @@
# -*- coding: utf-8 -*- #
# Copyright 2016 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Common flags for iam commands."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import arg_parsers
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.iam.byoid_utilities import cred_config
from googlecloudsdk.command_lib.util.args import common_args
def GetRoleFlag(verb):
return base.Argument(
'role',
metavar='ROLE_ID',
help='ID of the role to {0}. '
'Curated roles example: roles/viewer. '
'Custom roles example: CustomRole. '
'For custom roles, you must also specify the `--organization` '
'or `--project` flag.'.format(verb))
def GetCustomRoleFlag(verb):
return base.Argument(
'role',
metavar='ROLE_ID',
help='ID of the custom role to {0}. '
'You must also specify the `--organization` or `--project` '
'flag.'.format(verb))
def GetOrgFlag(verb):
return base.Argument(
'--organization',
help='Organization of the role you want to {0}.'.format(verb))
def GetProjectFlag(verb):
help_text = 'Project of the role you want to {0}.'.format(verb)
return common_args.ProjectArgument(help_text_to_prepend=help_text)
def AddParentFlags(parser, verb, required=True):
parent_group = parser.add_mutually_exclusive_group(required=required)
GetOrgFlag(verb).AddToParser(parent_group)
GetProjectFlag(verb).AddToParser(parent_group)
_RESOURCE_NAME_HELP = """\
The full resource name or URI to {verb}.
See ["Resource Names"](https://cloud.google.com/apis/design/resource_names) for
details. To get a URI from most `list` commands in `gcloud`, pass the `--uri`
flag. For example:
```
$ gcloud compute instances list --project prj --uri \\
https://compute.googleapis.com/compute/v1/projects/prj/zones/us-east1-c/instances/i1 \\
https://compute.googleapis.com/compute/v1/projects/prj/zones/us-east1-d/instances/i2
```
"""
def GetResourceNameFlag(verb):
return base.Argument('resource', help=_RESOURCE_NAME_HELP.format(verb=verb))
def AddCommonByoidCreateConfigFlags(parser, config_type):
"""Adds parser arguments that are common to both workload identity federation and workforce pools."""
parser.add_argument(
'--output-file',
help='Location to store the generated credential configuration file.',
required=True)
parser.add_argument(
'--universe-domain', help='Universe domain.', hidden=True
)
service_account_impersonation_options = parser.add_group(
help='Service account impersonation options.')
service_account_impersonation_options.add_argument(
'--service-account',
help='Email of the service account to impersonate.',
required=True)
service_account_impersonation_options .add_argument(
'--service-account-token-lifetime-seconds',
type=arg_parsers.Duration(
default_unit='s',
lower_bound='600',
upper_bound='43200',
parsed_unit='s'),
help=('Lifetime duration of the service account access token in seconds. '
'Defaults to one hour if not specified. If a lifetime greater than '
'one hour is required, the service account must be added as an '
'allowed value in an Organization Policy that enforces the '
'`constraints/iam.allowServiceAccountCredentialLifetimeExtension` '
'constraint.')
)
parser.add_argument(
'--credential-source-headers',
type=arg_parsers.ArgDict(),
metavar='key=value',
help='Headers to use when querying the credential-source-url.')
parser.add_argument(
'--credential-source-type',
help='Format of the credential source (JSON or text).')
parser.add_argument(
'--credential-source-field-name',
help='Subject token field name (key) in a JSON credential source.')
executable_args = parser.add_group(
help='Arguments for an executable type credential source.')
executable_args.add_argument(
'--executable-timeout-millis',
type=arg_parsers.Duration(
default_unit='ms',
lower_bound='5s',
upper_bound='120s',
parsed_unit='ms'),
help=('Timeout duration, in milliseconds, to '
'wait for the executable to finish.')
)
executable_args.add_argument(
'--executable-output-file',
help='Absolute path to the file storing the executable response.')
if config_type == cred_config.ConfigType.WORKFORCE_POOLS:
executable_args.add_argument(
'--executable-interactive-timeout-millis',
type=arg_parsers.Duration(
default_unit='ms',
lower_bound='30s',
upper_bound='1800s',
parsed_unit='ms'),
help='Timeout duration, in milliseconds, to wait for the ' +
'executable to finish when the command is running in interactive mode.')
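Review bot: The help text of `--credential-source-headers` in `AddCommonByoidCreateConfigFlags` does not say where the values end up: `cred_config.UrlCredConfigGenerator` copies them verbatim into the `credential_source.headers` entry of the generated file, so a bearer token or API key passed here is persisted in plaintext on disk. Proposed help text: `help='Headers to use when querying the credential-source-url. Header values are written verbatim into the generated credential configuration file, so avoid placing long-lived secrets in them.'`. Similarly, `--executable-output-file` is documented as an "Absolute path" but nothing validates that; if the client library requires an absolute path, a `type=` validator on the argument would fail fast at config creation rather than at token-exchange time.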


@@ -0,0 +1,923 @@
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
oauth_client:
client_type:
api_field: oauthClient.clientType
arg_name: client-type
help_text: |-
The type of OAuth client.
choices:
- arg_value: confidential-client
enum_value: CONFIDENTIAL_CLIENT
- arg_value: public-client
enum_value: PUBLIC_CLIENT
description:
api_field: oauthClient.description
arg_name: description
help_text: |-
A description of the OAuth client. Cannot exceed 256 characters.
display_name:
api_field: oauthClient.displayName
arg_name: display-name
help_text: |-
A display name for the OAuth client. Cannot exceed 32 characters.
disabled:
api_field: oauthClient.disabled
arg_name: disabled
help_text: |-
Disables the OAuth client. You cannot use a disabled OAuth client for login. Include `--no-disabled` to enable a disabled OAuth client.
allowed_grant_types:
api_field: oauthClient.allowedGrantTypes
type: 'googlecloudsdk.calliope.arg_parsers:ArgList:'
arg_name: allowed-grant-types
help_text: |-
A list of OAuth grant types that are allowed for the OAuth client.
The following grant types are currently supported:
* `authorization-code-grant`
* `refresh-token-grant`
allowed_scopes:
api_field: oauthClient.allowedScopes
arg_name: allowed-scopes
help_text: |-
A list of scopes that the OAuth client is allowed to request during OAuth flows.
The following scopes are currently supported:
* `https://www.googleapis.com/auth/cloud-platform`: View, edit, configure, and delete your
Google Cloud data, and view the email
address for your Google Account.
* `openid`: Associate you with your personal info on Google Cloud.
* `email`: The OAuth client can read a federated identity's email address.
* `groups`: The OAuth client can read a federated identity's groups.
allowed_redirect_uris:
api_field: oauthClient.allowedRedirectUris
arg_name: allowed-redirect-uris
help_text: |-
A list of redirect uris that is allowed for redirecting when the authorization is completed.
oauth_client_credential:
display_name:
api_field: oauthClientCredential.displayName
arg_name: display-name
help_text: |-
A display name for the OAuth client credential. Cannot exceed 32 characters.
disabled:
api_field: oauthClientCredential.disabled
arg_name: disabled
help_text: |-
Disables the OAuth client credential. You cannot use a disabled OAuth client credential for
OAuth. Include `--no-disabled` to enable a disabled OAuth client credential.
workload_identity_pool:
display_name:
api_field: workloadIdentityPool.displayName
ALPHA:
api_field: googleIamV1betaWorkloadIdentityPool.displayName
BETA:
api_field: googleIamV1betaWorkloadIdentityPool.displayName
arg_name: display-name
help_text: |-
A display name for the pool. Cannot exceed 32 characters.
description:
api_field: workloadIdentityPool.description
ALPHA:
api_field: googleIamV1betaWorkloadIdentityPool.description
BETA:
api_field: googleIamV1betaWorkloadIdentityPool.description
arg_name: description
help_text: |-
A description of the pool. Cannot exceed 256 characters.
disabled:
api_field: workloadIdentityPool.disabled
ALPHA:
api_field: googleIamV1betaWorkloadIdentityPool.disabled
BETA:
api_field: googleIamV1betaWorkloadIdentityPool.disabled
arg_name: disabled
help_text: |-
Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use
existing tokens to access resources. If the pool is re-enabled, existing tokens grant access
again.
session_duration:
api_field: workloadIdentityPool.sessionDuration
arg_name: session-duration
type: googlecloudsdk.core.util.times:ParseDuration
processor: googlecloudsdk.core.util.times:FormatDurationForJson
help_text: |-
Overrides the lifespan of access tokens issued issued for identities in this pool. If not set,
the lifespan of issued access tokens is computed based on the type of identity provider:
- For AWS, the default access token lifespan is equal to 15
minutes.
- For OIDC providers, including Microsoft Azure, the default access token lifespan is equal to
the remaining lifespan of the exchanged OIDC ID token, with a maximum lifespan
of 1 hour.
- For SAML providers, the lifetime of the token is the minimum of session_duration
and the SessionNotOnOrAfter claim in the SAML assertion. If
session_duration is not set and the SAML assertion does not contain a
SessionNotOnOrAfter claim, it defaults to 1 hour.
If set, session duration must be between 2 minutes and 12 hours.
Organization administrators can further reduce the maximum
session_duration value using the iam-workloadIdentitySessionDuration
Resource Setting.
mode:
api_field: workloadIdentityPool.mode
arg_name: mode
help_text: |-
The mode of the pool.
inline_certificate_issuance_config_file:
api_field: workloadIdentityPool.inlineCertificateIssuanceConfig
type: "googlecloudsdk.calliope.arg_parsers:YAMLFileContents:"
processor: googlecloudsdk.command_lib.iam.iam_util:ParseYamlOrJsonToInlineCertificateIssuanceConfig
arg_name: inline-certificate-issuance-config-file
help_text: |-
YAML file with configuration for certificate issuance.
Example file format:
```yaml
inlineCertificateIssuanceConfig:
caPools:
us-east1: projects/1234/locations/us-east1/caPools/capoolname
us-west1: projects/1234/locations/us-west1/caPools/capoolname
keyAlgorithm: ECDSA_P256
lifetime: 86400s
rotationWindowPercentage: 50
```
key_algorithm:
api_field: workloadIdentityPool.inlineCertificateIssuanceConfig.keyAlgorithm
arg_name: key-algorithm
help_text: |-
Key algorithm to use when generating the key pair. This key pair will be used to create the
certificate.
certificate_lifetime:
api_field: workloadIdentityPool.inlineCertificateIssuanceConfig.lifetime
arg_name: certificate-lifetime
help_text: |-
Lifetime of the workload certificates issued by the CA pool.
rotation_window_percentage:
api_field: workloadIdentityPool.inlineCertificateIssuanceConfig.rotationWindowPercentage
arg_name: rotation-window-percentage
help_text: |-
Rotation window percentage indicating when certificate rotation should be initiated based on
remaining lifetime.
use_default_shared_ca:
api_field: workloadIdentityPool.inlineCertificateIssuanceConfig.useDefaultSharedCa
arg_name: use-default-shared-ca
action: store_true_false
help_text: |-
Whether to use the default shared CA to issue certificates.
If this flag is enabled, certificates will be automatically provisioned from the default
shared CAs. A default CA in the same region as the workload will be selected to issue the
certificate. Enabling this flag will clear any existing `ca_pools` configuration to provision
the certificates.
inline_trust_config_file:
api_field: workloadIdentityPool.inlineTrustConfig
type: "googlecloudsdk.calliope.arg_parsers:YAMLFileContents:"
processor: googlecloudsdk.command_lib.iam.iam_util:ParseYamlOrJsonToInlineTrustConfig
arg_name: inline-trust-config-file
help_text: |-
YAML file with configuration for providing additional trust bundles.
Example file format:
```yaml
inlineTrustConfig:
additionalTrustBundles:
example.com:
trustAnchors:
- pemCertificate: "-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----"
- pemCertificate: "-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----"
myorg.com:
trustAnchors:
- pemCertificate: "-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----"
- pemCertificate: "-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----"
```
enable_mesh_ca_compatibility:
api_field: workloadIdentityPool.enableMeshCaCompatibility
arg_name: enable-mesh-ca-compatibility
action: store_true
help_text: |-
Whether to enable mesh CA compatibility for the trust domain.
If set to true, the generated trust bundle for the workloads in this trust domain will
include the Cloud Service Mesh certificate authority's root CA certificates. The certificate
chain for the workload in this trust domain will be signed by the Cloud Service Mesh
certificate authority root CA.
workload_identity_pool_provider:
display_name:
api_field: workloadIdentityPoolProvider.displayName
ALPHA:
api_field: googleIamV1betaWorkloadIdentityPoolProvider.displayName
BETA:
api_field: googleIamV1betaWorkloadIdentityPoolProvider.displayName
arg_name: display-name
help_text: |-
A display name for the provider. Cannot exceed 32 characters.
description:
api_field: workloadIdentityPoolProvider.description
ALPHA:
api_field: googleIamV1betaWorkloadIdentityPoolProvider.description
BETA:
api_field: googleIamV1betaWorkloadIdentityPoolProvider.description
arg_name: description
required: false
help_text: |-
A description for the provider. Cannot exceed 256 characters.
disabled:
api_field: workloadIdentityPoolProvider.disabled
ALPHA:
api_field: googleIamV1betaWorkloadIdentityPoolProvider.disabled
BETA:
api_field: googleIamV1betaWorkloadIdentityPoolProvider.disabled
arg_name: disabled
help_text: |-
Whether the provider is disabled. You cannot use a disabled provider to exchange tokens.
However, existing tokens still grant access.
attribute_mapping:
api_field: workloadIdentityPoolProvider.attributeMapping
ALPHA:
api_field: googleIamV1betaWorkloadIdentityPoolProvider.attributeMapping
BETA:
api_field: googleIamV1betaWorkloadIdentityPoolProvider.attributeMapping
arg_name: attribute-mapping
metavar: KEY=VALUE
type: "googlecloudsdk.calliope.arg_parsers:ArgDict:"
help_text: |-
Maps attributes from authentication credentials issued by an external
identity provider to Google Cloud attributes, such as `subject` and
`segment`.
Each key must be a string specifying the Google Cloud IAM attribute to
map to.
The following keys are supported:
* `google.subject`: The principal IAM is authenticating. You can reference
this value in IAM bindings. This is also the
subject that appears in Cloud Logging logs.
Cannot exceed 127 bytes.
* `google.groups`: Groups the external identity belongs to. You can grant
groups access to resources using an IAM `principalSet`
binding; access applies to all members of the group.
You can also provide custom attributes by specifying
`attribute.{custom_attribute}`, where `{custom_attribute}` is the name of
the custom attribute to be mapped. You can define a maximum of 50 custom
attributes. The maximum length of a mapped attribute key is
100 characters, and the key may only contain the characters `[a-z_0-9]`.
You can reference these attributes in IAM policies to define fine-grained
access for a workload to Google Cloud resources. For example:
* `google.subject`: `principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}`
* `google.groups`: `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}`
* `attribute.{custom_attribute}`: `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}`
Each value must be a [Common Expression Language](https://opensource.google/projects/cel)
function that maps an identity provider credential to the normalized attribute specified by
the corresponding map key.
You can use the `assertion` keyword in the expression to access a JSON
representation of the authentication credential issued by the provider.
The maximum length of an attribute mapping expression is 2048 characters.
When evaluated, the total size of all mapped attributes must not exceed
8KB.
For AWS providers, the following rules apply:
- If no attribute mapping is defined, the following default mapping
applies:
```json
{
"google.subject":"assertion.arn",
"attribute.aws_role":
"assertion.arn.contains('assumed-role')"
" ? assertion.arn.extract('{account_arn}assumed-role/')"
" + 'assumed-role/'"
" + assertion.arn.extract('assumed-role/{role_name}/')"
" : assertion.arn",
}
```
- If any custom attribute mappings are defined, they must include a mapping
to the `google.subject` attribute.
For OIDC providers, the following rules apply:
- Custom attribute mappings must be defined, and must include a mapping to
the `google.subject` attribute. For example, the following maps the
`sub` claim of the incoming credential to the `subject` attribute on
a Google token.
```json
{"google.subject": "assertion.sub"}
```
attribute_condition:
api_field: workloadIdentityPoolProvider.attributeCondition
ALPHA:
api_field: googleIamV1betaWorkloadIdentityPoolProvider.attributeCondition
BETA:
api_field: googleIamV1betaWorkloadIdentityPoolProvider.attributeCondition
arg_name: attribute-condition
help_text: |-
[A Common Expression Language](https://opensource.google/projects/cel)
expression, in plain text, to restrict what otherwise valid authentication
credentials issued by the provider should not be accepted.
The expression must output a boolean representing whether to allow the
federation.
The following keywords may be referenced in the expressions:
* `assertion`: JSON representing the authentication credential issued by
the provider.
* `google`: The Google attributes mapped from the assertion in the
`attribute_mappings`.
* `attribute`: The custom attributes mapped from the assertion in the
`attribute_mappings`.
The maximum length of the attribute condition expression is 4096
characters. If unspecified, all valid authentication credential are
accepted.
The following example shows how to only allow credentials with a mapped
`google.groups` value of `admins`:
```
"'admins' in google.groups"
```
aws_account_id:
api_field: workloadIdentityPoolProvider.aws.accountId
ALPHA:
api_field: googleIamV1betaWorkloadIdentityPoolProvider.aws.accountId
BETA:
api_field: googleIamV1betaWorkloadIdentityPoolProvider.aws.accountId
arg_name: account-id
help_text: |-
The AWS account ID.
oidc_issuer_uri:
api_field: workloadIdentityPoolProvider.oidc.issuerUri
ALPHA:
api_field: googleIamV1betaWorkloadIdentityPoolProvider.oidc.issuerUri
BETA:
api_field: googleIamV1betaWorkloadIdentityPoolProvider.oidc.issuerUri
arg_name: issuer-uri
help_text: |-
The OIDC issuer URL.
oidc_jwks_json_path:
api_field: workloadIdentityPoolProvider.oidc.jwksJson
type: "googlecloudsdk.calliope.arg_parsers:FileContents:"
ALPHA:
api_field: googleIamV1betaWorkloadIdentityPoolProvider.oidc.jwksJson
BETA:
api_field: googleIamV1betaWorkloadIdentityPoolProvider.oidc.jwksJson
arg_name: jwk-json-path
help_text: |-
Optional file containing jwk public keys. The file format must follow
[jwk specifications](https://www.rfc-editor.org/rfc/rfc7517#section-4). Example file format:
```json
{
"keys": [
{
"kty": "RSA/EC",
"alg": "<algorithm>",
"use": "sig",
"kid": "<key-id>",
"n": "",
"e": "",
"x": "",
"y": "",
"crv": ""
}
]
}
```
.
oidc_allowed_audiences:
api_field: workloadIdentityPoolProvider.oidc.allowedAudiences
ALPHA:
api_field: googleIamV1betaWorkloadIdentityPoolProvider.oidc.allowedAudiences
BETA:
api_field: googleIamV1betaWorkloadIdentityPoolProvider.oidc.allowedAudiences
arg_name: allowed-audiences
help_text: |-
Acceptable values for the `aud` field (audience) in the OIDC token. Token
exchange requests are rejected if the token audience does not match one
of the configured values. Each audience may be at most 256 characters. A
maximum of 10 audiences may be configured.
If this list is empty, the OIDC token audience must be equal to
the full canonical resource name of the workload identity pool provider,
with or without the HTTPS prefix. For example:
```
//iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
```
saml_idp_metadata_path:
api_field: workloadIdentityPoolProvider.saml.idpMetadataXml
type: "googlecloudsdk.calliope.arg_parsers:FileContents:"
arg_name: idp-metadata-path
help_text: |-
XML file with configuration metadata for the SAML identity provider. The metadata file must
follow the
[SAML 2.0 metadata specification](https://www.oasis-open.org/committees/download.php/35391/sstc-saml-metadata-errata-2.0-wd-04-diff.pdf).
trust_store_config_path:
api_field: workloadIdentityPoolProvider.x509.trustStore
type: "googlecloudsdk.calliope.arg_parsers:YAMLFileContents:"
processor: googlecloudsdk.command_lib.iam.iam_util:ParseYamlToTrustStore
arg_name: trust-store-config-path
help_text: |-
YAML file with configuration metadata for the X.509 identity provider.
Example file format:
```yaml
trustStore:
trustAnchors:
- pemCertificate: "-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----"
intermediateCas:
- pemCertificate: "-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----"
```
workload_identity_pool_provider_key:
use:
api_field: workloadIdentityPoolProviderKey.use
arg_name: use
required: true
help_text: |-
The purpose of the key.
spec:
api_field: workloadIdentityPoolProviderKey.keyData.keySpec
arg_name: spec
required: true
help_text: |-
The specifications for the key.
workload_identity_pool_namespace:
description:
api_field: workloadIdentityPoolNamespace.description
arg_name: description
help_text: |-
A description of the namespace.
disabled:
api_field: workloadIdentityPoolNamespace.disabled
arg_name: disabled
help_text: |-
Whether the namespace is disabled. If disabled, credentials may no longer be issued for
identities in this namespace. Existing credentials may continue to be accepted until they
expire.
workload_identity_pool_managed_identity:
description:
api_field: workloadIdentityPoolManagedIdentity.description
arg_name: description
help_text: |-
A description of the managed identity.
disabled:
api_field: workloadIdentityPoolManagedIdentity.disabled
arg_name: disabled
help_text: |-
Whether the managed identity is disabled. If disabled, credentials may no longer be issued for
this identity. Existing credentials may continue to be accepted until they expire.
workforce_pool:
parent:
api_field: workforcePool.parent
arg_name: organization
required: true
help_text: The parent resource name.
display_name:
api_field: workforcePool.displayName
arg_name: display-name
help_text: A display name for the workforce pool. Cannot exceed 32 characters in length.
description:
api_field: workforcePool.description
arg_name: description
help_text: A description for the workforce pool. Cannot exceed 256 characters in length.
session_duration:
api_field: workforcePool.sessionDuration
arg_name: session-duration
help_text: |-
How long the Google Cloud access tokens, console sign-in sessions, and gcloud sign-in sessions
from this workforce pool are valid. Must be greater than 15 minutes (900s) and less than 12
hours (43200s). If not configured, minted credentials will have a default duration of one
hour (3600s).
disabled:
api_field: workforcePool.disabled
arg_name: disabled
help_text: |-
Disables the workforce pool. You cannot use a disabled workforce pool to
perform new token exchanges or sign-ins using any provider in the workforce pool. Specify
`--no-disabled` to enable a disabled pool.
disable_programmatic_signin:
api_field: workforcePool.accessRestrictions.disableProgrammaticSignin
arg_name: disable-programmatic-signin
help_text: |-
Disables the programmatic sign-in for workforce pool users. Specify
`--no-disable-security-token-exchange` to enable programmatic sign-in. For more
information, refer to Obtain short-lived tokens for workforce identity federation at
https://cloud.google.com/iam/docs/workforce-obtaining-short-lived-credentials
workforce_pool_provider_scim_tenant:
display_name:
api_field: workforcePoolProviderScimTenant.displayName
arg_name: display-name
help_text: |-
Optional, user-specified display name for the SCIM tenant (max 32 characters).
description:
api_field: workforcePoolProviderScimTenant.description
arg_name: description
help_text: |-
Optional, user-specified description for the SCIM tenant (max 256 characters).
claim_mapping:
api_field: workforcePoolProviderScimTenant.claimMapping
arg_name: claim-mapping
metavar: KEY=VALUE
type: "googlecloudsdk.calliope.arg_parsers:ArgDict:"
# TODO(b/412401165): Add specific SCIM claim mapping examples and link to relevant docs when available.
help_text: |-
A comma-separated list of KEY=VALUE pairs defining attribute mappings.
hard_delete:
api_field: hardDelete
arg_name: hard-delete
action: store_true
help_text: |-
Deletes the SCIM tenant immediately. This operation cannot be undone.
workforce_pool_provider_scim_token:
display_name:
api_field: workforcePoolProviderScimToken.displayName
arg_name: display-name
help_text: |-
Optional, user-specified display name for the SCIM token (max 32 characters).
show_deleted:
arg_name: show-deleted
api_field: showDeleted
action: store_true
help_text: Include soft-deleted tokens in the results.
workforce_pool_provider:
display_name:
api_field: workforcePoolProvider.displayName
arg_name: display-name
help_text: |-
A display name for the workforce pool provider. Cannot exceed 32 characters in length.
description:
api_field: workforcePoolProvider.description
arg_name: description
help_text: |-
A description for the workforce pool provider. Cannot exceed 256 characters in length.
disabled:
api_field: workforcePoolProvider.disabled
arg_name: disabled
help_text: |-
Disables the workforce pool provider. You cannot use a disabled provider to perform
new token exchanges or sign-ins. However, existing tokens still grant access. Specify
`--no-disabled` to enable a disabled pool.
detailed_audit_logging:
api_field: workforcePoolProvider.detailedAuditLogging
arg_name: detailed-audit-logging
help_text: |-
Enables detailed audit logging for this provider, which populates additional debug information
in STS Cloud Audit Logs. Specify `--no-detailed-audit-logging` to disable it.
attribute_mapping:
api_field: workforcePoolProvider.attributeMapping
arg_name: attribute-mapping
metavar: KEY=VALUE
type: "googlecloudsdk.calliope.arg_parsers:ArgDict:"
help_text: |-
Maps claims from the authentication credentials issued by the Identity Provider into Google
Cloud IAM attributes, e.g. subject, segment.
Each key must be a string specifying the Google Cloud IAM attribute to be produced.
The following predefined keys are currently supported:
* `google.subject`: required field that indicates the principal that is being authenticated to
IAM, and will be logged in all API accesses for which Cloud Audit Logging
is configured.
* `google.groups`: optional field that indicates asserted groups that the user should be
considered to belong to. You can create IAM bindings using the groups
attribute and access to a resource will be granted if any of the groups
asserted here match a group in the respective binding.
* `google.display_name`: optional field that overrides the name of the user. If not set,
`google.subject` will be displayed instead. This attribute cannot be
used in IAM policies. The maximum length of this field is 100
characters.
* `google.profile_photo`: optional fields that may be set to a valid URL specifying the user's
thumbnail photo. When set, the image will be visible as the user's
profile picture. If not set, a generic user icon will be displayed
instead. This attribute cannot be used in IAM policies.
Custom attributes can also be mapped by specifying `attribute.{custom_attribute}`, replacing
`{custom_attribute}` with the name of the custom attribute to be mapped. A maximum of 50
custom attribute mappings can be defined. The maximum length of a mapped attribute key is 2048
characters and may only contain the characters [a-z0-9_].
These attributes can then be referenced in IAM policies to define fine-grained access for the
workforce pool to Google Cloud resources by specifying:
* `google.subject`: `principal://iam.googleapis.com/locations/global/workforcePools/{pool}/subject/{value}`
* `google.groups`: `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool}/group/{value}`
* `attribute.{custom_attribute}`: `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool}/attribute.{custom_attribute}/{value}`
Each value must be a [Common Expression Language](https://opensource.google/projects/cel)
function that maps an Identity Provider credential to the normalized attribute specified by
the corresponding map key.
The following keywords may be referenced in the expressions:
* `assertion`: JSON representing the authentication credential issued by the Identity
Provider.
The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the
total size of all mapped attributes must not exceed 8KB.
Example: Map the `sub` claim of the incoming credential to the
`subject` Google Cloud IAM attribute.
```json
{"google.subject": "assertion.sub"}
```
attribute_condition:
api_field: workforcePoolProvider.attributeCondition
arg_name: attribute-condition
help_text: |-
A [Common Expression Language](https://opensource.google/projects/cel) expression, in plain
text, to restrict which otherwise valid authentication credentials issued by the provider
should be accepted.
The expression must output a boolean representing whether to allow the federation.
The following keywords may be referenced in the expressions:
* `assertion`: JSON representing the authentication credential issued by the Provider.
* `google`: The Google attributes mapped from the assertion in the `attribute_mappings`.
`google.profile_photo` and `google.display_name` are not supported.
* `attribute`: The custom attributes mapped from the assertion in the `attribute_mappings`.
The maximum length of the attribute condition expression is 4096 characters. If unspecified,
all valid authentication credential will be accepted.
Example: Only allow credentials with a mapped `google.groups` value of `admins`.
```
"'admins' in google.groups"
```
oidc_issuer_uri:
api_field: workforcePoolProvider.oidc.issuerUri
arg_name: issuer-uri
help_text: |-
The OIDC issuer URI. Must be a valid URI using the 'https' scheme.
oidc_client_id:
api_field: workforcePoolProvider.oidc.clientId
arg_name: client-id
help_text: |-
The OIDC client ID. This must match the audience claim of the JWT issued by the identity
provider.
oidc_client_secret_value: &oidc_client_secret_value
api_field: workforcePoolProvider.oidc.clientSecret.value.plainText
arg_name: client-secret-value
help_text: |-
The OIDC client secret. Required to enable Authorization Code flow for web sign-in.
oidc_clearable_client_secret:
group:
mutex: true
params:
- arg_name: clear-client-secret
api_field: workforcePoolProvider.oidc.clientSecret
action: store_true
processor: googlecloudsdk.command_lib.iam.hooks:ClearFlag
help_text: |-
Clear the OIDC client secret.
- *oidc_client_secret_value
oidc_web_sso_response_type:
api_field: workforcePoolProvider.oidc.webSsoConfig.responseType
arg_name: web-sso-response-type
help_text: |-
Response Type to request for in the OIDC Authorization Request for web sign-in.
Use `code` to select the [authorization code flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth)
Use `id-token` to select the [implicit flow](https://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth).
oidc_web_sso_assertion_claims_behavior:
api_field: workforcePoolProvider.oidc.webSsoConfig.assertionClaimsBehavior
arg_name: web-sso-assertion-claims-behavior
help_text: |-
The behavior for how OIDC Claims are included in the `assertion` object used for attribute mapping and attribute condition.
Use `merge-user-info-over-id-token-claims` to merge the UserInfo Endpoint Claims with ID Token
Claims, preferring UserInfo Claim Values for the same Claim Name. Currently this option is only
available for Authorization Code flow.
Use `only-id-token-claims` to include only ID token claims.
oidc_web_sso_additional_scopes:
api_field: workforcePoolProvider.oidc.webSsoConfig.additionalScopes
arg_name: web-sso-additional-scopes
help_text: |-
Additional scopes to request for the OIDC authentication on
top of scopes requested by default. By default, the `openid`, `profile`
and `email` scopes that are supported by the identity provider are
requested.
Each additional scope may be at most 256
characters. A maximum of 10 additional scopes may be configured.
oidc_web_sso_group:
group:
required: true
params:
- api_field: workforcePoolProvider.oidc.webSsoConfig.responseType
arg_name: web-sso-response-type
required: true
help_text: |-
Response Type to request for in the OIDC Authorization Request for web sign-in.
Use `code` to select the [authorization code flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth)
Use `id-token` to select the [implicit flow](https://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth).
- api_field: workforcePoolProvider.oidc.webSsoConfig.assertionClaimsBehavior
arg_name: web-sso-assertion-claims-behavior
required: true
help_text: |-
The behavior for how OIDC Claims are included in the `assertion` object used for attribute mapping and attribute condition.
Use `merge-user-info-over-id-token-claims` to merge the UserInfo Endpoint Claims with ID Token
Claims, preferring UserInfo Claim Values for the same Claim Name. Currently this option is only
available for Authorization Code flow.
Use `only-id-token-claims` to include only ID token claims.
- api_field: workforcePoolProvider.oidc.webSsoConfig.additionalScopes
arg_name: web-sso-additional-scopes
help_text: |-
Additional scopes to request for the OIDC authentication on
top of scopes requested by default. By default, the `openid`, `profile`
and `email` scopes that are supported by the identity provider are
requested.
Each additional scope may be at most 256
characters. A maximum of 10 additional scopes may be configured.
oidc_jwks_json_path:
api_field: workforcePoolProvider.oidc.jwksJson
type: "googlecloudsdk.calliope.arg_parsers:FileContents:"
arg_name: jwk-json-path
help_text: |-
Optional file containing JSON Web Key (JWK) public keys. The file format must follow
[JWK specifications](https://www.rfc-editor.org/rfc/rfc7517#section-4). Example file format:
```json
{
"keys": [
{
"kty": "RSA/EC",
"alg": "<algorithm>",
"use": "sig",
"kid": "<key-id>",
"n": "",
"e": "",
"x": "",
"y": "",
"crv": ""
}
]
}
```
.
saml_idp_metadata_path:
api_field: workforcePoolProvider.saml.idpMetadataXml
type: "googlecloudsdk.calliope.arg_parsers:FileContents:"
arg_name: idp-metadata-path
help_text: |-
XML file with configuration metadata for the SAML identity provider. The metadata file must
follow the
[SAML 2.0 metadata specification](https://www.oasis-open.org/committees/download.php/35391/sstc-saml-metadata-errata-2.0-wd-04-diff.pdf).
extra_attributes_issuer_uri: &extra_attributes_issuer_uri
api_field: workforcePoolProvider.extraAttributesOauth2Client.issuerUri
arg_name: extra-attributes-issuer-uri
help_text: |-
OIDC identity provider's issuer URI. Must be a valid URI using the `https` scheme.
Required to get the OIDC discovery document.
extra_attributes_client_id: &extra_attributes_client_id
api_field: workforcePoolProvider.extraAttributesOauth2Client.clientId
arg_name: extra-attributes-client-id
help_text: |-
The OAuth 2.0 client ID for retrieving extra attributes from the identity provider. Required
to get the access token using client credentials grant flow.
extra_attributes_client_secret_value: &extra_attributes_client_secret_value
api_field: workforcePoolProvider.extraAttributesOauth2Client.clientSecret.value.plainText
arg_name: extra-attributes-client-secret-value
help_text: |-
The OAuth 2.0 client secret for retrieving extra attributes from the identity provider.
Required to get the access token using client credentials grant flow.
extra_attributes_type: &extra_attributes_type
api_field: workforcePoolProvider.extraAttributesOauth2Client.attributesType
arg_name: extra-attributes-type
help_text: |-
Represents the identity provider and type of claims that should be fetched.
extra_attributes_filter: &extra_attributes_filter
api_field: workforcePoolProvider.extraAttributesOauth2Client.queryParameters.filter
arg_name: extra-attributes-filter
help_text: |-
The filter used to request specific records from the IdP.
By default, all of the groups that are associated with a user are
fetched. For Microsoft Entra ID, you can add `$search` query parameters
using [Keyword Query Language]
(https://learn.microsoft.com/en-us/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference).
To learn more about `$search` querying in Microsoft Entra ID, see [Use
the `$search` query parameter]
(https://learn.microsoft.com/en-us/graph/search-query-parameter).
Additionally, Workforce Identity Federation automatically adds the
following [`$filter` query parameters]
(https://learn.microsoft.com/en-us/graph/filter-query-parameter), based
on the value of `attributes_type`. Values passed to `filter` are
converted to `$search` query parameters. Additional `$filter` query
parameters cannot be added using this field.
* `AZURE_AD_GROUPS_MAIL`: `mailEnabled` and `securityEnabled` filters
are applied.
* `AZURE_AD_GROUPS_ID`: `securityEnabled` filter is applied.
clear_extra_attributes_config: &clear_extra_attributes_config
arg_name: clear-extra-attributes-config
api_field: workforcePoolProvider.extraAttributesOauth2Client
action: store_true
processor: googlecloudsdk.command_lib.iam.hooks:ClearFlag
help_text: |-
Clear the extra attributes configuration
scim_usage:
arg_name: scim-usage
api_field: workforcePoolProvider.scimUsage
help_text: |-
Specifies whether the workforce identity pool provider uses SCIM-managed
groups instead of the `google.groups` attribute mapping for authorization checks.
The `scim_usage` and `extended_attributes_oauth2_client` fields are
mutually exclusive. A request that enables both fields on the same
workforce identity pool provider will produce an error.
Use `enabled-for-groups` to enable SCIM-managed groups.
Use `scim-usage-unspecified` to disable SCIM-managed groups.
attribute_sync_interval:
arg_name: attribute-sync-interval
api_field: workforcePoolProvider.attributeSyncInterval
help_text: |-
An interval that determines how often user attributes are synced from the
IdP. Must be between 30 minutes (1800s) and 12 hours (43200s). This
configuration is used only when the Google Cloud session length policy is
configured. When Google Cloud session length policy is configured and
`attribute_sync_interval` is not configured, attributes are synced after a
default interval of 12 hours (43200 seconds)
workforce_pool_provider_key:
use:
api_field: workforcePoolProviderKey.use
arg_name: use
required: true
help_text: The purpose of the key.
spec:
api_field: workforcePoolProviderKey.keyData.keySpec
arg_name: spec
required: true
help_text: The specifications for the key.


@@ -0,0 +1,422 @@
# -*- coding: utf-8 -*- #
# Copyright 2017 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""The python hooks for IAM surface."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
import re
from googlecloudsdk.api_lib.iam import util
from googlecloudsdk.api_lib.util import apis
from googlecloudsdk.calliope import arg_parsers
from googlecloudsdk.calliope import exceptions as gcloud_exceptions
from googlecloudsdk.command_lib.iam import iam_util
from googlecloudsdk.command_lib.util.apis import arg_utils
from googlecloudsdk.core import log
def UpdateRequestWithConditionFromFile(ref, args, request):
"""Python hook to add condition from --condition-from-file to request.
Args:
ref: A resource ref to the parsed resource.
args: Parsed args namespace.
request: The apitools request message to be modified.
Returns:
The modified apitools request message.
"""
del ref
if args.IsSpecified('condition_from_file'):
_, messages = util.GetClientAndMessages()
condition_message = messages.Expr(
description=args.condition_from_file.get('description'),
title=args.condition_from_file.get('title'),
expression=args.condition_from_file.get('expression'),
)
request.condition = condition_message
return request
def _ConditionFileFormatException(filename):
return gcloud_exceptions.InvalidArgumentException(
'condition-from-file',
'(unknown) must be a path to a YAML or JSON file containing the '
'condition. `expression` and `title` are required keys. `description` is '
'optional.'.format(filename=filename),
)
def ParseConditionFromFile(condition_from_file):
"""Read condition from YAML or JSON file."""
condition = arg_parsers.FileContents()(condition_from_file)
condition_dict = iam_util.ParseYamlOrJsonCondition(
condition, _ConditionFileFormatException(condition_from_file)
)
return condition_dict
def EnableIamAccountConfirmation(response, args):
del response
if args.command_path[len(args.command_path) - 3 :] == [
'iam',
'service-accounts',
'enable',
]:
log.status.Print(
'Enabled service account [{}].'.format(args.service_account)
)
def DisableIamAccountConfirmation(response, args):
del response
if args.command_path[len(args.command_path) - 3 :] == [
'iam',
'service-accounts',
'disable',
]:
log.status.Print(
'Disabled service account [{}].'.format(args.service_account)
)
def EnableIamKeyConfirmation(response, args):
del response # Unused.
log.status.Print(
'Enabled key [{0}] for service account [{1}].'.format(
args.iam_key, args.iam_account
)
)
def DisableIamKeyConfirmation(response, args):
del response # Unused.
log.status.Print(
'Disabled key [{0}] for service account [{1}].'.format(
args.iam_key, args.iam_account
)
)
def SetServiceAccountResource(ref, unused_args, request):
"""Add service account name to request name."""
request.name = ref.RelativeName()
return request
def ValidateUpdateFieldMask(ref, unused_args, request):
"""Validate the field mask for an update request."""
del ref, unused_args # Unused.
# Confirm update has at least one path in fieldmask.
if not request.patchServiceAccountRequest.updateMask:
update_fields = ['--display-name', '--description']
raise gcloud_exceptions.OneOfArgumentsRequiredException(
update_fields, 'Specify at least one field to update.'
)
return request
def UseMaxRequestedPolicyVersion(api_field):
"""Set requestedPolicyVersion to max supported in GetIamPolicy request."""
def Process(ref, args, request):
del ref, args # Unused.
arg_utils.SetFieldInMessage(
request, api_field, iam_util.MAX_LIBRARY_IAM_SUPPORTED_VERSION
)
return request
return Process
def AddVersionToUpdateMaskIfNotPresent(update_mask_path):
"""Add ',version' to update_mask if it is not present."""
def Process(ref, args, request):
"""The implementation of Process for the hook."""
del ref, args # Unused.
update_mask = arg_utils.GetFieldValueFromMessage(request, update_mask_path)
if 'version' not in update_mask:
if update_mask is None:
update_mask = 'version'
else:
update_mask += ',version'
arg_utils.SetFieldInMessage(request, update_mask_path, update_mask)
return request
return Process
def CreateFullServiceAccountNameFromId(account_id):
if not account_id.isdigit():
raise gcloud_exceptions.InvalidArgumentException(
'account_id',
'Account unique ID should be a number. Please double check your input'
' and try again.',
)
return 'projects/-/serviceAccounts/' + account_id
def GeneratePublicKeyDataFromFile(path):
"""Generate public key data from a path.
Args:
path: (bytes) the public key file path given by the command.
Raises:
InvalidArgumentException: if the public key file path provided does not
exist or is too large.
Returns:
A public key encoded using the UTF-8 charset.
"""
try:
public_key_data = arg_parsers.FileContents()(path).strip()
except arg_parsers.ArgumentTypeError as e:
raise gcloud_exceptions.InvalidArgumentException(
'public_key_file',
'{}. Please double check your input and try again.'.format(e),
)
return public_key_data.encode('utf-8')
def AddCreateExtraAndExtendedAttributesConfigToRequest(ref, args, request):
"""Add ExtraAttributesOAuth2Client and ExtendedAttributesOAuth2Client fields to create workforcePoolProvider requests."""
del ref
messages = apis.GetMessagesModule('iam', 'v1')
SetExtraAttributesOauth2ClientFields(request, args, messages)
SetExtendedAttributesOauth2ClientFields(request, args, messages)
return request
def AddClearableExtraAttributesConfigToRequest(ref, args, request):
"""Add ExtraAttributesOAuth2Client fields to update workforcePoolProvider requests."""
del ref
messages = apis.GetMessagesModule('iam', 'v1')
if (
args.clear_extra_attributes_config is not None
and args.clear_extra_attributes_config
):
arg_utils.SetFieldInMessage(
request,
'workforcePoolProvider.extraAttributesOauth2Client',
None,
)
else:
SetExtraAttributesOauth2ClientFields(request, args, messages)
return request
def AddClearableExtendedAttributesConfigToRequest(ref, args, request):
"""Add ExtraAttributesOAuth2Client fields to update workforcePoolProvider requests."""
del ref
messages = apis.GetMessagesModule('iam', 'v1')
if (
args.clear_extended_attributes_config is not None
and args.clear_extended_attributes_config
):
arg_utils.SetFieldInMessage(
request,
'workforcePoolProvider.extendedAttributesOauth2Client',
None,
)
else:
SetExtendedAttributesOauth2ClientFields(request, args, messages)
return request
def SetExtraAttributesOauth2ClientFields(request, args, messages):
"""Set ExtraAttributesOauth2Client fields in the request."""
if args.extra_attributes_type is not None:
response_type = (
messages.GoogleIamAdminV1WorkforcePoolProviderExtraAttributesOAuth2Client.AttributesTypeValueValuesEnum
)
if 'azure-ad-groups-mail' in args.extra_attributes_type:
arg_utils.SetFieldInMessage(
request,
'workforcePoolProvider.extraAttributesOauth2Client.attributesType',
response_type.AZURE_AD_GROUPS_MAIL,
)
elif 'azure-ad-groups-id' in args.extra_attributes_type:
arg_utils.SetFieldInMessage(
request,
'workforcePoolProvider.extraAttributesOauth2Client.attributesType',
response_type.AZURE_AD_GROUPS_ID,
)
elif 'azure-ad-groups-display-name' in args.extra_attributes_type:
arg_utils.SetFieldInMessage(
request,
'workforcePoolProvider.extraAttributesOauth2Client.attributesType',
response_type.AZURE_AD_GROUPS_DISPLAY_NAME,
)
if args.extra_attributes_client_id is not None:
arg_utils.SetFieldInMessage(
request,
'workforcePoolProvider.extraAttributesOauth2Client.clientId',
args.extra_attributes_client_id,
)
if args.extra_attributes_client_secret_value is not None:
arg_utils.SetFieldInMessage(
request,
'workforcePoolProvider.extraAttributesOauth2Client.clientSecret.value.plainText',
args.extra_attributes_client_secret_value,
)
if args.extra_attributes_issuer_uri is not None:
arg_utils.SetFieldInMessage(
request,
'workforcePoolProvider.extraAttributesOauth2Client.issuerUri',
args.extra_attributes_issuer_uri,
)
if args.extra_attributes_filter is not None:
arg_utils.SetFieldInMessage(
request,
'workforcePoolProvider.extraAttributesOauth2Client.queryParameters.filter',
args.extra_attributes_filter,
)
def SetExtendedAttributesOauth2ClientFields(request, args, messages):
"""Set ExtendedAttributesOauth2Client fields in the request."""
if args.extended_attributes_type is not None:
response_type = (
messages.GoogleIamAdminV1WorkforcePoolProviderExtraAttributesOAuth2Client.AttributesTypeValueValuesEnum
)
if 'azure-ad-groups-id' in args.extended_attributes_type:
arg_utils.SetFieldInMessage(
request,
'workforcePoolProvider.extendedAttributesOauth2Client.attributesType',
response_type.AZURE_AD_GROUPS_ID,
)
if args.extended_attributes_client_id is not None:
arg_utils.SetFieldInMessage(
request,
'workforcePoolProvider.extendedAttributesOauth2Client.clientId',
args.extended_attributes_client_id,
)
if args.extended_attributes_client_secret_value is not None:
arg_utils.SetFieldInMessage(
request,
'workforcePoolProvider.extendedAttributesOauth2Client.clientSecret.value.plainText',
args.extended_attributes_client_secret_value,
)
if args.extended_attributes_issuer_uri is not None:
arg_utils.SetFieldInMessage(
request,
'workforcePoolProvider.extendedAttributesOauth2Client.issuerUri',
args.extended_attributes_issuer_uri,
)
if args.extended_attributes_filter is not None:
arg_utils.SetFieldInMessage(
request,
'workforcePoolProvider.extendedAttributesOauth2Client.queryParameters.filter',
args.extended_attributes_filter,
)
def AddExtraAttributesConfigFieldMask(unused_ref, args, request):
"""Adds ExtraAttributesOauth2Client specific fieldmask entries to the update workforcePoolProvider request."""
mask_fields = []
if request.updateMask:
mask_fields = request.updateMask.split(',')
if (
args.clear_extra_attributes_config is not None
and args.clear_extra_attributes_config
):
mask_fields.append('extraAttributesOauth2Client')
if args.extra_attributes_type is not None:
mask_fields.append('extraAttributesOauth2Client.attributesType')
if args.extra_attributes_client_id is not None:
mask_fields.append('extraAttributesOauth2Client.clientId')
if args.extra_attributes_client_secret_value is not None:
mask_fields.append(
'extraAttributesOauth2Client.clientSecret.value.plainText'
)
if args.extra_attributes_issuer_uri is not None:
mask_fields.append('extraAttributesOauth2Client.issuerUri')
if args.extra_attributes_filter is not None:
mask_fields.append('extraAttributesOauth2Client.queryParameters.filter')
if mask_fields:
request.updateMask = ','.join(mask_fields)
return request
def AddExtendedAttributesConfigFieldMask(unused_ref, args, request):
"""Adds ExtendedAttributesOauth2Client specific fieldmask entries to the update workforcePoolProvider request."""
mask_fields = []
if request.updateMask:
mask_fields = request.updateMask.split(',')
if (
args.clear_extended_attributes_config is not None
and args.clear_extended_attributes_config
):
mask_fields.append('extendedAttributesOauth2Client')
if args.extended_attributes_type is not None:
mask_fields.append('extendedAttributesOauth2Client.attributesType')
if args.extended_attributes_client_id is not None:
mask_fields.append('extendedAttributesOauth2Client.clientId')
if args.extended_attributes_client_secret_value is not None:
mask_fields.append(
'extendedAttributesOauth2Client.clientSecret.value.plainText'
)
if args.extended_attributes_issuer_uri is not None:
mask_fields.append('extendedAttributesOauth2Client.issuerUri')
if args.extended_attributes_filter is not None:
mask_fields.append('extendedAttributesOauth2Client.queryParameters.filter')
if mask_fields:
request.updateMask = ','.join(mask_fields)
return request
def ClearFlag(args):
"""Clear the value for a flag."""
del args
return None
def ModifyHardDeleteFlagInRequest(ref, args, request):
"""Remove the flag from the request when it is not specified."""
del ref
if not args.hard_delete:
arg_utils.SetFieldInMessage(
request,
'hardDelete',
None,
)
return request
def EraseProjectHook(unused_ref, unused_args, request):
"""Hook to erase the project identifier from the request.
Args:
unused_ref: The resource reference of the response.
unused_args: The arguments of the command.
request: The request of the command.
Returns:
The modified apitools request message.
"""
request.name = re.sub('projects/[^/]+/', 'projects/-/', request.name)
return request


@@ -0,0 +1,61 @@
# -*- coding: utf-8 -*- #
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Utilities to support identity pools long-running operations."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.api_lib.util import waiter
class IdentityPoolOperationPoller(waiter.CloudOperationPoller):
"""Manages an identity pool long-running operation."""
def GetResult(self, operation):
"""Overrides.
Override the default implementation because Identity Pools
GetOperation does not return anything in the Operation.response field.
Args:
operation: api_name_message.Operation.
Returns:
result of result_service.Get request.
"""
request_type = self.result_service.GetRequestType('Get')
resource_name = '/'.join(operation.name.split('/')[:-2])
return self.result_service.Get(request_type(name=resource_name))
class IdentityPoolOperationPollerNoResources(waiter.CloudOperationPoller):
"""Manages an identity pool long-running operation that creates no resources."""
def GetResult(self, operation):
"""Overrides.
Override the default implementation because Identity Pools
GetOperation does not return anything in the Operation.response field.
Args:
operation: api_name_message.Operation.
Returns:
None
"""
return None
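Review bot: `IdentityPoolOperationPoller.GetResult` builds the resource name by dropping the last two path segments of `operation.name` without checking that those segments are actually `operations/<id>`, so an operation name in any other shape would silently address a different resource in the following `Get`. A comment stating the assumption, e.g. `# operation.name is '<resource>/operations/<id>'; drop the last two segments to address the parent resource.`, and a guard such as `if segments[-2] != 'operations': raise ValueError('unexpected operation name: %s' % operation.name)` (with `segments = operation.name.split('/')`) would make a malformed name fail loudly instead of fetching the wrong object. Whether the base `waiter.CloudOperationPoller` already validates the name or surfaces `operation.error` before `GetResult` is called is not visible in this hunk.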


@@ -0,0 +1,76 @@
# -*- coding: utf-8 -*- #
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Common flags for policies API commands."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
def GetAttachmentPointFlag():
return base.Argument(
'--attachment-point',
required=True,
help='Resource to which the policy is attached. For valid formats, see '
'https://cloud.google.com/iam/help/deny/attachment-point.')
def GetKindFlag():
return base.Argument(
'--kind',
required=True,
help='Policy type. Use `denypolicies` for deny policies.')
def GetPolicyIDFlag():
return base.Argument(
'policy_id',
help='Policy ID that is unique for the resource to which the policy is '
'attached.')
def GetEtagFlag():
return base.Argument(
'--etag',
help='Etag that identifies the version of the existing policy. It can be '
'obtained by running `gcloud iam policies get`. When '
'deleting a policy, if the etag is omitted, the policy is deleted '
'regardless of its current etag. When updating a policy, if the etag is '
'omitted, the update uses the etag provided in the policy file.')
def GetPolicyFileFlag():
return base.Argument(
'--policy-file', required=True, help='Path to the file that contains the '
'policy, in JSON or YAML format. For valid syntax, see '
'https://cloud.google.com/iam/help/deny/policy-syntax.')
def GetPageTokenFlag():
return base.Argument(
'--page_token',
help='Page token received from a previous call. Provide this token to '
'retrieve the next page.')
def AddIncludeDenyFlag(parser):
base.Argument(
'--include-deny',
help='Include deny policies on the project and its ancestors in the result',
action='store_true',
default=False,
).AddToParser(parser)
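Review bot: `GetPageTokenFlag` registers `--page_token` with an underscore while every other flag in this file (`--attachment-point`, `--policy-file`, `--include-deny`) uses hyphens, which is the usual gcloud flag convention; unless the underscore spelling is already released and must be kept for compatibility, the definition should read `'--page-token',`. The `--include-deny` help text is also the only one without a terminating period. None of the six `Get*Flag` helpers or `AddIncludeDenyFlag` has a docstring; a one-liner per helper such as `"""Returns the --attachment-point argument shared by policies commands."""` would tell a reader which commands are expected to reuse them.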


@@ -0,0 +1,515 @@
project:
name: project
collection: iam.projects
attributes:
- &project
parameter_name: projectsId
attribute_name: project
help: The project name.
property: core/project
location:
name: location
collection: iam.projects.locations
attributes:
- *project
- &location
parameter_name: locationsId
attribute_name: location
help: The location name.
disable_auto_completers: false
wf_location:
name: location
collection: iam.locations
attributes:
- &wf_location
parameter_name: locationsId
attribute_name: location
help: The location for the workforce pool.
disable_auto_completers: false
service_account:
name: serviceAccount
collection: iam.projects.serviceAccounts
attributes:
- *project
- &service_account
parameter_name: serviceAccountsId
attribute_name: service_account
help: |
The name of the IAM ServiceAccount.
disable_auto_completers: false
iam_account:
name: iamAccount
collection: iam.projects.serviceAccounts
attributes:
- *project
- &iam_account
parameter_name: serviceAccountsId
attribute_name: iam-account
help: |
The name of the IAM ServiceAccount.
disable_auto_completers: false
iam_key:
name: iamKey
collection: iam.projects.serviceAccounts.keys
attributes:
- *project
- *iam_account
- &iam_key
parameter_name: keysId
attribute_name: iam_key
help: |
The ID of the IAM ServiceAccountKey.
disable_auto_completers: false
workload_identity_pool:
name: workload identity pool
collection: iam.projects.locations.workloadIdentityPools
request_id_field: workloadIdentityPoolId
attributes:
- *project
- *location
- &workload_identity_pool
parameter_name: workloadIdentityPoolsId
attribute_name: workload_identity_pool
help: |
The ID to use for the pool, which becomes the final component of the resource name. This value
should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is
reserved for use by Google, and may not be specified.
disable_auto_completers: false
workload_identity_pool_operation:
name: workload identity pool operation
collection: iam.projects.locations.workloadIdentityPools.operations
attributes:
- *project
- *location
- *workload_identity_pool
- &workload_identity_pool_operation
parameter_name: operationsId
attribute_name: operation
help: |
The ID of the operation.
disable_auto_completers: false
workload_identity_pool_provider:
name: workload identity pool provider
collection: iam.projects.locations.workloadIdentityPools.providers
request_id_field: workloadIdentityPoolProviderId
attributes:
- *project
- *location
- *workload_identity_pool
- &workload_identity_pool_provider
parameter_name: providersId
attribute_name: provider
help: |
The ID for the provider, which becomes the final component of the resource name. This value
must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is
reserved for use by Google, and may not be specified.
disable_auto_completers: false
workload_identity_pool_provider_operation:
name: workload identity pool provider operation
collection: iam.projects.locations.workloadIdentityPools.providers.operations
attributes:
- *project
- *location
- *workload_identity_pool
- *workload_identity_pool_provider
- &workload_identity_pool_provider_operation
parameter_name: operationsId
attribute_name: operation
help: |
The ID of the operation.
disable_auto_completers: false
workload_identity_pool_provider_key:
name: workload identity pool provider key
collection: iam.projects.locations.workloadIdentityPools.providers.keys
request_id_field: workloadIdentityPoolProviderKeyId
attributes:
- *project
- *location
- *workload_identity_pool
- *workload_identity_pool_provider
- &workload_identity_pool_provider_key
parameter_name: keysId
attribute_name: key
help: |
The ID for the key, which becomes the final component of the resource name. This value
must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is
reserved for use by Google, and may not be specified.
disable_auto_completers: false
workload_identity_pool_provider_key_operation:
name: workload identity pool provider key operation
collection: iam.projects.locations.workloadIdentityPools.providers.keys.operations
attributes:
- *project
- *location
- *workload_identity_pool
- *workload_identity_pool_provider
- *workload_identity_pool_provider_key
- &workload_identity_pool_provider_key_operation
parameter_name: operationsId
attribute_name: operation
help: |
The ID of the operation.
disable_auto_completers: false
workload_identity_pool_namespace:
name: workload identity pool namespace
collection: iam.projects.locations.workloadIdentityPools.namespaces
request_id_field: workloadIdentityPoolNamespaceId
attributes:
- *project
- *location
- *workload_identity_pool
- &workload_identity_pool_namespace
parameter_name: namespacesId
attribute_name: namespace
help: |
The ID to use for the namespace. This value must be 2-63 characters, and may contain the
characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be
specified.
disable_auto_completers: false
workload_identity_pool_namespace_operation:
name: workload identity pool namespace operation
collection: iam.projects.locations.workloadIdentityPools.namespaces.operations
attributes:
- *project
- *location
- *workload_identity_pool
- *workload_identity_pool_namespace
- &workload_identity_pool_namespace_operation
parameter_name: operationsId
attribute_name: operation
help: |
The ID of the operation.
disable_auto_completers: false
workload_identity_pool_namespace_workload_source:
name: workload source
collection: iam.projects.locations.workloadIdentityPools.namespaces.workloadSources
request_id_field: workloadSourceId
attributes:
- *project
- *location
- *workload_identity_pool
- *workload_identity_pool_namespace
- &workload_identity_pool_namespace_workload_source
parameter_name: workloadSourcesId
attribute_name: workload_source
help: |
The ID of the workload source, which becomes the final component of the resource name.
This value corresponds to a boundary from within which workloads can be matched. This
value is formatted as follows:
* `project-[project_number]` - A Google Cloud project.
disable_auto_completers: false
workload_identity_pool_namespace_workload_source_operation:
name: workload source operation
collection: iam.projects.locations.workloadIdentityPools.namespaces.workloadSources.operations
attributes:
- *project
- *location
- *workload_identity_pool
- *workload_identity_pool_namespace
- *workload_identity_pool_namespace_workload_source
- &workload_identity_pool_namespace_workload_source_operation
parameter_name: operationsId
attribute_name: operation
help: |
The ID of the operation.
disable_auto_completers: false
workload_identity_pool_managed_identity:
name: workload identity pool managed identity
collection: iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities
request_id_field: workloadIdentityPoolManagedIdentityId
attributes:
- *project
- *location
- *workload_identity_pool
- *workload_identity_pool_namespace
- &workload_identity_pool_managed_identity
parameter_name: managedIdentitiesId
attribute_name: managed_identity
help: |
The ID to use for the managed identity. This value must be 2-63 characters and may
contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and
may not be specified.
disable_auto_completers: false
workload_identity_pool_managed_identity_operation:
name: workload identity pool managed identity operation
collection: iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.operations
attributes:
- *project
- *location
- *workload_identity_pool
- *workload_identity_pool_namespace
- *workload_identity_pool_managed_identity
- &workload_identity_pool_managed_identity_operation
parameter_name: operationsId
attribute_name: operation
help: |
The ID of the operation.
disable_auto_completers: false
workload_identity_pool_managed_identity_workload_source:
name: workload source
collection: iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.workloadSources
request_id_field: workloadSourceId
attributes:
- *project
- *location
- *workload_identity_pool
- *workload_identity_pool_namespace
- *workload_identity_pool_managed_identity
- &workload_identity_pool_managed_identity_workload_source
parameter_name: workloadSourcesId
attribute_name: workload_source
help: |
The ID of the workload source, which becomes the final component of the resource name.
This value corresponds to a boundary from within which workloads can be matched. This
value is formatted as follows:
* `project-[project_number]` - A Google Cloud project.
disable_auto_completers: false
workload_identity_pool_managed_identity_workload_source_operation:
name: workload source operation
collection: iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.workloadSources.operations
attributes:
- *project
- *location
- *workload_identity_pool
- *workload_identity_pool_namespace
- *workload_identity_pool_managed_identity
- *workload_identity_pool_managed_identity_workload_source
- &workload_identity_pool_managed_identity_workload_source_operation
parameter_name: operationsId
attribute_name: operation
help: |
The ID of the operation.
disable_auto_completers: false
multitypeResources:
workload_source:
name: workload source
resources:
-*workload_identity_pool_namespace_workload_source
-*workload_identity_pool_managed_identity_workload_source
positional_workforce_pool:
name: workforce pool
collection: iam.locations.workforcePools
request_id_field: workforcePoolId
attributes:
- *wf_location
- &positional_workforce_pool
parameter_name: workforcePoolsId
attribute_name: workforce_pool
help: |
The ID to use for the workforce pool, which becomes the final component of the
resource name. This value must be a globally unique string of 6 to 63 lowercase letters,
digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen.
The prefix `gcp-` is reserved for use by Google, and may not be specified.
disable_auto_completers: false
workforce_pool:
name: workforce pool
collection: iam.locations.workforcePools
request_id_field: workforcePoolId
attributes:
- *wf_location
- &workforce_pool
parameter_name: workforcePoolsId
attribute_name: workforce-pool
help: |
The ID to use for the workforce pool, which becomes the final component of the resource name.
This value must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens.
It must start with a letter, and cannot have a trailing hyphen. The prefix `gcp-` is reserved
for use by Google, and may not be specified.
disable_auto_completers: false
workforce_pool_operation:
name: workforce pool operation
collection: iam.locations.workforcePools.operations
attributes:
- *wf_location
- *positional_workforce_pool
- &workforce_pool_operation
parameter_name: operationsId
attribute_name: operation
help: |
The ID of the operation.
disable_auto_completers: false
workforce_pool_provider:
name: workforce pool provider
collection: iam.locations.workforcePools.providers
request_id_field: workforcePoolProviderId
attributes:
- *wf_location
- *positional_workforce_pool
- &workforce_pool_provider
parameter_name: providersId
attribute_name: provider
help: |
The ID to use for the workforce pool provider, which becomes the final component of the
resource name. This value must be unique within the workforce pool, 4-32 characters in length,
and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google,
and may not be specified.
disable_auto_completers: false
workforce_pool_provider_operation:
name: workforce pool provider operation
collection: iam.locations.workforcePools.providers.operations
attributes:
- *wf_location
- *positional_workforce_pool
- *workforce_pool_provider
- &workforce_pool_provider_operation
parameter_name: operationsId
attribute_name: operation
help: |
The ID of the operation.
disable_auto_completers: false
workforce_pool_provider_key:
name: workforce pool provider key
collection: iam.locations.workforcePools.providers.keys
request_id_field: workforcePoolProviderKeyId
attributes:
- *wf_location
- *positional_workforce_pool
- *workforce_pool_provider
- &workforce_pool_provider_key
parameter_name: keysId
attribute_name: key
help: |
The ID for the key, which becomes the final component of the resource name. This value
must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is
reserved for use by Google, and may not be specified.
disable_auto_completers: false
workforce_pool_provider_key_operation:
name: workforce pool provider key operation
collection: iam.locations.workforcePools.providers.keys.operations
attributes:
- *wf_location
- *positional_workforce_pool
- *workforce_pool_provider
- *workforce_pool_provider_key
- &workforce_pool_provider_key_operation
parameter_name: operationsId
attribute_name: operation
help: |
The ID of the operation.
disable_auto_completers: false
workforce_pool_subject:
name: workforce pool subject
collection: iam.locations.workforcePools.subjects
request_id_field: workforcePoolSubjectId
attributes:
- *wf_location
- *positional_workforce_pool
- &workforce_pool_subject
parameter_name: subjectsId
attribute_name: subject
help: |
The ID to use for the workforce pool subject, which becomes the final component of the
resource name.
disable_auto_completers: false
workforce_pool_subject_operation:
name: workforce pool subject operation
collection: iam.locations.workforcePools.subjects.operations
attributes:
- *wf_location
- *positional_workforce_pool
- *workforce_pool_subject
- &workforce_pool_subject_operation
parameter_name: operationsId
attribute_name: operation
help: |
The ID of the operation.
disable_auto_completers: false
workforce_pool_provider_scim_tenant:
name: workforce pool provider scim tenant
collection: iam.locations.workforcePools.providers.scimTenants
request_id_field: workforcePoolProviderScimTenantId
attributes:
- *wf_location
- *workforce_pool
- *workforce_pool_provider
- &scim_tenant_id_attr
parameter_name: scimTenantsId
attribute_name: scim-tenant
help: |
The ID for the SCIM tenant, which becomes the final component of the resource name.
This value must be 4-32 characters, alphanumeric ([a-z0-9-]), and cannot start with gcp-.
disable_auto_completers: false
workforce_pool_provider_scim_token:
name: workforce pool provider scim token
collection: iam.locations.workforcePools.providers.scimTenants.tokens
request_id_field: workforcePoolProviderScimTokenId
attributes:
- *wf_location
- *positional_workforce_pool
- *workforce_pool_provider
- *scim_tenant_id_attr
- &scim_token_id_attr
parameter_name: tokensId
attribute_name: token
help: |
The ID for the SCIM token, which becomes the final component of the resource name. This value
This value should be 4-32 characters, and may contain the characters [a-z0-9-]. It must start
with a lowercase letter, and end with a lowercase letter or number. Additionally, the prefix
`gcp-` is reserved for use by Google, and may not be specified.
disable_auto_completers: false
oauth_client:
name: oauth client
collection: iam.projects.locations.oauthClients
request_id_field: oauthClientId
attributes:
- *project
- *location
- &oauth_client
parameter_name: oauthClientsId
attribute_name: oauth_client
help: |
ID to use for the OAuth client, which becomes the final component of the resource name.
This value should be 4-32 characters, and may contain the characters [a-z0-9-].
The prefix `gcp-` is reserved for use by Google, and may not be specified.
disable_auto_completers: false
oauth_client_credential:
name: oauth client credential
collection: iam.projects.locations.oauthClients.credentials
request_id_field: oauthClientCredentialId
attributes:
- *project
- *location
- *oauth_client
- &oauth_client_credential
parameter_name: credentialsId
attribute_name: credential
help: |
ID to use for the OAuth client credential, which becomes the final component of the
resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-].
The prefix `gcp-` is reserved for use by Google, and may not be specified.
disable_auto_completers: false
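Review bot: The two entries under `multitypeResources.workload_source.resources` are written as `-*workload_identity_pool_namespace_workload_source` and `-*workload_identity_pool_managed_identity_workload_source` with no space after the `-`, which is not a block-sequence entry and would be read as a plain scalar rather than a list of aliases; if that is how the file reads and not an artifact of the page rendering, they should be `- *workload_identity_pool_namespace_workload_source` and `- *workload_identity_pool_managed_identity_workload_source`. The help text of `scim_token_id_attr` repeats "This value" across the line break ("This value This value should be 4-32 characters") and the two fragments should be joined into one sentence. `workforce_pool_provider_scim_tenant` references `*workforce_pool` (attribute name `workforce-pool`) while its child `workforce_pool_provider_scim_token` and every other workforce-pool resource reference `*positional_workforce_pool`; if that difference is not intentional, the parent and child resources will expose differently named attributes for the same path parameter.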


@@ -0,0 +1,106 @@
# -*- coding: utf-8 -*- #
# Copyright 2025 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# NOTE: This file is autogenerated and should not be edited by hand.
# AUTOGEN_CLI_VERSION: HEAD
folders_or_organizations_or_projects_locations:
name: location
plural_name: locations
resources:
- name: location
plural_name: locations
collection: iam.folders.locations
attributes:
- &folder
parameter_name: foldersId
attribute_name: folder
help: The folder id of the {resource} resource.
- &location
parameter_name: locationsId
attribute_name: location
help: The location id of the {resource} resource.
disable_auto_completers: true
- name: location
plural_name: locations
collection: iam.organizations.locations
attributes:
- &organization
parameter_name: organizationsId
attribute_name: organization
help: The organization id of the {resource} resource.
- *location
disable_auto_completers: true
- name: location
plural_name: locations
collection: iam.projects.locations
attributes:
- &project
parameter_name: projectsId
attribute_name: project
help: The project id of the {resource} resource.
property: core/project
- *location
disable_auto_completers: true
organizations_locations:
name: location
plural_name: locations
collection: iam.organizations.locations
attributes:
- *organization
- *location
disable_auto_completers: true
folders_or_organizations_or_projects_locations_policy_bindings:
name: policyBinding
plural_name: policyBindings
resources:
- name: policyBinding
plural_name: policyBindings
collection: iam.folders.locations.policyBindings
attributes:
- *folder
- *location
- &policyBinding
parameter_name: policyBindingsId
attribute_name: policy_binding
help: The policyBinding id of the {resource} resource.
disable_auto_completers: true
- name: policyBinding
plural_name: policyBindings
collection: iam.organizations.locations.policyBindings
attributes:
- *organization
- *location
- *policyBinding
disable_auto_completers: true
- name: policyBinding
plural_name: policyBindings
collection: iam.projects.locations.policyBindings
attributes:
- *project
- *location
- *policyBinding
disable_auto_completers: true
organizations_locations_principal_access_boundary_policies:
name: principalAccessBoundaryPolicy
plural_name: principalAccessBoundaryPolicies
collection: iam.organizations.locations.principalAccessBoundaryPolicies
attributes:
- *organization
- *location
- &principalAccessBoundaryPolicy
parameter_name: principalAccessBoundaryPoliciesId
attribute_name: principal_access_boundary_policy
help: The principalAccessBoundaryPolicy id of the {resource} resource.
disable_auto_completers: false


@@ -0,0 +1,198 @@
# -*- coding: utf-8 -*- #
# Copyright 2025 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# NOTE: This file is autogenerated and should not be edited by hand.
# AUTOGEN_CLI_VERSION: HEAD
folders_or_organizations_or_projects_locations:
name: location
plural_name: locations
resources:
- name: location
plural_name: locations
collection: iam.folders.locations
attributes:
- &folder
parameter_name: foldersId
attribute_name: folder
help: The folder id of the {resource} resource.
- &location
parameter_name: locationsId
attribute_name: location
help: The location id of the {resource} resource.
disable_auto_completers: true
- name: location
plural_name: locations
collection: iam.organizations.locations
attributes:
- &organization
parameter_name: organizationsId
attribute_name: organization
help: The organization id of the {resource} resource.
- *location
disable_auto_completers: true
- name: location
plural_name: locations
collection: iam.projects.locations
attributes:
- &project
parameter_name: projectsId
attribute_name: project
help: The project id of the {resource} resource.
property: core/project
- *location
disable_auto_completers: true
organizations_locations:
name: location
plural_name: locations
collection: iam.organizations.locations
attributes:
- *organization
- *location
disable_auto_completers: true
projects_locations:
name: location
plural_name: locations
collection: iam.projects.locations
attributes:
- *project
- *location
disable_auto_completers: true
folders_or_organizations_or_projects_locations_access_policies:
name: accessPolicy
plural_name: accessPolicies
resources:
- name: accessPolicy
plural_name: accessPolicies
collection: iam.folders.locations.accessPolicies
attributes:
- *folder
- *location
- &accessPolicy
parameter_name: accessPoliciesId
attribute_name: access_policy
help: The accessPolicy id of the {resource} resource.
disable_auto_completers: true
- name: accessPolicy
plural_name: accessPolicies
collection: iam.organizations.locations.accessPolicies
attributes:
- *organization
- *location
- *accessPolicy
disable_auto_completers: true
- name: accessPolicy
plural_name: accessPolicies
collection: iam.projects.locations.accessPolicies
attributes:
- *project
- *location
- *accessPolicy
disable_auto_completers: true
folders_or_organizations_or_projects_locations_policy_bindings:
name: policyBinding
plural_name: policyBindings
resources:
- name: policyBinding
plural_name: policyBindings
collection: iam.folders.locations.policyBindings
attributes:
- *folder
- *location
- &policyBinding
parameter_name: policyBindingsId
attribute_name: policy_binding
help: The policyBinding id of the {resource} resource.
disable_auto_completers: true
- name: policyBinding
plural_name: policyBindings
collection: iam.organizations.locations.policyBindings
attributes:
- *organization
- *location
- *policyBinding
disable_auto_completers: true
- name: policyBinding
plural_name: policyBindings
collection: iam.projects.locations.policyBindings
attributes:
- *project
- *location
- *policyBinding
disable_auto_completers: true
organizations_locations_principal_access_boundary_policies:
name: principalAccessBoundaryPolicy
plural_name: principalAccessBoundaryPolicies
collection: iam.organizations.locations.principalAccessBoundaryPolicies
attributes:
- *organization
- *location
- &principalAccessBoundaryPolicy
parameter_name: principalAccessBoundaryPoliciesId
attribute_name: principal_access_boundary_policy
help: The principalAccessBoundaryPolicy id of the {resource} resource.
disable_auto_completers: false
projects_locations_policy_porters:
name: policyPorter
plural_name: policyPorters
collection: iam.projects.locations.policyPorters
attributes:
- *project
- *location
- &policyPorter
parameter_name: policyPortersId
attribute_name: policy_porter
help: The policyPorter id of the {resource} resource.
disable_auto_completers: true
projects_locations_policy_porters_translations:
name: translation
plural_name: translations
collection: iam.projects.locations.policyPorters.translations
attributes:
- *project
- *location
- *policyPorter
- &translation
parameter_name: translationsId
attribute_name: translation
help: The translation id of the {resource} resource.
disable_auto_completers: true
projects_locations_policy_porters_translations_source_policies:
name: sourcePolicy
plural_name: sourcePolicies
collection: iam.projects.locations.policyPorters.translations.sourcePolicies
attributes:
- *project
- *location
- *policyPorter
- *translation
- &sourcePolicy
parameter_name: sourcePoliciesId
attribute_name: source_policy
help: The sourcePolicy id of the {resource} resource.
disable_auto_completers: false
projects_locations_policy_porters_translations_translated_policies:
name: translatedPolicy
plural_name: translatedPolicies
collection: iam.projects.locations.policyPorters.translations.translatedPolicies
attributes:
- *project
- *location
- *policyPorter
- *translation
- &translatedPolicy
parameter_name: translatedPoliciesId
attribute_name: translated_policy
help: The translatedPolicy id of the {resource} resource.
disable_auto_completers: false


@@ -0,0 +1,137 @@
# -*- coding: utf-8 -*- #
# Copyright 2025 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# NOTE: This file is autogenerated and should not be edited by hand.
# AUTOGEN_CLI_VERSION: HEAD
folders_or_organizations_or_projects_locations:
name: location
plural_name: locations
resources:
- name: location
plural_name: locations
collection: iam.folders.locations
attributes:
- &folder
parameter_name: foldersId
attribute_name: folder
help: The folder id of the {resource} resource.
- &location
parameter_name: locationsId
attribute_name: location
help: The location id of the {resource} resource.
disable_auto_completers: true
- name: location
plural_name: locations
collection: iam.organizations.locations
attributes:
- &organization
parameter_name: organizationsId
attribute_name: organization
help: The organization id of the {resource} resource.
- *location
disable_auto_completers: true
- name: location
plural_name: locations
collection: iam.projects.locations
attributes:
- &project
parameter_name: projectsId
attribute_name: project
help: The project id of the {resource} resource.
property: core/project
- *location
disable_auto_completers: true
organizations_locations:
name: location
plural_name: locations
collection: iam.organizations.locations
attributes:
- *organization
- *location
disable_auto_completers: true
folders_or_organizations_or_projects_locations_access_policies:
name: accessPolicy
plural_name: accessPolicies
resources:
- name: accessPolicy
plural_name: accessPolicies
collection: iam.folders.locations.accessPolicies
attributes:
- *folder
- *location
- &accessPolicy
parameter_name: accessPoliciesId
attribute_name: access_policy
help: The accessPolicy id of the {resource} resource.
disable_auto_completers: true
- name: accessPolicy
plural_name: accessPolicies
collection: iam.organizations.locations.accessPolicies
attributes:
- *organization
- *location
- *accessPolicy
disable_auto_completers: true
- name: accessPolicy
plural_name: accessPolicies
collection: iam.projects.locations.accessPolicies
attributes:
- *project
- *location
- *accessPolicy
disable_auto_completers: true
folders_or_organizations_or_projects_locations_policy_bindings:
name: policyBinding
plural_name: policyBindings
resources:
- name: policyBinding
plural_name: policyBindings
collection: iam.folders.locations.policyBindings
attributes:
- *folder
- *location
- &policyBinding
parameter_name: policyBindingsId
attribute_name: policy_binding
help: The policyBinding id of the {resource} resource.
disable_auto_completers: true
- name: policyBinding
plural_name: policyBindings
collection: iam.organizations.locations.policyBindings
attributes:
- *organization
- *location
- *policyBinding
disable_auto_completers: true
- name: policyBinding
plural_name: policyBindings
collection: iam.projects.locations.policyBindings
attributes:
- *project
- *location
- *policyBinding
disable_auto_completers: true
organizations_locations_principal_access_boundary_policies:
name: principalAccessBoundaryPolicy
plural_name: principalAccessBoundaryPolicies
collection: iam.organizations.locations.principalAccessBoundaryPolicies
attributes:
- *organization
- *location
- &principalAccessBoundaryPolicy
parameter_name: principalAccessBoundaryPoliciesId
attribute_name: principal_access_boundary_policy
help: The principalAccessBoundaryPolicy id of the {resource} resource.
disable_auto_completers: false


@@ -0,0 +1,290 @@
# -*- coding: utf-8 -*- #
# Copyright 2021 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Common flags for workforce pools commands."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import arg_parsers
from googlecloudsdk.calliope import base
def AddParentFlags(parser, verb):
parser.add_argument(
'--organization',
help='The parent organization of the workforce pool{0} to {1}.'.format(
's' if verb == 'list' else '', verb
),
required=True,
)
def AddLocationFlag(parser, verb):
parser.add_argument(
'--location',
help='The location of the workforce pool{0} to {1}.'.format(
's' if verb == 'list' else '', verb
),
required=True,
)
def ParseLocation(args):
if not args.IsSpecified('location'):
return 'locations/global'
return 'locations/{}'.format(args.location)
def AddClearableExtraAndExtendedAttributesOAuth2Client():
"""Creates an ArgumentGroup for ExtraAttributesOAuth2Client and ExtendedAttributesOAuth2Client Attributes for the update-oidc command."""
clear_extra_attributes_config_arg = base.Argument(
'--clear-extra-attributes-config',
dest='clear_extra_attributes_config',
action='store_true',
required=False,
help='Clear the extra attributes configuration.',
)
clear_extended_attributes_config_arg = base.Argument(
'--clear-extended-attributes-config',
dest='clear_extended_attributes_config',
action='store_true',
required=False,
help='Clear the extended attributes configuration.',
)
clearable_extra_attributes_group = base.ArgumentGroup(mutex=True)
clearable_extra_attributes_group.AddArgument(
clear_extra_attributes_config_arg
)
clearable_extra_attributes_group.AddArgument(
ExtraAttributesOAuth2ClientAttributesGroup(required=False)
)
clearable_extended_attributes_group = base.ArgumentGroup(
mutex=True,
)
clearable_extended_attributes_group.AddArgument(
clear_extended_attributes_config_arg
)
clearable_extended_attributes_group.AddArgument(
ExtendedAttributesOAuth2ClientAttributesGroup(required=False)
)
return [clearable_extra_attributes_group, clearable_extended_attributes_group]
def AddExtraAndExtendedAttributesOAuth2Client():
"""Creates an ArgumentGroup for ExtraAttributesOAuth2Client and ExtendedAttributesOAuth2Client Attributes for the create-oidc command."""
return [
ExtraAttributesOAuth2ClientAttributesGroup(),
ExtendedAttributesOAuth2ClientAttributesGroup(),
]
def ExtraAttributesOAuth2ClientAttributesGroup(required=True):
"""Creates an ArgumentGroup for ExtraAttributesOAuth2Client Attributes."""
extra_attributes_client_id_arg = base.Argument(
'--extra-attributes-client-id',
dest='extra_attributes_client_id',
type=str,
required=required,
metavar='EXTRA_ATTRIBUTES_CLIENT_ID',
help=(
'The OAuth 2.0 client ID for retrieving extra attributes from the'
' identity provider. Required to get the access token using client'
' credentials grant flow.'
),
)
extra_attributes_client_secret_value_arg = base.Argument(
'--extra-attributes-client-secret-value',
dest='extra_attributes_client_secret_value',
type=str,
required=required,
metavar='EXTRA_ATTRIBUTES_CLIENT_SECRET_VALUE',
help=(
'The OAuth 2.0 client secret for retrieving extra attributes from'
' the identity provider. Required to get the access token using'
' client credentials grant flow.'
),
)
extra_attributes_issuer_uri_arg = base.Argument(
'--extra-attributes-issuer-uri',
dest='extra_attributes_issuer_uri',
type=str,
required=required,
metavar='EXTRA_ATTRIBUTES_ISSUER_URI',
help=(
"OIDC identity provider's issuer URI. Must be a valid URI using"
' the `https` scheme. Required to get the OIDC discovery'
' document.'
),
)
# Adding this flag as a ArgList to hide `AZURE_AD_GROUPS_DISPLAY_NAME` from
# the end user. Currently there is no other way to hide new enum choices.
# These flags will move back to enum types once feature is ready for launch
extra_attributes_type_arg = base.Argument(
'--extra-attributes-type',
dest='extra_attributes_type',
type=arg_parsers.ArgList(
choices=[
'azure-ad-groups-mail',
'azure-ad-groups-id',
'azure-ad-groups-display-name',
],
hidden_choices=['azure-ad-groups-display-name'],
max_length=1,
min_length=1,
),
required=required,
metavar='EXTRA_ATTRIBUTES_TYPE',
help=(
'Represents the identity provider and type of claims that should'
' be fetched.'
),
)
extra_attributes_filter_arg = base.Argument(
'--extra-attributes-filter',
dest='extra_attributes_filter',
type=str,
required=False,
metavar='EXTRA_ATTRIBUTES_FILTER',
help=(
'The filter used to request specific records from the IdP. By'
' default, all of the groups that are associated with a user are'
' fetched. For Microsoft Entra ID, you can add `$search` query'
' parameters using [Keyword Query Language]'
' (https://learn.microsoft.com/en-us/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference).'
' To learn more about `$search` querying in Microsoft Entra ID, see'
' [Use the `$search` query parameter]'
' (https://learn.microsoft.com/en-us/graph/search-query-parameter).'
' \n\nAdditionally, Workforce Identity Federation automatically adds'
' the following [`$filter` query parameters]'
' (https://learn.microsoft.com/en-us/graph/filter-query-parameter),'
' based on the value of `attributes_type`. Values passed to `filter`'
' are converted to `$search` query parameters. Additional `$filter`'
' query parameters cannot be added using this field. \n\n*'
' `AZURE_AD_GROUPS_MAIL`: `mailEnabled` and `securityEnabled` filters'
' are applied. \n* `AZURE_AD_GROUPS_ID`: `securityEnabled` filter is'
' applied.'
),
)
create_extra_attributes_group = base.ArgumentGroup()
create_extra_attributes_group.AddArgument(extra_attributes_client_id_arg)
create_extra_attributes_group.AddArgument(
extra_attributes_client_secret_value_arg
)
create_extra_attributes_group.AddArgument(extra_attributes_issuer_uri_arg)
create_extra_attributes_group.AddArgument(extra_attributes_type_arg)
create_extra_attributes_group.AddArgument(extra_attributes_filter_arg)
return create_extra_attributes_group
def ExtendedAttributesOAuth2ClientAttributesGroup(required=True):
"""Creates an ArgumentGroup for ExtendedAttributesOAuth2Client Attributes."""
extended_attributes_client_id_arg = base.Argument(
'--extended-attributes-client-id',
dest='extended_attributes_client_id',
type=str,
required=required,
metavar='EXTENDED_ATTRIBUTES_CLIENT_ID',
help=(
'The OAuth 2.0 client ID for retrieving extended attributes from the'
' identity provider. Required to get extended group memberships for'
' a subset of Google Cloud products.'
),
)
extended_attributes_client_secret_value_arg = base.Argument(
'--extended-attributes-client-secret-value',
dest='extended_attributes_client_secret_value',
type=str,
required=required,
metavar='EXTENDED_ATTRIBUTES_CLIENT_SECRET_VALUE',
help=(
'The OAuth 2.0 client secret for retrieving extended attributes from'
' the identity provider. Required to get extended group memberships'
' for a subset of Google Cloud products.'
),
)
extended_attributes_issuer_uri_arg = base.Argument(
'--extended-attributes-issuer-uri',
dest='extended_attributes_issuer_uri',
type=str,
required=required,
metavar='EXTENDED_ATTRIBUTES_ISSUER_URI',
help=(
"OIDC identity provider's issuer URI. Must be a valid URI using"
' the `https` scheme. Required to get the OIDC discovery'
' document.'
),
)
# Adding this flag as a ArgList to hide `AZURE_AD_GROUPS_DISPLAY_NAME` from
# the end user. Currently there is no other way to hide new enum choices.
# These flags will move back to enum types once feature is ready for launch
extended_attributes_type_arg = base.Argument(
'--extended-attributes-type',
dest='extended_attributes_type',
type=arg_parsers.ArgList(
choices=[
'azure-ad-groups-id',
],
max_length=1,
min_length=1,
),
required=required,
metavar='EXTENDED_ATTRIBUTES_TYPE',
help=(
'Represents the identity provider and type of claims that should'
' be fetched.'
),
)
extended_attributes_filter_arg = base.Argument(
'--extended-attributes-filter',
dest='extended_attributes_filter',
type=str,
required=False,
metavar='EXTENDED_ATTRIBUTES_FILTER',
help=(
'The filter used to request specific records from the IdP. By'
' default, all of the groups that are associated with a user are'
' fetched. For Microsoft Entra ID, you can add `$search` query'
' parameters using [Keyword Query Language]'
' (https://learn.microsoft.com/en-us/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference).'
' To learn more about `$search` querying in Microsoft Entra ID, see'
' [Use the `$search` query parameter]'
' (https://learn.microsoft.com/en-us/graph/search-query-parameter).'
' \n\nAdditionally, Workforce Identity Federation automatically adds'
' the following [`$filter` query parameters]'
' (https://learn.microsoft.com/en-us/graph/filter-query-parameter),'
' based on the value of `attributes_type`. Values passed to `filter`'
' are converted to `$search` query parameters. Additional `$filter`'
' query parameters cannot be added using this field. \n\n*'
' `AZURE_AD_GROUPS_ID`: `securityEnabled` filter is applied.'
),
)
create_extended_attributes_group = base.ArgumentGroup()
create_extended_attributes_group.AddArgument(
extended_attributes_client_id_arg
)
create_extended_attributes_group.AddArgument(
extended_attributes_client_secret_value_arg
)
create_extended_attributes_group.AddArgument(
extended_attributes_issuer_uri_arg
)
create_extended_attributes_group.AddArgument(extended_attributes_type_arg)
create_extended_attributes_group.AddArgument(extended_attributes_filter_arg)
return create_extended_attributes_group
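Review bot: The OAuth client secrets taken by `--extra-attributes-client-secret-value` and `--extended-attributes-client-secret-value` are plain `type=str` command-line values, so the secret ends up in shell history, `ps` output and any wrapper that logs the invoked command line; nothing in either help string warns about this. At minimum I would append to both help texts `' Passing the secret on the command line exposes it to shell history and process listings; prefer a file- or environment-based source where the command supports one.'`, and a file-backed alternative flag would be the real fix, though that is an interface change the create-oidc/update-oidc commands would have to consume. Separately, `--extra-attributes-issuer-uri` and `--extended-attributes-issuer-uri` document that the value "must be a valid URI using the `https` scheme", yet the flags are bare `type=str` with no validation, so an `http://` issuer is only rejected server-side (if at all); a regex-validating arg type, if `arg_parsers` offers one, would catch it before the request leaves the client. Minor: `ParseLocation` falls back to `'locations/global'` when `location` is not specified, but `AddLocationFlag` registers it with `required=True`, so that branch is only reachable for callers that register the flag some other way.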


@@ -0,0 +1,111 @@
# -*- coding: utf-8 -*- #
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Common flags for workload identity pools commands."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
import re
from typing import Collection
from googlecloudsdk.api_lib.iam import util
from googlecloudsdk.calliope import arg_parsers
from googlecloudsdk.calliope import exceptions as gcloud_exceptions
def ParseSingleAttributeSelectorArg(arg_name, arg_value: Collection[str]):
"""Parses a single attribute selector argument."""
_, messages = util.GetClientAndMessages()
single_attribute_selector_matcher = re.compile('([^=]+)(?:=)(.+)', re.DOTALL)
single_attribute_selectors = []
for arg in arg_value:
match = single_attribute_selector_matcher.match(arg)
if not match:
raise gcloud_exceptions.InvalidArgumentException(
arg_name, 'Invalid flag value [{0}]'.format(arg)
)
single_attribute_selectors.append(
messages.SingleAttributeSelector(
attribute=match.group(1), value=match.group(2)
)
)
return single_attribute_selectors
# TODO(b/301983349): Delete this once other CLs have been submitted.
def AddGcpWorkloadSourceFlags(parser):
parser.add_argument(
'--resources',
type=arg_parsers.ArgList(),
help='A list of allowed resources for the workload source.',
metavar='RESOURCE',
)
parser.add_argument(
'--attached-service-accounts',
type=arg_parsers.ArgList(),
help=(
'A list of allowed attached_service_accounts for the workload source.'
),
metavar='SERVICE_ACCOUNT',
)
# TODO(b/301983349): Delete this once other CLs have been submitted.
def AddUpdateWorkloadSourceFlags(parser):
"""Adds the flags for update workload source command."""
parser.add_argument(
'--add-resources',
type=arg_parsers.ArgList(),
help='A list of allowed resources to add to the workload source.',
metavar='RESOURCE',
)
parser.add_argument(
'--add-attached-service-accounts',
type=arg_parsers.ArgList(),
help=(
'A list of allowed attached_service_accounts to add to the workload'
' source.'
),
metavar='SERVICE_ACCOUNT',
)
parser.add_argument(
'--remove-resources',
type=arg_parsers.ArgList(),
help='A list of allowed resources to remove from the workload source.',
metavar='RESOURCE',
)
parser.add_argument(
'--remove-attached-service-accounts',
type=arg_parsers.ArgList(),
help=(
'A list of allowed attached_service_accounts to remove from the'
' workload source.'
),
metavar='SERVICE_ACCOUNT',
)
parser.add_argument(
'--clear-resources',
help='Remove all the allowed resources for the workload source.',
action='store_true',
)
parser.add_argument(
'--clear-attached-service-accounts',
help=(
'Remove all the allowed attached_service_accounts for the workload'
' source.'
),
action='store_true',
)
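Review bot: `ParseSingleAttributeSelectorArg` rejects a malformed selector with `'Invalid flag value [{0}]'`, which does not tell the user what form was expected; I would change it to `'Invalid flag value [{0}]; expected ATTRIBUTE=VALUE'.format(arg)`. The pattern `'([^=]+)(?:=)(.+)'` splits at the first `=` and, under `re.DOTALL`, accepts newlines on both sides, so the docstring should state the contract, e.g. `"""Parses ATTRIBUTE=VALUE selectors; the split is at the first '=', so the value may itself contain '=' but the attribute name may not."""`. In `AddUpdateWorkloadSourceFlags` the `--clear-resources`/`--add-resources` pair (and the service-account pair) are registered independently, whereas the workforce-pools flags elsewhere in this commit put clear-vs-set in a `base.ArgumentGroup(mutex=True)`; if combining them is meant to read as clear-then-add, a sentence saying so in the `--clear-*` help would remove the ambiguity. Both `Add*WorkloadSourceFlags` functions carry a `TODO(b/301983349)` to delete them, so that last point may be moot.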