feat: Add new gcloud commands, API clients, and third-party libraries across various services.

This commit is contained in:
2026-01-01 20:26:35 +01:00
parent 5e23cbece0
commit a19e592eb7
25221 changed files with 8324611 additions and 0 deletions


@@ -0,0 +1,31 @@
# -*- coding: utf-8 -*- #
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""The workload-identity-pools command group for the IAM CLI."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
@base.UniverseCompatible
@base.ReleaseTracks(base.ReleaseTrack.ALPHA, base.ReleaseTrack.BETA,
base.ReleaseTrack.GA)
class WorkloadPools(base.Group):
"""Manage IAM workload identity pools.
Commands for managing IAM workload identity pools.
"""


@@ -0,0 +1,120 @@
# -*- coding: utf-8 -*- #
# Copyright 2025 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Command to add an attestation rule on a workload identity pool."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.api_lib.iam import util
from googlecloudsdk.api_lib.util import waiter
from googlecloudsdk.calliope import base
from googlecloudsdk.calliope.concepts import concepts
from googlecloudsdk.command_lib.iam import identity_pool_waiter
from googlecloudsdk.command_lib.util.apis import yaml_data
from googlecloudsdk.command_lib.util.concepts import concept_parsers
from googlecloudsdk.core import log
from googlecloudsdk.core import resources as sdkresources
@base.DefaultUniverseOnly
@base.ReleaseTracks(base.ReleaseTrack.GA)
@base.Hidden
class AddAttestationRule(base.Command):
"""Add an attestation rule on a workload identity pool."""
detailed_help = {
'DESCRIPTION': '{description}',
'EXAMPLES': """\
The following command adds an attestation rule with a Google Cloud
resource on a workload identity pool `my-pool`.
$ {command} my-pool \
--location="global" \
--google-cloud-resource="//run.googleapis.com/projects/123/type/Service/*"
""",
}
@staticmethod
def Args(parser):
workload_pool_data = yaml_data.ResourceYAMLData.FromPath(
'iam.workload_identity_pool'
)
concept_parsers.ConceptParser.ForResource(
'workload_identity_pool',
concepts.ResourceSpec.FromYaml(
workload_pool_data.GetData(), is_positional=True
),
'The workload identity pool to add the attestation rule on.',
required=True,
).AddToParser(parser)
parser.add_argument(
'--google-cloud-resource',
help="""A single workload running on Google Cloud. This will be set
in the attestation rule to be added.""",
required=True,
)
base.ASYNC_FLAG.AddToParser(parser)
def Run(self, args):
client, messages = util.GetClientAndMessages()
workload_pool_ref = args.CONCEPTS.workload_identity_pool.Parse()
add_attestation_rule_request = messages.AddAttestationRuleRequest(
attestationRule=messages.AttestationRule(
googleCloudResource=args.google_cloud_resource,
)
)
lro_ref = client.projects_locations_workloadIdentityPools.AddAttestationRule(
messages.IamProjectsLocationsWorkloadIdentityPoolsAddAttestationRuleRequest(
resource=workload_pool_ref.RelativeName(),
addAttestationRuleRequest=add_attestation_rule_request,
)
)
log.status.Print(
'Add attestation rule request issued for: [{}]'.format(
workload_pool_ref.workloadIdentityPoolsId
)
)
if args.async_:
return lro_ref
result = waiter.WaitFor(
poller=identity_pool_waiter.IdentityPoolOperationPollerNoResources(
client.projects_locations_workloadIdentityPools,
client.projects_locations_workloadIdentityPools_operations,
),
operation_ref=sdkresources.REGISTRY.ParseRelativeName(
lro_ref.name,
collection=(
'iam.projects.locations.workloadIdentityPools.operations'
),
),
message='Waiting for operation [{}] to complete'.format(lro_ref.name),
# Wait for a maximum of 5 minutes, as the IAM replication has a lag of
# up to 80 seconds.
max_wait_ms=300000,
)
log.status.Print(
'Added attestation rule for [{}].'.format(
workload_pool_ref.workloadIdentityPoolsId
)
)
return result
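Review bot: The help text for `--google-cloud-resource` in `Args` says "A single workload running on Google Cloud", yet the example passes `//run.googleapis.com/projects/123/type/Service/*`, a trailing-wildcard pattern that would match every Cloud Run service in project 123 rather than one workload. Because an attestation rule decides which workloads may obtain this pool's identity, and `Run` forwards the value into `AttestationRule.googleCloudResource` without any local check, the help is the only place an operator learns how broad a rule can be. Suggest rewording the help to `A Google Cloud resource name, or a pattern such as the one in the example, identifying the workload(s) the attestation rule should match; a pattern grants the pool identity to every matching workload.` That patterns beyond the example form are accepted is inferred from the example, not from this code, so confirm against the API before promising more.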


@@ -0,0 +1,54 @@
# -*- coding: utf-8 -*- #
# Copyright 2024 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
release_tracks: [GA]
help_text:
brief: Add IAM policy binding for a workload identity pool.
description: |
Adds a policy binding to the IAM policy of a workload identity pool, given a
workload identity pool ID and the binding. A binding consists of at least one member, a role, and
an optional condition.
examples: |
To add an IAM policy binding for the role of `roles/iam.workloadIdentityPoolViewer` for the user
`test-user@gmail.com` on a workload identity pool with identifier `my-workload-identity-pool`, run:
$ {command} my-workload-identity-pool --location="global" --member='user:test-user@gmail.com' --role='roles/iam.workloadIdentityPoolViewer'
To add an IAM policy binding for the role of `roles/iam.workloadIdentityPoolViewer` for
all authenticated users on a workload identity pool with identifier `my-workload-identity-pool`, run:
$ {command} my-workload-identity-pool --location="global" --member='allAuthenticatedUsers' --role='roles/iam.workloadIdentityPoolViewer'
To add an IAM policy binding that expires at the end of the year 2024 for the role of `roles/iam.workloadIdentityPoolViewer`
and the user `test-user@gmail.com` on a workload identity pool with identifier `my-workload-identity-pool`, run:
$ {command} my-workload-identity-pool --location="global" --member='user:test-user@gmail.com' --role='roles/iam.workloadIdentityPoolViewer' --condition='expression=request.time < timestamp("2019-01-01T00:00:00Z"),title=expires_end_of_2024,description=Expires at midnight on 2024-12-31'
See https://cloud.google.com/iam/docs/managing-policies for details on
policy role and member types.
request:
collection: iam.projects.locations.workloadIdentityPools
arguments:
resource:
help_text: The workload identity pool to add the IAM policy binding for.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool
iam:
enable_condition: true
policy_version: 3
get_iam_policy_version_path: getIamPolicyRequest.options.requestedPolicyVersion
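Review bot: The third example's prose says the binding "expires at the end of the year 2024" and titles it `expires_end_of_2024`, but the condition is `request.time < timestamp("2019-01-01T00:00:00Z")`, so anyone copying it creates a binding that is already expired and will be confused when the grant never works. Change the expression to `expression=request.time < timestamp("2025-01-01T00:00:00Z")` so text, title and expression agree. The second example grants `roles/iam.workloadIdentityPoolViewer` to `allAuthenticatedUsers`, i.e. to any Google account; a short sentence in that example noting this is a deliberately broad grant would stop it being pasted as a default.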


@@ -0,0 +1,96 @@
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
help_text:
brief: Create a new workload identity pool.
description: Create a new workload identity pool.
examples: |
The following command creates a disabled workload identity pool in the default project with the
ID ``my-workload-identity-pool''. Explicit values for all required and optional parameters are
provided.
$ {command} my-workload-identity-pool \
--location="global" \
--display-name="My workload pool" \
--description="My workload pool description" \
--disabled
request:
collection: iam.projects.locations.workloadIdentityPools
arguments:
resource:
help_text: |-
The workload identity pool to create.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool
is_positional: true
params:
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool.display_name
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool.description
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool.disabled
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool.session_duration
hidden: true
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool.mode
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool.enable_mesh_ca_compatibility
hidden: true
- group:
mutex: true
params:
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool.inline_certificate_issuance_config_file
- group:
hidden: true
params:
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool.use_default_shared_ca
hidden: true
- group:
mutex: true
params:
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool.inline_trust_config_file
# ALPHA and BETA release track should not be updated going forward. All preview features should be
# added to the GA release track and marked as hidden.
- release_tracks: [ALPHA, BETA]
help_text:
brief: Create a new workload identity pool.
description: Create a new workload identity pool.
examples: |
The following command creates a disabled workload identity pool in the default project with the
ID ``my-workload-identity-pool''. Explicit values for all required and optional parameters are
provided.
$ {command} my-workload-identity-pool \
--location="global" \
--display-name="My workload pool" \
--description="My workload pool description" \
--disabled
request:
collection: iam.projects.locations.workloadIdentityPools
api_version: v1beta
arguments:
resource:
help_text: |-
The workload identity pool to create.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool
is_positional: true
params:
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool.display_name
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool.description
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool.disabled


@@ -0,0 +1,186 @@
# -*- coding: utf-8 -*- #
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Command to create a configuration file to allow authentication from 3rd party sources."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
import textwrap
from googlecloudsdk.calliope import base
from googlecloudsdk.calliope import exceptions
from googlecloudsdk.command_lib.iam import flags
from googlecloudsdk.command_lib.iam.byoid_utilities import cred_config
@base.UniverseCompatible
class CreateCredConfig(base.CreateCommand):
"""Create a configuration file for generated credentials.
This command creates a configuration file to allow access to authenticated
Google Cloud actions from a variety of external accounts.
"""
detailed_help = {
'EXAMPLES': textwrap.dedent("""\
To create a file-sourced credential configuration for your project, run:
$ {command} projects/$PROJECT_NUMBER/locations/$REGION/workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID --service-account=$EMAIL --credential-source-file=$PATH_TO_OIDC_ID_TOKEN --output-file=credentials.json
To create a URL-sourced credential configuration for your project, run:
$ {command} projects/$PROJECT_NUMBER/locations/$REGION/workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID --service-account=$EMAIL --credential-source-url=$URL_FOR_OIDC_TOKEN --credential-source-headers=Key=Value --output-file=credentials.json
To create an executable-source credential configuration for your project, run the following command:
$ {command} locations/$REGION/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID --executable-command=$EXECUTABLE_COMMAND --executable-timeout-millis=30000 --executable-output-file=$CACHE_FILE --output-file=credentials.json
To create an AWS-based credential configuration for your project, run:
$ {command} projects/$PROJECT_NUMBER/locations/$REGION/workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID --service-account=$EMAIL --aws --enable-imdsv2 --output-file=credentials.json
To create an Azure-based credential configuration for your project, run:
$ {command} projects/$PROJECT_NUMBER/locations/$REGION/workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID --service-account=$EMAIL --azure --app-id-uri=$URI_FOR_AZURE_APP_ID --output-file=credentials.json
To create an X.509 certificate-based credential configuration for your project, run:
$ {command} projects/$PROJECT_NUMBER/locations/$REGION/workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID --service-account=$EMAIL --credential-cert-path=$PATH_TO_CERTIFICATE_FILE --credential-cert-private-key-path=$PATH_TO_PRIVATE_KEY_FILE --output-file=credentials.json
To use the resulting file for any of these commands, set the GOOGLE_APPLICATION_CREDENTIALS environment variable to point to the generated file
"""),
}
@classmethod
def Args(cls, parser):
# Add args common between workload and workforce.
flags.AddCommonByoidCreateConfigFlags(
parser, cred_config.ConfigType.WORKLOAD_IDENTITY_POOLS)
parser.add_argument(
'audience',
help='The workload identity pool provider fully qualified identifier.',
)
credential_types = parser.add_group(
mutex=True, required=True, help='Credential types.'
)
credential_types.add_argument(
'--credential-source-file',
help='Location of the credential source file.',
)
credential_types.add_argument(
'--credential-source-url', help='URL to obtain the credential from.'
)
credential_types.add_argument(
'--executable-command',
help=(
'The full command to run to retrieve the credential. Must be an'
' absolute path for the program including arguments.'
),
)
credential_types.add_argument('--aws', help='Use AWS.', action='store_true')
credential_types.add_argument(
'--azure', help='Use Azure.', action='store_true'
)
credential_types.add_argument(
'--credential-cert-path', help='Path of the X.509 certificate file.'
)
# Optional args.
parser.add_argument(
'--subject-token-type',
help='The type of token being used for authorization. '
+ 'This defaults to urn:ietf:params:oauth:token-type:jwt.',
)
parser.add_argument(
'--app-id-uri',
help='The custom Application ID URI for the Azure access token.',
)
parser.add_argument(
'--enable-imdsv2',
help=(
'Adds the AWS IMDSv2 session token Url to the credential source to'
' enforce the AWS IMDSv2 flow.'
),
action='store_true',
)
certificate_args = parser.add_group(
help='Arguments for an X.509 certificate type credential source.'
)
certificate_args.add_argument(
'--credential-cert-private-key-path',
help='Path of the X.509 private key file.',
required=True,
)
certificate_args.add_argument(
'--credential-cert-configuration-output-file',
help=(
'Path for the certificate configuration file. If specified, a'
' certificate configuration file will be created at the specified'
' path. If not specified, the certificate configuration will be'
' created at the default gcloud location.'
),
)
certificate_args.add_argument(
'--credential-cert-trust-chain-path',
help=(
'Path for the trust chain file. A trust chain file is required'
' if there are intermediate certificates in the certificate chain'
' in between the root certificate stored in the workload identity'
' pool provider trust store. This trust chain file should be a list'
' of PEM certificates, with the leaf certificate at the top.'
),
)
parser.add_argument(
'--sts-location',
help=(
'The location to use for the Security Token Service token '
'endpoint. For example, specifying `us-central1` will configure '
'the client to use the regional endpoint '
'`sts.us-central1.rep.googleapis.com`. If not specified, the '
'global endpoint `sts.googleapis.com` is used.'
),
)
def _ValidateArgs(self, args):
if args.enable_imdsv2 and not args.aws:
raise exceptions.ConflictingArgumentsException(
'--enable-imdsv2 can be used only for AWS credential types'
)
if args.credential_cert_private_key_path and not args.credential_cert_path:
raise exceptions.ConflictingArgumentsException(
'--credential-cert-private-key-path can be used only for X.509'
' certificate credential types'
)
if (args.sts_location and args.sts_location != 'global') and (
args.credential_cert_path
or args.credential_cert_private_key_path
or args.credential_cert_trust_chain_path
):
# X.509 federation is not GA-ed on REP/locational endpoints.
raise exceptions.ConflictingArgumentsException(
'Workload Identity Federation with X.509 certificates is not'
' supported on locational Security Token Service endpoints.'
)
def Run(self, args):
self._ValidateArgs(args)
cred_config.create_credential_config(
args, cred_config.ConfigType.WORKLOAD_IDENTITY_POOLS
)


@@ -0,0 +1,36 @@
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [ALPHA, BETA, GA]
help_text:
brief: Delete a workload identity pool.
description: Delete a workload identity pool.
examples: |
The following command deletes the workload identity pool with the ID
``my-workload-identity-pool'':
$ {command} my-workload-identity-pool --location="global"
request:
collection: iam.projects.locations.workloadIdentityPools
ALPHA:
api_version: v1beta
BETA:
api_version: v1beta
arguments:
resource:
help_text: The workload identity pool to delete.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool
is_positional: true


@@ -0,0 +1,36 @@
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [ALPHA, BETA, GA]
help_text:
brief: Describe a workload identity pool.
description: Describe a workload identity pool.
examples: |
The following command describes the workload identity pool with the ID
``my-workload-identity-pool'':
$ {command} my-workload-identity-pool --location="global"
request:
collection: iam.projects.locations.workloadIdentityPools
ALPHA:
api_version: v1beta
BETA:
api_version: v1beta
arguments:
resource:
help_text: The workload identity pool to describe.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool
is_positional: true


@@ -0,0 +1,38 @@
# -*- coding: utf-8 -*- #
# Copyright 2024 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
release_tracks: [GA]
help_text:
brief: Get the IAM policy for a workload identity pool.
description: Get the IAM policy for a workload identity pool.
examples: |
The following command gets the IAM policy for the workload identity pool with ID `my-workload-identity-pool`:
$ {command} my-workload-identity-pool --location="global"
The following command gets the IAM policy for the workload identity pool with ID `my-workload-identity-pool`
and outputs as a JSON which can be edited and used as the policy file input for `set-iam-policy` command:
$ {command} my-workload-identity-pool --location="global" --format=json
request:
collection: iam.projects.locations.workloadIdentityPools
arguments:
resource:
help_text: The workload identity pool for which you want to get IAM policy for.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool
is_positional: true
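Review bot: This get-iam-policy YAML does not request policy version 3, whereas the sibling add-iam-policy-binding YAML in this commit sets `policy_version: 3` with `get_iam_policy_version_path: getIamPolicyRequest.options.requestedPolicyVersion` and enables conditions. The second example promises the `--format=json` output can be edited and fed back to `set-iam-policy`; if the pool has conditional bindings, a version-1 fetch may not return them faithfully and the round-trip could drop conditions — that consequence is inferred from IAM's policy-version rules rather than from these lines, so verify against the API. If it holds, add the same `iam:` block the sibling uses (`policy_version: 3` and the `get_iam_policy_version_path` line) or document the caveat next to the example.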


@@ -0,0 +1,41 @@
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [ALPHA, BETA, GA]
help_text:
brief: List workload identity pools.
description: List workload identity pools.
examples: |
The following command lists all workload identity pools in the default project, including
soft-deleted pools:
$ {command} --location="global" --show-deleted
request:
collection: iam.projects.locations.workloadIdentityPools
ALPHA:
api_version: v1beta
BETA:
api_version: v1beta
arguments:
resource:
help_text: The location you want to list workload identity pools for.
spec: !REF googlecloudsdk.command_lib.iam.resources:location
params:
- api_field: showDeleted
arg_name: show-deleted
required: false
help_text: Whether to return soft-deleted pools.


@@ -0,0 +1,85 @@
# -*- coding: utf-8 -*- #
# Copyright 2025 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Command to add an attestation rule on a workload identity pool."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from apitools.base.py import list_pager
from googlecloudsdk.api_lib.iam import util
from googlecloudsdk.calliope import base
from googlecloudsdk.calliope.concepts import concepts
from googlecloudsdk.command_lib.util.apis import yaml_data
from googlecloudsdk.command_lib.util.concepts import concept_parsers
@base.DefaultUniverseOnly
@base.ReleaseTracks(base.ReleaseTrack.GA)
@base.Hidden
class ListAttestationRules(base.ListCommand):
"""List the attestation rules on a workload identity pool."""
detailed_help = {
'DESCRIPTION': '{description}',
'EXAMPLES': """\
The following command lists the attestation rules on a workload
identity pool `my-pool` with a container id filter.
$ {command} my-pool \
--location="global" \
--container-id-filter="projects/123,projects/456"
""",
}
@staticmethod
def Args(parser):
workload_pool_data = yaml_data.ResourceYAMLData.FromPath(
'iam.workload_identity_pool'
)
concept_parsers.ConceptParser.ForResource(
'workload_identity_pool',
concepts.ResourceSpec.FromYaml(
workload_pool_data.GetData(), is_positional=True
),
'The workload identity pool to list attestation rules for.',
required=True,
).AddToParser(parser)
parser.add_argument(
'--container-id-filter',
help="""Apply a filter on the container ids of the attestation rules
being listed. Expects a comma-delimited string of project
numbers in the format `projects/<project-number>,...`.""",
)
base.URI_FLAG.RemoveFromParser(parser)
def Run(self, args):
client, messages = util.GetClientAndMessages()
workload_pool_ref = args.CONCEPTS.workload_identity_pool.Parse()
return list_pager.YieldFromList(
client.projects_locations_workloadIdentityPools,
messages.IamProjectsLocationsWorkloadIdentityPoolsListAttestationRulesRequest(
filter=f'container_ids({args.container_id_filter})'
if args.container_id_filter
else '',
resource=workload_pool_ref.RelativeName(),
),
method='ListAttestationRules',
batch_size=args.page_size,
limit=args.limit,
field='attestationRules',
batch_size_attribute='pageSize',
)


@@ -0,0 +1,30 @@
# -*- coding: utf-8 -*- #
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""The workload-identity-pools managed-identities command group for the IAM CLI."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
@base.UniverseCompatible
@base.ReleaseTracks(base.ReleaseTrack.GA)
class WorkloadPoolManagedIdentities(base.Group):
"""Manage IAM workload identity pool managed identities.
Commands for managing IAM workload identity pool managed identities.
"""


@@ -0,0 +1,121 @@
# -*- coding: utf-8 -*- #
# Copyright 2024 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Command to add an attestation rule on a workload identity pool managed identity."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.api_lib.iam import util
from googlecloudsdk.api_lib.util import waiter
from googlecloudsdk.calliope import base
from googlecloudsdk.calliope.concepts import concepts
from googlecloudsdk.command_lib.iam import identity_pool_waiter
from googlecloudsdk.command_lib.util.apis import yaml_data
from googlecloudsdk.command_lib.util.concepts import concept_parsers
from googlecloudsdk.core import log
from googlecloudsdk.core import resources as sdkresources
@base.DefaultUniverseOnly
class AddAttestationRule(base.Command):
"""Add an attestation rule on a workload identity pool managed identity."""
detailed_help = {
'DESCRIPTION': '{description}',
'EXAMPLES': """\
The following command adds an attestation rule with a Google Cloud
resource on a workload identity pool managed identity
`my-managed-identity`.
$ {command} my-managed-identity --namespace="my-namespace" \
--workload-identity-pool="my-workload-identity-pool" \
--location="global" \
--google-cloud-resource="//compute.googleapis.com/projects/123/type/Instance/attached_service_account.uid/12345"
""",
}
@staticmethod
def Args(parser):
managed_identity_data = yaml_data.ResourceYAMLData.FromPath(
'iam.workload_identity_pool_managed_identity'
)
concept_parsers.ConceptParser.ForResource(
'managed_identity',
concepts.ResourceSpec.FromYaml(
managed_identity_data.GetData(), is_positional=True
),
'The workload identity pool managed identity to add attestation'
' rule on.',
required=True,
).AddToParser(parser)
parser.add_argument(
'--google-cloud-resource',
help="""A single workload operating on Google Cloud. This will be set
in the attestation rule to be added.""",
required=True,
)
base.ASYNC_FLAG.AddToParser(parser)
def Run(self, args):
client, messages = util.GetClientAndMessages()
managed_identity_ref = args.CONCEPTS.managed_identity.Parse()
add_attestation_rule_request = messages.AddAttestationRuleRequest(
attestationRule=messages.AttestationRule(
googleCloudResource=args.google_cloud_resource,
)
)
lro_ref = client.projects_locations_workloadIdentityPools_namespaces_managedIdentities.AddAttestationRule(
messages.IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesAddAttestationRuleRequest(
resource=managed_identity_ref.RelativeName(),
addAttestationRuleRequest=add_attestation_rule_request,
)
)
log.status.Print(
'Add attestation rule request issued for: [{}]'.format(
managed_identity_ref.managedIdentitiesId
)
)
if args.async_:
return lro_ref
result = waiter.WaitFor(
poller=identity_pool_waiter.IdentityPoolOperationPollerNoResources(
client.projects_locations_workloadIdentityPools_namespaces_managedIdentities,
client.projects_locations_workloadIdentityPools_namespaces_managedIdentities_operations,
),
operation_ref=sdkresources.REGISTRY.ParseRelativeName(
lro_ref.name,
collection=(
'iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.operations'
),
),
message='Waiting for operation [{}] to complete'.format(lro_ref.name),
# Wait for a maximum of 5 minutes, as the IAM replication has a lag of
# up to 80 seconds.
max_wait_ms=300000,
)
log.status.Print(
'Added attestation rule for [{}].'.format(
managed_identity_ref.managedIdentitiesId
)
)
return result
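Review bot: `Run` here duplicates the pool-level `AddAttestationRule.Run` added in the same commit almost line for line, differing only in the service/collection names and the printed id, so the `max_wait_ms=300000` timeout and its "replication lag of up to 80 seconds" rationale now live in two places that will drift. A small shared helper (service, operations service, request message, operation collection name) in `identity_pool_waiter` or `util` would keep the wait policy in one spot; this is a style point, not a defect. The `--google-cloud-resource` help also says "A single workload operating on Google Cloud" while the pool-level copy says "running"; pick one wording.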


@@ -0,0 +1,45 @@
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
help_text:
brief: Create a workload identity pool managed identity.
description: Create a workload identity pool managed identity.
examples: |
The following command creates a workload identity pool managed identity with the
ID `my-managed-identity`:
$ {command} my-managed-identity \
--location="global" \
--workload-identity-pool="my-workload-identity-pool" \
--namespace="my-namespace" \
--description="My managed identity description" \
--disabled
request:
collection: iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities
async:
collection: iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.operations
arguments:
resource:
help_text: |-
Workload identity pool managed identity to create.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_managed_identity
is_positional: true
params:
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_managed_identity.description
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_managed_identity.disabled


@@ -0,0 +1,39 @@
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
help_text:
brief: Delete a workload identity pool managed identity.
description: Delete a workload identity pool managed identity.
examples: |
The following command deletes a workload identity pool managed identity in the default project
with the ID `my-managed-identity`.
$ {command} my-managed-identity \
--location="global" \
--workload-identity-pool="my-workload-identity-pool" \
--namespace="my-namespace"
request:
collection: iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities
async:
collection: iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.operations
arguments:
resource:
help_text: |-
Workload identity pool managed identity to delete.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_managed_identity
is_positional: true


@@ -0,0 +1,36 @@
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
help_text:
brief: Describe a workload identity pool managed identity.
description: Describe a workload identity pool managed identity.
examples: |
The following command describes a workload identity pool managed identity in the default
project with the ID `my-managed-identity`.
$ {command} my-managed-identity \
--location="global" \
--workload-identity-pool="my-workload-identity-pool" \
--namespace="my-namespace"
request:
collection: iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities
arguments:
resource:
help_text: |-
Workload identity pool managed identity to describe.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_managed_identity
is_positional: true


@@ -0,0 +1,42 @@
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
help_text:
brief: List workload identity pool managed identities.
description: List workload identity pool managed identities.
examples: |
The following command lists all managed identities in the workload identity pool namespace,
including soft-deleted managed identities:
$ {command} \
--namespace="my-namespace" \
--workload-identity-pool="my-workload-identity-pool" \
--location="global" \
--show-deleted
request:
collection: iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities
arguments:
resource:
help_text: Parent workload identity pool namespace to list managed identities for.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_namespace
is_positional: false
params:
- api_field: showDeleted
arg_name: show-deleted
required: false
help_text: Whether to return soft-deleted resources.


@@ -0,0 +1,85 @@
# -*- coding: utf-8 -*- #
# Copyright 2024 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Command to add an attestation rule on a workload identity pool managed identity."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from apitools.base.py import list_pager
from googlecloudsdk.api_lib.iam import util
from googlecloudsdk.calliope import base
from googlecloudsdk.calliope.concepts import concepts
from googlecloudsdk.command_lib.util.apis import yaml_data
from googlecloudsdk.command_lib.util.concepts import concept_parsers
@base.UniverseCompatible
class ListAttestationRules(base.ListCommand):
"""List the attestation rules on a workload identity pool managed identity."""
detailed_help = {
'DESCRIPTION': '{description}',
'EXAMPLES': """\
The following command lists the attestation rules on a workload
identity pool managed identity `my-managed-identity` with a
container id filter.
$ {command} my-managed-identity --namespace="my-namespace" \
--workload-identity-pool="my-workload-identity-pool" \
--location="global" \
--container-id-filter="projects/123,projects/456"
""",
}
@staticmethod
def Args(parser):
managed_identity_data = yaml_data.ResourceYAMLData.FromPath(
'iam.workload_identity_pool_managed_identity'
)
concept_parsers.ConceptParser.ForResource(
'managed_identity',
concepts.ResourceSpec.FromYaml(
managed_identity_data.GetData(), is_positional=True
),
'The managed identity to list attestation rules.',
required=True,
).AddToParser(parser)
parser.add_argument(
'--container-id-filter',
help="""Apply a filter on the container ids of the attestation rules
being listed. Expects a comma-delimited string of project
numbers in the format `projects/<project-number>,...`.""",
)
base.URI_FLAG.RemoveFromParser(parser)
def Run(self, args):
client, messages = util.GetClientAndMessages()
managed_identity_ref = args.CONCEPTS.managed_identity.Parse()
return list_pager.YieldFromList(
client.projects_locations_workloadIdentityPools_namespaces_managedIdentities,
messages.IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesListAttestationRulesRequest(
filter=f'container_ids({ args.container_id_filter})'
if args.container_id_filter
else '',
resource=managed_identity_ref.RelativeName(),
),
method='ListAttestationRules',
batch_size=args.page_size,
limit=args.limit,
field='attestationRules',
batch_size_attribute='pageSize',
)
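Review bot: The EXAMPLES value is a plain (non-raw) triple-quoted string, so the trailing `\` on `$ {command} my-managed-identity --namespace="my-namespace" \` and on the two lines after it is a Python line continuation and the rendered example collapses onto a single line; escape them as `\\`, as the EXAMPLES text in create_gcp.py in this commit already does. The same defect is in the EXAMPLES of remove_attestation_rule.py and set_attestation_rules.py. In Run, `filter=f'container_ids({ args.container_id_filter})'` has a stray space inside the braces and splices the flag value into the filter expression without any check that it matches the `projects/<project-number>,...` form the help text promises; if the API is relied on to reject malformed filters, a one-line comment saying so would make that explicit, otherwise parse the flag with `arg_parsers.ArgList()` as create_gcp.py does.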


@@ -0,0 +1,31 @@
# -*- coding: utf-8 -*- #
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""The workload-identity-pools managed-identities operations group for the IAM CLI."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
@base.UniverseCompatible
@base.ReleaseTracks(base.ReleaseTrack.GA)
class WorkloadPoolManagedIdentityOperations(base.Group):
"""Manage IAM workload identity pool managed identity long running operations.
Commands for managing IAM workload identity pool managed identity long running
operations.
"""


@@ -0,0 +1,36 @@
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
help_text:
brief: Describe a workload identity pool managed identity operation.
description: Describe a workload identity pool managed identity operation.
examples: |
The following command describes the long-running workload identity pool managed identity
operation with the ID `my-operation`:
$ {command} my-operation \
--workload-identity-pool="my-workload-identity-pool" \
--namespace="my-namespace" \
--managed-identity="my-managed-identity" \
--location="global"
request:
collection: iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.operations
arguments:
resource:
help_text: Workload identity pool managed identity long-running operation to describe.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_managed_identity_operation
is_positional: true


@@ -0,0 +1,123 @@
# -*- coding: utf-8 -*- #
# Copyright 2024 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Command to remove an attestation rule on a workload identity pool managed identity."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.api_lib.iam import util
from googlecloudsdk.api_lib.util import waiter
from googlecloudsdk.calliope import base
from googlecloudsdk.calliope.concepts import concepts
from googlecloudsdk.command_lib.iam import identity_pool_waiter
from googlecloudsdk.command_lib.util.apis import yaml_data
from googlecloudsdk.command_lib.util.concepts import concept_parsers
from googlecloudsdk.core import log
from googlecloudsdk.core import resources as sdkresources
@base.UniverseCompatible
class RemoveAttestationRule(base.Command):
"""Remove an attestation rule on a workload identity pool managed identity."""
detailed_help = {
'DESCRIPTION': '{description}',
'EXAMPLES': """\
The following command removes an attestation rule with a Google Cloud
resource on a workload identity pool managed identity
`my-managed-identity`.
$ {command} my-managed-identity --namespace="my-namespace" \
--workload-identity-pool="my-workload-identity-pool" \
--location="global" \
--google-cloud-resource="//compute.googleapis.com/projects/123/type/Instance/attached_service_account.uid/12345"
""",
}
@staticmethod
def Args(parser):
managed_identity_data = yaml_data.ResourceYAMLData.FromPath(
'iam.workload_identity_pool_managed_identity'
)
concept_parsers.ConceptParser.ForResource(
'managed_identity',
concepts.ResourceSpec.FromYaml(
managed_identity_data.GetData(), is_positional=True
),
'The workload identity pool managed identity to remove attestation'
' rule on.',
required=True,
).AddToParser(parser)
parser.add_argument(
'--google-cloud-resource',
help="""A single workload operating on Google Cloud. This will be set
in the attestation rule to be added.""",
required=True,
)
base.ASYNC_FLAG.AddToParser(parser)
def Run(self, args):
client, messages = util.GetClientAndMessages()
managed_identity_ref = (
args.CONCEPTS.managed_identity.Parse()
)
remove_attestation_rule_request = messages.RemoveAttestationRuleRequest(
attestationRule=messages.AttestationRule(
googleCloudResource=args.google_cloud_resource,
)
)
lro_ref = client.projects_locations_workloadIdentityPools_namespaces_managedIdentities.RemoveAttestationRule(
messages.IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesRemoveAttestationRuleRequest(
resource=managed_identity_ref.RelativeName(),
removeAttestationRuleRequest=remove_attestation_rule_request,
)
)
log.status.Print(
'Remove attestation rule request issued for: [{}]'.format(
managed_identity_ref.managedIdentitiesId
)
)
if args.async_:
return lro_ref
result = waiter.WaitFor(
poller=identity_pool_waiter.IdentityPoolOperationPollerNoResources(
client.projects_locations_workloadIdentityPools_namespaces_managedIdentities,
client.projects_locations_workloadIdentityPools_namespaces_managedIdentities_operations,
),
operation_ref=sdkresources.REGISTRY.ParseRelativeName(
lro_ref.name,
collection=(
'iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.operations'
),
),
message='Waiting for operation [{}] to complete'.format(lro_ref.name),
# Wait for a maximum of 5 minutes, as the IAM replication has a lag of
# up to 80 seconds.
max_wait_ms=300000,
)
log.status.Print(
'Removed attestation rule for [{}].'.format(
managed_identity_ref.managedIdentitiesId
)
)
return result
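Review bot: The help for `--google-cloud-resource` in Args reads "This will be set in the attestation rule to be added." although this command removes a rule; it looks copied from the add command and should say `in the attestation rule to be removed.`. Minor style: `managed_identity_ref = (args.CONCEPTS.managed_identity.Parse())` is split over three lines here while the sibling commands in this commit keep the same assignment on one line.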


@@ -0,0 +1,133 @@
# -*- coding: utf-8 -*- #
# Copyright 2024 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Command to set attestation rules on a workload identity pool managed identity."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from apitools.base.py import encoding
from googlecloudsdk.api_lib.iam import util
from googlecloudsdk.api_lib.util import waiter
from googlecloudsdk.calliope import base
from googlecloudsdk.calliope import exceptions as gcloud_exceptions
from googlecloudsdk.calliope.concepts import concepts
from googlecloudsdk.command_lib.iam import identity_pool_waiter
from googlecloudsdk.command_lib.util.apis import yaml_data
from googlecloudsdk.command_lib.util.concepts import concept_parsers
from googlecloudsdk.core import log
from googlecloudsdk.core import resources as sdkresources
from googlecloudsdk.core import yaml
import six
@base.UniverseCompatible
class SetAttestationRules(base.Command):
"""Set attestation rules on a workload identity pool managed identity."""
detailed_help = {
'DESCRIPTION': '{description}',
'EXAMPLES': """\
The following command sets attestation rules on a workload identity
pool managed identity `my-managed-identity` using a policy file.
$ {command} my-managed-identity --namespace="my-namespace" \
--workload-identity-pool="my-workload-identity-pool" \
--location="global" \
--policy-file="policy.json"
""",
}
@staticmethod
def Args(parser):
managed_identity_data = yaml_data.ResourceYAMLData.FromPath(
'iam.workload_identity_pool_managed_identity'
)
concept_parsers.ConceptParser.ForResource(
'managed_identity',
concepts.ResourceSpec.FromYaml(
managed_identity_data.GetData(), is_positional=True
),
'The workload identity pool managed identity to set attestation'
' rules on.',
required=True,
).AddToParser(parser)
parser.add_argument(
'--policy-file',
help="""\
Path to a local JSON-formatted or YAML-formatted file containing an
attestation policy, structured as a [list of attestation rules](https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools.namespaces.managedIdentities/setAttestationRules#request-body).
""",
required=True,
)
base.ASYNC_FLAG.AddToParser(parser)
def Run(self, args):
client, messages = util.GetClientAndMessages()
managed_identity_ref = args.CONCEPTS.managed_identity.Parse()
policy_to_parse = yaml.load_path(args.policy_file)
try:
set_attestation_rules_request = encoding.PyValueToMessage(
messages.SetAttestationRulesRequest, policy_to_parse
)
except AttributeError as e:
# Raised when the input file is not properly formatted YAML policy file.
raise gcloud_exceptions.BadFileException(
'Policy file [{0}] is not a properly formatted YAML or JSON '
'policy file. {1}'.format(args.policy_file, six.text_type(e))
)
lro_ref = client.projects_locations_workloadIdentityPools_namespaces_managedIdentities.SetAttestationRules(
messages.IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesSetAttestationRulesRequest(
resource=managed_identity_ref.RelativeName(),
setAttestationRulesRequest=set_attestation_rules_request,
)
)
log.status.Print(
'Set attestation rules request issued for: [{}]'.format(
managed_identity_ref.managedIdentitiesId
)
)
if args.async_:
return lro_ref
result = waiter.WaitFor(
poller=identity_pool_waiter.IdentityPoolOperationPollerNoResources(
client.projects_locations_workloadIdentityPools_namespaces_managedIdentities,
client.projects_locations_workloadIdentityPools_namespaces_managedIdentities_operations,
),
operation_ref=sdkresources.REGISTRY.ParseRelativeName(
lro_ref.name,
collection=(
'iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.operations'
),
),
message='Waiting for operation [{}] to complete'.format(lro_ref.name),
# Wait for a maximum of 5 minutes, as the IAM replication has a lag of
# up to 80 seconds.
max_wait_ms=300000,
)
log.status.Print(
'Set attestation rules for [{}].'.format(
managed_identity_ref.managedIdentitiesId
)
)
return result
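Review bot: The `try` in Run only catches AttributeError from `encoding.PyValueToMessage`, so a policy file whose top level is a list or a scalar rather than a mapping is not guaranteed to produce the friendly BadFileException; which exceptions PyValueToMessage raises for those shapes is not visible here, so either confirm and widen the `except`, or check `isinstance(policy_to_parse, dict)` before the conversion and raise BadFileException yourself. The `--policy-file` help describes the file as "structured as a list of attestation rules", but the loaded value is converted directly into a `SetAttestationRulesRequest`, so its top level presumably has to be a mapping carrying that request's fields rather than a bare list; the help text should say so, or show a minimal example file.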


@@ -0,0 +1,40 @@
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
help_text:
brief: Undelete a workload identity pool managed identity.
description: Undelete a workload identity pool managed identity.
examples: |
The following command undeletes a workload identity pool managed identity in the default
project with the ID `my-managed-identity`.
$ {command} my-managed-identity \
--location="global" \
--workload-identity-pool="my-workload-identity-pool"
--namespace="my-namespace"
request:
collection: iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities
method: undelete
async:
collection: iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.operations
arguments:
resource:
help_text: |-
Workload identity pool managed identity to undelete.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_managed_identity
is_positional: true
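Review bot: In the example, the line `--workload-identity-pool="my-workload-identity-pool"` lacks the trailing ` \` that its neighbours carry, so the following `--namespace="my-namespace"` renders as a separate line instead of part of the command. The create, delete and describe YAML examples in this commit have the continuation on every line.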


@@ -0,0 +1,45 @@
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
help_text:
brief: Update workload identity pool managed identity.
description: Update workload identity pool managed identity.
examples: |
The following command updates the workload identity pool managed identity with the
ID `my-managed-identity`:
$ {command} my-managed-identity \
--location="global" \
--workload-identity-pool="my-workload-identity-pool" \
--namespace="my-namespace" \
--description="My managed identity description" \
--disabled
request:
collection: iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities
async:
collection: iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.operations
arguments:
resource:
help_text: |-
Workload identity pool managed identity to update.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_managed_identity
is_positional: true
params:
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_managed_identity.description
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_managed_identity.disabled


@@ -0,0 +1,32 @@
# -*- coding: utf-8 -*- #
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""The workload-identity-pools managed-identities workload-sources command group for the IAM CLI."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
@base.Hidden
@base.ReleaseTracks(base.ReleaseTrack.GA)
class WorkloadSources(base.Group):
"""Manage IAM workload identity pool managed identity workload sources.
Workload sources define which workloads can attest an identity within a
pool. When a Workload source is defined for a managed identity, matching
workloads may receive that specific identity.
"""


@@ -0,0 +1,124 @@
# -*- coding: utf-8 -*- #
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Command to create a workload source under a workload identity pool managed identity."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.api_lib.iam import util
from googlecloudsdk.api_lib.iam.workload_identity_pools import workload_sources
from googlecloudsdk.calliope import arg_parsers
from googlecloudsdk.calliope import base
from googlecloudsdk.calliope import exceptions as gcloud_exceptions
from googlecloudsdk.calliope.concepts import concepts
from googlecloudsdk.command_lib.iam.workload_identity_pools import flags
from googlecloudsdk.command_lib.util.apis import yaml_data
from googlecloudsdk.command_lib.util.concepts import concept_parsers
from googlecloudsdk.core import log
class CreateGcp(base.CreateCommand):
"""Create a workload source for a workload identity pool managed identity."""
detailed_help = {
'DESCRIPTION': '{description}',
'EXAMPLES': """\
The following command creates a workload source for a workload
identity pool managed identity that authorizes any Compute Engine
instance in the Google Cloud project `123` based on their attached
service account.
$ {command} project-123 --location="global" \\
--workload-identity-pool="my-workload-identity-pool" \\
--namespace="my-namespace" \\
--managed-identity="my-managed-identity" \\
--single-attribute-selectors="compute.googleapis.com/Instance.attached_service_account.email='foo@bar.iam.gserviceaccount.com'"
""",
}
@staticmethod
def Args(parser):
workload_source_data = yaml_data.ResourceYAMLData.FromPath(
'iam.workload_identity_pool_managed_identity_workload_source'
)
concept_parsers.ConceptParser.ForResource(
'workload_source',
concepts.ResourceSpec.FromYaml(
workload_source_data.GetData(), is_positional=True
),
'The workload source to create.',
required=True,
).AddToParser(parser)
# Flags for creating workload source
parser.add_argument(
'--single-attribute-selectors',
type=arg_parsers.ArgList(),
help=(
'The attributes that a workload can attest for it to be allowed to '
'receive a managed identity.'
),
metavar='SINGLE_ATTRIBUTE_SELECTORS',
)
base.ASYNC_FLAG.AddToParser(parser)
def Run(self, args):
self.CheckArgs(args)
client, messages = util.GetClientAndMessages()
workload_source_ref = args.CONCEPTS.workload_source.Parse()
lro_ref = client.projects_locations_workloadIdentityPools_namespaces_managedIdentities_workloadSources.Create(
messages.IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesWorkloadSourcesCreateRequest(
parent=workload_source_ref.Parent().RelativeName(),
workloadSource=messages.WorkloadSource(
singleAttributeSelectors=flags.ParseSingleAttributeSelectorArg(
arg_name='--single-attribute-selectors',
arg_value=args.single_attribute_selectors,
),
),
workloadSourceId=workload_source_ref.workloadSourcesId,
)
)
log.status.Print(
'Create request issued for: [{}]'.format(
workload_source_ref.workloadSourcesId
)
)
if args.async_:
return lro_ref
result = workload_sources.WaitForWorkloadSourceOperation(
client=client,
lro_ref=lro_ref,
for_managed_identity=True,
)
log.status.Print(
'Created workload source [{}].'.format(
workload_source_ref.workloadSourcesId
)
)
return result
def CheckArgs(self, args):
if not args.single_attribute_selectors:
raise gcloud_exceptions.OneOfArgumentsRequiredException(
['--single-attribute-selectors'],
'Must provide at least one selector that will match workload(s) '
'from the source.',
)
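Review bot: CheckArgs rejects a missing `--single-attribute-selectors` only after parsing, raising OneOfArgumentsRequiredException for what is really a single mandatory flag; declaring it with `required=True` in Args surfaces the requirement in the generated usage and help, and CheckArgs can then keep only the empty-value case (an explicitly empty `--single-attribute-selectors=` presumably parses to an empty list), which `required=True` alone would not reject. CheckArgs also has no docstring; `"""Reject a missing or empty --single-attribute-selectors list."""` would do. Unlike the other command classes in this commit, CreateGcp carries no `@base.UniverseCompatible` decorator; confirm that is intentional.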


@@ -0,0 +1,41 @@
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
hidden: true
help_text:
brief: Delete a workload identity pool managed identity workload source.
description: Delete a workload identity pool managed identity workload source.
examples: |
The following command deletes a workload identity pool managed identity worklaod source in the
default project with the ID ``project-123''.
$ {command} project-123 \
--location="global" \
--workload-identity-pool="my-workload-identity-pool" \
--namespace="my-namespace" \
--managed identity="my-managed-identity"
request:
collection: iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.workloadSources
async:
collection: iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.workloadSources.operations
arguments:
resource:
help_text: |-
The workload identity pool managed identity workload source to delete.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_managed_identity_workload_source
is_positional: true
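Review bot: The example's last line `--managed identity="my-managed-identity"` is not a valid flag spelling; it should be `--managed-identity="my-managed-identity"`, as in the describe example. The same example misspells "workload" as "worklaod", and quotes the ID as ``project-123'' where the other YAML examples in this commit use backticks.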


@@ -0,0 +1,38 @@
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
hidden: true
help_text:
brief: Describe a workload identity pool managed identity workload source.
description: Describe a workload identity pool managed identity workload source.
examples: |
The following command describes a workload identity pool managed identity workload source in
the default project with the ID ``project-123''.
$ {command} project-123 \
--location="global" \
--workload-identity-pool="my-workload-identity-pool" \
--namespace="my-namespace" \
--managed-identity="my-managed-identity"
request:
collection: iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.workloadSources
arguments:
resource:
help_text: |-
The workload identity pool managed identity workload source to describe.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_managed_identity_workload_source
is_positional: true


@@ -0,0 +1,37 @@
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
hidden: true
help_text:
brief: List workload identity pool managed identity workload sources.
description: List workload identity pool managed identity workload sources.
examples: |
The following command lists all workload sources in the workload identity pool managed
identity:
$ {command} \
--workload-identity-pool="my-workload-identity-pool" \
--namespace="my-namespace" \
--managed-identity="my-managed identity" \
--location="global"
request:
collection: iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.workloadSources
arguments:
resource:
help_text: The parent workload identity pool managed identity to list workload sources for.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_managed_identity
is_positional: false
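Review bot: The example passes `--managed-identity="my-managed identity"` with a space inside the ID, where every other example in this command group uses the hyphenated `my-managed-identity`; as written the example does not name the managed identity it is meant to illustrate. Change it to `--managed-identity="my-managed-identity" \`.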


@@ -0,0 +1,31 @@
# -*- coding: utf-8 -*- #
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""The workload-identity-pools managed-identities workload-sources operations group for the IAM CLI."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
@base.Hidden
@base.ReleaseTracks(base.ReleaseTrack.GA)
class WorkloadSourceOperations(base.Group):
"""Manage IAM workload identity pool managed identity workload source long running operations.
Commands for managing IAM workload identity pool managed identity workload
source long running operations.
"""


@@ -0,0 +1,38 @@
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
hidden: true
help_text:
brief: Describe a workload identity pool managed identity workload source operation.
description: Describe a workload identity pool managed identity workload source operation.
examples: |
The following command describes the long-running workload identity pool managed identity
workload source operation with the ID `my-operation`:
$ {command} my-operation \
--workload-identity-pool="my-workload-identity-pool" \
--namespace="my-namespace" \
--managed-identity="my-managed-identity" \
--workload-source="project-123" \
--location="global"
request:
collection: iam.projects.locations.workloadIdentityPools.namespaces.managedIdentities.workloadSources.operations
arguments:
resource:
help_text: Workload identity pool managed identity workload source long-running operation to describe.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_managed_identity_workload_source_operation
is_positional: true


@@ -0,0 +1,226 @@
# -*- coding: utf-8 -*- #
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Command to update a workload source under a workload identity pool managed identity."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
import operator
from googlecloudsdk.api_lib.iam import util
from googlecloudsdk.api_lib.iam.workload_identity_pools import workload_sources
from googlecloudsdk.calliope import arg_parsers
from googlecloudsdk.calliope import base
from googlecloudsdk.calliope import exceptions as gcloud_exceptions
from googlecloudsdk.calliope.concepts import concepts
from googlecloudsdk.command_lib.iam.workload_identity_pools import flags
from googlecloudsdk.command_lib.util.apis import yaml_data
from googlecloudsdk.command_lib.util.concepts import concept_parsers
from googlecloudsdk.core import log
class Update(base.UpdateCommand):
"""Update a workload source for a workload identity pool managed identity."""
detailed_help = {
'DESCRIPTION': '{description}',
'EXAMPLES': """\
The following command matches Compute Instances within the
Google Cloud project 123 based on their attached service account.
$ {command} project-123 --location="global" \
--workload-identity-pool="my-workload-identity-pool" \
--namespace="my-namespace" \
--managed-identity="my-managed-identity" \
--add-single-attribute-selectors="compute.googleapis.com/Instance.attached_service_account.email='foo@bar.iam.gserviceaccount.com'"
The following command stops matching Compute Instances within the
Google Cloud project 123 based on their attached service account.
$ {command} project-123 --location="global" \
--workload-identity-pool="my-workload-identity-pool" \
--namespace="my-namespace" \
--managed-identity="my-managed-identity" \
--remove-single-attribute-selectors="compute.googleapis.com/Instance.attached_service_account.email='foo@bar.iam.gserviceaccount.com'"
""",
}
@staticmethod
def Args(parser):
workload_source_data = yaml_data.ResourceYAMLData.FromPath(
'iam.workload_identity_pool_managed_identity_workload_source'
)
concept_parsers.ConceptParser.ForResource(
'workload_source',
concepts.ResourceSpec.FromYaml(
workload_source_data.GetData(), is_positional=True
),
'The workload source to update.',
required=True,
).AddToParser(parser)
# Flags for updating workload source
parser.add_argument(
'--single-attribute-selectors',
type=arg_parsers.ArgList(),
help=(
'Add an attribute that a workload can attest for it to be allowed '
'to receive a managed identity.'
),
metavar='SINGLE_ATTRIBUTE_SELECTORS',
)
parser.add_argument(
'--add-single-attribute-selectors',
type=arg_parsers.ArgList(),
help=(
'Add an attribute that a workload can attest for it to be allowed '
'to receive a managed identity.'
),
metavar='SINGLE_ATTRIBUTE_SELECTOR',
)
parser.add_argument(
'--remove-single-attribute-selectors',
type=arg_parsers.ArgList(),
help=(
'Removes an attribute that a workload can attest for it to be '
'allowed to receive a managed identity.'
),
metavar='SINGLE_ATTRIBUTE_SELECTOR',
)
base.ASYNC_FLAG.AddToParser(parser)
def Run(self, args):
self.CheckArgs(args)
client, messages = util.GetClientAndMessages()
workload_source_ref = args.CONCEPTS.workload_source.Parse()
# Maybe replace the full set of selectors.
if args.single_attribute_selectors:
workload_source = messages.WorkloadSource(
name=workload_source_ref.RelativeName(),
singleAttributeSelectors=flags.ParseSingleAttributeSelectorArg(
'--single-attribute-selectors',
args.single_attribute_selectors,
),
)
else:
# If we're doing incremental adds/removes then we need to call the server
# first to fetch the current set of selectors.
workload_source = client.projects_locations_workloadIdentityPools_namespaces_workloadSources.Get(
messages.IamProjectsLocationsWorkloadIdentityPoolsNamespacesWorkloadSourcesGetRequest(
name=workload_source_ref.RelativeName()
)
)
updated_selector_list = self.ReconcileSingleAttributeSelectorList(
args, workload_source.singleAttributeSelectors
)
workload_source.singleAttributeSelectors.clear()
workload_source.singleAttributeSelectors.extend(updated_selector_list)
lro_ref = client.projects_locations_workloadIdentityPools_namespaces_managedIdentities_workloadSources.Patch(
messages.IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesWorkloadSourcesPatchRequest(
name=workload_source.name,
workloadSource=workload_source,
updateMask='single_attribute_selectors',
)
)
log.status.Print(
'Update request issued for: [{}]'.format(
workload_source_ref.workloadSourcesId
)
)
if args.async_:
return lro_ref
# Wait for the LRO to complete.
result = workload_sources.WaitForWorkloadSourceOperation(
client=client,
lro_ref=lro_ref,
for_managed_identity=True,
)
log.status.Print(
'Updated workload source [{}].'.format(
workload_source_ref.workloadSourcesId
)
)
return result
def CheckArgs(self, args):
if (
not args.add_single_attribute_selectors
and not args.remove_single_attribute_selectors
and not args.single_attribute_selectors
):
raise gcloud_exceptions.OneOfArgumentsRequiredException(
[
'--single-attribute-selectors',
'--add-single-attribute-selectors',
'--remove-attribute-selectors',
],
'Must add or remove at least one selector that will match workload(s)'
' from the source.',
)
def ReconcileSingleAttributeSelectorList(self, args, original_selector_list):
updated_selectors = set()
# Add all existing selectors
updated_selectors.update(
map(self.ToHashableSelector, original_selector_list)
)
# Add single attribute selectors
if args.add_single_attribute_selectors:
updated_selectors.update(
map(
self.ToHashableSelector,
flags.ParseSingleAttributeSelectorArg(
'--add-single-attribute-selectors',
args.add_single_attribute_selectors,
),
)
)
# Remove single attribute selectors
if args.remove_single_attribute_selectors:
for selector in map(
self.ToHashableSelector,
flags.ParseSingleAttributeSelectorArg(
'--remove-single-attribute-selectors',
args.remove_single_attribute_selectors,
),
):
updated_selectors.discard(selector)
# Covert to proto and return
return sorted(
list(map(self.ToProtoSelector, updated_selectors)),
# Sort results to guarantee stable results across platforms and versions
key=operator.attrgetter('attribute', 'value'),
)
def ToHashableSelector(self, proto_selector):
"""Converts the given SingleAttributeSelector proto into a hashable type."""
return tuple([proto_selector.attribute, proto_selector.value])
def ToProtoSelector(self, hashable_selector):
"""Converts the given hashable SingleAttributeSelector into a proto."""
_, messages = util.GetClientAndMessages()
return messages.SingleAttributeSelector(
attribute=hashable_selector[0],
value=hashable_selector[1],
)


@@ -0,0 +1,30 @@
# -*- coding: utf-8 -*- #
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""The workload-identity-pools namespaces command group for the IAM CLI."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
@base.UniverseCompatible
@base.ReleaseTracks(base.ReleaseTrack.GA)
class WorkloadPoolNamespaces(base.Group):
"""Manage IAM workload identity pool namespaces.
Commands for managing IAM workload identity pool namespaces.
"""


@@ -0,0 +1,118 @@
# -*- coding: utf-8 -*- #
# Copyright 2024 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Command to add an attestation rule on a workload identity pool namespace."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.api_lib.iam import util
from googlecloudsdk.api_lib.util import waiter
from googlecloudsdk.calliope import base
from googlecloudsdk.calliope.concepts import concepts
from googlecloudsdk.command_lib.iam import identity_pool_waiter
from googlecloudsdk.command_lib.util.apis import yaml_data
from googlecloudsdk.command_lib.util.concepts import concept_parsers
from googlecloudsdk.core import log
from googlecloudsdk.core import resources as sdkresources
@base.Hidden
@base.UniverseCompatible
class AddAttestationRule(base.Command):
"""Add an attestation rule on a workload identity pool namespace."""
detailed_help = {
'DESCRIPTION': '{description}',
'EXAMPLES': """\
The following command adds an attestation rule with a Google Cloud
resource on a workload identity pool namespace `my-namespace`.
$ {command} my-namespace \
--workload-identity-pool="my-workload-identity-pool" \
--location="global" \
--google-cloud-resource="//compute.googleapis.com/projects/123/type/Instance/attached_service_account.uid/12345"
""",
}
@staticmethod
def Args(parser):
namespace_data = yaml_data.ResourceYAMLData.FromPath(
'iam.workload_identity_pool_namespace'
)
concept_parsers.ConceptParser.ForResource(
'namespace',
concepts.ResourceSpec.FromYaml(
namespace_data.GetData(), is_positional=True
),
'The workload identity pool namespace to add attestation rule on.',
required=True,
).AddToParser(parser)
parser.add_argument(
'--google-cloud-resource',
help="""A single workload operating on Google Cloud. This will be set
in the attestation rule to be added.""",
required=True,
)
base.ASYNC_FLAG.AddToParser(parser)
def Run(self, args):
client, messages = util.GetClientAndMessages()
namespace_ref = args.CONCEPTS.namespace.Parse()
add_attestation_rule_request = messages.AddAttestationRuleRequest(
attestationRule=messages.AttestationRule(
googleCloudResource=args.google_cloud_resource
)
)
lro_ref = client.projects_locations_workloadIdentityPools_namespaces.AddAttestationRule(
messages.IamProjectsLocationsWorkloadIdentityPoolsNamespacesAddAttestationRuleRequest(
resource=namespace_ref.RelativeName(),
addAttestationRuleRequest=add_attestation_rule_request,
)
)
log.status.Print(
'Add attestation rule request issued for: [{}]'.format(
namespace_ref.namespacesId
)
)
if args.async_:
return lro_ref
result = waiter.WaitFor(
poller=identity_pool_waiter.IdentityPoolOperationPollerNoResources(
client.projects_locations_workloadIdentityPools_namespaces,
client.projects_locations_workloadIdentityPools_namespaces_operations,
),
operation_ref=sdkresources.REGISTRY.ParseRelativeName(
lro_ref.name,
collection=(
'iam.projects.locations.workloadIdentityPools.namespaces.operations'
),
),
message='Waiting for operation [{}] to complete'.format(lro_ref.name),
# Wait for a maximum of 5 minutes, as the IAM replication has a lag of
# up to 80 seconds.
max_wait_ms=300000,
)
log.status.Print(
'Added attestation rule for [{}].'.format(namespace_ref.namespacesId)
)
return result


@@ -0,0 +1,44 @@
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
help_text:
brief: Create a workload identity pool namespace.
description: Create a workload identity pool namespace.
examples: |
The following command creates a workload identity pool namespace with the
ID `my-namespace`:
$ {command} my-namespace \
--location="global" \
--workload-identity-pool="my-workload-identity-pool" \
--description="My namespace description" \
--disabled
request:
collection: iam.projects.locations.workloadIdentityPools.namespaces
async:
collection: iam.projects.locations.workloadIdentityPools.namespaces.operations
arguments:
resource:
help_text: |-
The workload identity pool namespace to create.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_namespace
is_positional: true
params:
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_namespace.description
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_namespace.disabled


@@ -0,0 +1,38 @@
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
help_text:
brief: Delete a workload identity pool namespace.
description: Delete a workload identity pool namespace.
examples: |
The following command deletes a workload identity pool namespace in the default project with
the ID ``my-namespace''.
$ {command} my-namespace \
--location="global" \
--workload-identity-pool="my-workload-identity-pool"
request:
collection: iam.projects.locations.workloadIdentityPools.namespaces
async:
collection: iam.projects.locations.workloadIdentityPools.namespaces.operations
arguments:
resource:
help_text: |-
The workload identity pool namespace to delete.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_namespace
is_positional: true


@@ -0,0 +1,35 @@
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
help_text:
brief: Describe a workload identity pool namespace.
description: Describe a workload identity pool namespace.
examples: |
The following command describes a workload identity pool namespace in the default project with
the ID ``my-namespace''.
$ {command} my-namespace \
--location="global" \
--workload-identity-pool="my-workload-identity-pool"
request:
collection: iam.projects.locations.workloadIdentityPools.namespaces
arguments:
resource:
help_text: |-
The workload identity pool namespace to describe.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_namespace
is_positional: true


@@ -0,0 +1,41 @@
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
help_text:
brief: List workload identity pool namespaces.
description: List workload identity pool namespaces.
examples: |
The following command lists all namespaces in the workload identity pool, including
soft-deleted namespaces:
$ {command} \
--workload-identity-pool="my-workload-identity-pool" \
--location="global" \
--show-deleted
request:
collection: iam.projects.locations.workloadIdentityPools.namespaces
arguments:
resource:
help_text: The parent workload identity pool to list namespaces for.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool
is_positional: false
params:
- api_field: showDeleted
arg_name: show-deleted
required: false
help_text: Whether to return soft-deleted resources.


@@ -0,0 +1,85 @@
# -*- coding: utf-8 -*- #
# Copyright 2024 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Command to add an attestation rule on a workload identity pool namespace."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from apitools.base.py import list_pager
from googlecloudsdk.api_lib.iam import util
from googlecloudsdk.calliope import base
from googlecloudsdk.calliope.concepts import concepts
from googlecloudsdk.command_lib.util.apis import yaml_data
from googlecloudsdk.command_lib.util.concepts import concept_parsers
@base.Hidden
@base.UniverseCompatible
class ListAttestationRules(base.ListCommand):
"""List the attestation rules on a workload identity pool namespace."""
detailed_help = {
'DESCRIPTION': '{description}',
'EXAMPLES': """\
The following command lists the attestation rules on a workload
identity pool namespace `my-namespace` with a container id filter.
$ {command} my-namespace \
--workload-identity-pool="my-workload-identity-pool" \
--location="global" \
--container-id-filter="projects/123,projects/456"
""",
}
@staticmethod
def Args(parser):
namespace_data = yaml_data.ResourceYAMLData.FromPath(
'iam.workload_identity_pool_namespace'
)
concept_parsers.ConceptParser.ForResource(
'namespace',
concepts.ResourceSpec.FromYaml(
namespace_data.GetData(), is_positional=True
),
'The namespace to list attestation rules.',
required=True,
).AddToParser(parser)
parser.add_argument(
'--container-id-filter',
help="""Apply a filter on the container ids of the attestation rules
being listed. Expects a comma-delimited string of project
numbers in the format `projects/<project-number>,...`.""",
)
base.URI_FLAG.RemoveFromParser(parser)
def Run(self, args):
client, messages = util.GetClientAndMessages()
namespace_ref = args.CONCEPTS.namespace.Parse()
return list_pager.YieldFromList(
client.projects_locations_workloadIdentityPools_namespaces,
messages.IamProjectsLocationsWorkloadIdentityPoolsNamespacesListAttestationRulesRequest(
filter=f'container_ids({ args.container_id_filter})'
if args.container_id_filter
else '',
resource=namespace_ref.RelativeName(),
),
method='ListAttestationRules',
batch_size=args.page_size,
limit=args.limit,
field='attestationRules',
batch_size_attribute='pageSize',
)


@@ -0,0 +1,31 @@
# -*- coding: utf-8 -*- #
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""The workload-identity-pools namespaces operations group for the IAM CLI."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
@base.UniverseCompatible
@base.ReleaseTracks(base.ReleaseTrack.GA)
class WorkloadPoolNamespaceOperations(base.Group):
"""Manage IAM workload identity pool namespace long running operations.
Commands for managing IAM workload identity pool namespace long running
operations.
"""


@@ -0,0 +1,35 @@
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
help_text:
brief: Describe a workload identity pool namespace operation.
description: Describe a workload identity pool namespace operation.
examples: |
The following command describes the long-running workload identity pool namespace operation
with the ID ``my-operation'':
$ {command} my-operation \
--workload-identity-pool="my-workload-identity-pool" \
--namespace="my-namespace" \
--location="global"
request:
collection: iam.projects.locations.workloadIdentityPools.namespaces.operations
arguments:
resource:
help_text: The workload identity pool namespace long-running operation to describe.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_namespace_operation
is_positional: true


@@ -0,0 +1,118 @@
# -*- coding: utf-8 -*- #
# Copyright 2024 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Command to remove an attestation rule on a workload identity pool namespace."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.api_lib.iam import util
from googlecloudsdk.api_lib.util import waiter
from googlecloudsdk.calliope import base
from googlecloudsdk.calliope.concepts import concepts
from googlecloudsdk.command_lib.iam import identity_pool_waiter
from googlecloudsdk.command_lib.util.apis import yaml_data
from googlecloudsdk.command_lib.util.concepts import concept_parsers
from googlecloudsdk.core import log
from googlecloudsdk.core import resources as sdkresources
@base.Hidden
@base.UniverseCompatible
class RemoveAttestationRule(base.Command):
"""Remove an attestation rule on a workload identity pool namespace."""
detailed_help = {
'DESCRIPTION': '{description}',
'EXAMPLES': """\
The following command removes an attestation rule with a Google Cloud
resource on a workload identity pool namespace `my-namespace`.
$ {command} my-namespace \
--workload-identity-pool="my-workload-identity-pool" \
--location="global" \
--google-cloud-resource="//compute.googleapis.com/projects/123/type/Instance/attached_service_account.uid/12345"
""",
}
@staticmethod
def Args(parser):
namespace_data = yaml_data.ResourceYAMLData.FromPath(
'iam.workload_identity_pool_namespace'
)
concept_parsers.ConceptParser.ForResource(
'namespace',
concepts.ResourceSpec.FromYaml(
namespace_data.GetData(), is_positional=True
),
'The workload identity pool namespace to remove attestation rule on.',
required=True,
).AddToParser(parser)
parser.add_argument(
'--google-cloud-resource',
help="""A single workload operating on Google Cloud. This will be set
in the attestation rule to be added.""",
required=True,
)
base.ASYNC_FLAG.AddToParser(parser)
def Run(self, args):
client, messages = util.GetClientAndMessages()
namespace_ref = args.CONCEPTS.namespace.Parse()
remove_attestation_rule_request = messages.RemoveAttestationRuleRequest(
attestationRule=messages.AttestationRule(
googleCloudResource=args.google_cloud_resource,
)
)
lro_ref = client.projects_locations_workloadIdentityPools_namespaces.RemoveAttestationRule(
messages.IamProjectsLocationsWorkloadIdentityPoolsNamespacesRemoveAttestationRuleRequest(
resource=namespace_ref.RelativeName(),
removeAttestationRuleRequest=remove_attestation_rule_request,
)
)
log.status.Print(
'Remove attestation rule request issued for: [{}]'.format(
namespace_ref.namespacesId
)
)
if args.async_:
return lro_ref
result = waiter.WaitFor(
poller=identity_pool_waiter.IdentityPoolOperationPollerNoResources(
client.projects_locations_workloadIdentityPools_namespaces,
client.projects_locations_workloadIdentityPools_namespaces_operations,
),
operation_ref=sdkresources.REGISTRY.ParseRelativeName(
lro_ref.name,
collection=(
'iam.projects.locations.workloadIdentityPools.namespaces.operations'
),
),
message='Waiting for operation [{}] to complete'.format(lro_ref.name),
# Wait for a maximum of 5 minutes, as the IAM replication has a lag of
# up to 80 seconds.
max_wait_ms=300000,
)
log.status.Print(
'Removed attestation rule for [{}].'.format(namespace_ref.namespacesId)
)
return result
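Review bot: The `--google-cloud-resource` help text ends with "This will be set in the attestation rule to be added.", copied from the add command; for this command it should read `in the attestation rule to be removed.`. The rest of the flag and waiter wiring mirrors AddAttestationRule, so only the wording needs changing.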


@@ -0,0 +1,131 @@
# -*- coding: utf-8 -*- #
# Copyright 2024 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Command to set attestation rules on a workload identity pool namespace."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from apitools.base.py import encoding
from googlecloudsdk.api_lib.iam import util
from googlecloudsdk.api_lib.util import waiter
from googlecloudsdk.calliope import base
from googlecloudsdk.calliope import exceptions as gcloud_exceptions
from googlecloudsdk.calliope.concepts import concepts
from googlecloudsdk.command_lib.iam import identity_pool_waiter
from googlecloudsdk.command_lib.util.apis import yaml_data
from googlecloudsdk.command_lib.util.concepts import concept_parsers
from googlecloudsdk.core import log
from googlecloudsdk.core import resources as sdkresources
from googlecloudsdk.core import yaml
import six
@base.Hidden
@base.UniverseCompatible
class AddAttestationRule(base.Command):
"""Set attestation rules on a workload identity pool namespace."""
detailed_help = {
'DESCRIPTION': '{description}',
'EXAMPLES': """\
The following command sets attestation rules on a workload identity
pool namespace `my-namespace` using a policy file.
$ {command} my-namespace \
--workload-identity-pool="my-workload-identity-pool" \
--location="global" \
--policy-file="policy.json"
""",
}
@staticmethod
def Args(parser):
namespace_data = yaml_data.ResourceYAMLData.FromPath(
'iam.workload_identity_pool_namespace'
)
concept_parsers.ConceptParser.ForResource(
'namespace',
concepts.ResourceSpec.FromYaml(
namespace_data.GetData(), is_positional=True
),
'The workload identity pool namespace to set attestations rule on.',
required=True,
).AddToParser(parser)
parser.add_argument(
'--policy-file',
help="""\
Path to a local JSON-formatted or YAML-formatted file containing an
attestation policy, structured as a [list of attestation rules](https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools.namespaces/setAttestationRules#request-body).
""",
required=True,
)
base.ASYNC_FLAG.AddToParser(parser)
def Run(self, args):
client, messages = util.GetClientAndMessages()
namespace_ref = args.CONCEPTS.namespace.Parse()
policy_to_parse = yaml.load_path(args.policy_file)
try:
set_attestation_rules_request = encoding.PyValueToMessage(
messages.SetAttestationRulesRequest, policy_to_parse
)
except AttributeError as e:
# Raised when the input file is not properly formatted YAML policy file.
raise gcloud_exceptions.BadFileException(
'Policy file [{0}] is not a properly formatted YAML or JSON '
'policy file. {1}'.format(args.policy_file, six.text_type(e))
)
lro_ref = client.projects_locations_workloadIdentityPools_namespaces.SetAttestationRules(
messages.IamProjectsLocationsWorkloadIdentityPoolsNamespacesSetAttestationRulesRequest(
resource=namespace_ref.RelativeName(),
setAttestationRulesRequest=set_attestation_rules_request,
)
)
log.status.Print(
'Set attestation rules request issued for: [{}]'.format(
namespace_ref.namespacesId
)
)
if args.async_:
return lro_ref
result = waiter.WaitFor(
poller=identity_pool_waiter.IdentityPoolOperationPollerNoResources(
client.projects_locations_workloadIdentityPools_namespaces,
client.projects_locations_workloadIdentityPools_namespaces_operations,
),
operation_ref=sdkresources.REGISTRY.ParseRelativeName(
lro_ref.name,
collection=(
'iam.projects.locations.workloadIdentityPools.namespaces.operations'
),
),
message='Waiting for operation [{}] to complete'.format(lro_ref.name),
# Wait for a maximum of 5 minutes, as the IAM replication has a lag of
# up to 80 seconds.
max_wait_ms=300000,
)
log.status.Print(
'Set attestation rules for [{}].'.format(namespace_ref.namespacesId)
)
return result
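Review bot: The class is named `AddAttestationRule` while the module docstring, the command summary and the RPC it calls (`SetAttestationRules`, which replaces the namespace's whole rule set) all describe a set operation; renaming it to `SetAttestationRules` keeps the generated command path consistent with what it does. Because the call is a replace, a policy file whose top-level key is misspelled would, if apitools keeps rather than rejects unrecognized fields, decode to a request with an empty `attestationRules` list and silently clear every rule on the namespace; a guard right after the decode, `if not set_attestation_rules_request.attestationRules: raise gcloud_exceptions.BadFileException('Policy file [{}] contains no attestation rules.'.format(args.policy_file))`, makes that outcome explicit instead of accidental. The `--policy-file` help says the file is "structured as a list of attestation rules", but the decode targets the request message, which per the linked request-body reference wraps that list in an `attestationRules` field; the help should show that shape. The `except AttributeError` around the decode is narrower than its comment suggests — a well-formed file with wrong value types may surface as a different exception from the decoder, which is worth confirming before relying on that branch for the user-facing error.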


@@ -0,0 +1,39 @@
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
help_text:
brief: Undelete a workload identity pool namespace.
description: Undelete a workload identity pool namespace.
examples: |
The following command undeletes a workload identity pool namespace in the default project with
the ID ``my-namespace''.
$ {command} my-namespace \
--location="global" \
--workload-identity-pool="my-workload-identity-pool"
request:
collection: iam.projects.locations.workloadIdentityPools.namespaces
method: undelete
async:
collection: iam.projects.locations.workloadIdentityPools.namespaces.operations
arguments:
resource:
help_text: |-
The workload identity pool namespace to undelete.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_namespace
is_positional: true


@@ -0,0 +1,44 @@
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
help_text:
brief: Update workload identity pool namespace.
description: Update workload identity pool namespace.
examples: |
The following command updates the workload identity pool namespace with the
ID my-namespace:
$ {command} my-namespace \
--location="global" \
--workload-identity-pool="my-workload-identity-pool" \
--description="My namespace description" \
--disabled
request:
collection: iam.projects.locations.workloadIdentityPools.namespaces
async:
collection: iam.projects.locations.workloadIdentityPools.namespaces.operations
arguments:
resource:
help_text: |-
The workload identity pool namespace to update.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_namespace
is_positional: true
params:
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_namespace.description
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_namespace.disabled


@@ -0,0 +1,32 @@
# -*- coding: utf-8 -*- #
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""The workload-identity-pools namespaces workload-sources command group for the IAM CLI."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
@base.Hidden
@base.ReleaseTracks(base.ReleaseTrack.GA)
class WorkloadSources(base.Group):
"""Manage IAM workload identity pool namespace workload sources.
WorkloadSources define which workloads can attest an identity within a pool.
When a WorkloadSource is defined for a namespace, matching workloads may
receive any identity within that namespace.
"""


@@ -0,0 +1,148 @@
# -*- coding: utf-8 -*- #
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Command to create a workload source for a workload identity pool namespace."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.api_lib.iam import util
from googlecloudsdk.api_lib.iam.workload_identity_pools import workload_sources
from googlecloudsdk.calliope import arg_parsers
from googlecloudsdk.calliope import base
from googlecloudsdk.calliope import exceptions as gcloud_exceptions
from googlecloudsdk.calliope.concepts import concepts
from googlecloudsdk.command_lib.iam.workload_identity_pools import flags
from googlecloudsdk.command_lib.util.apis import yaml_data
from googlecloudsdk.command_lib.util.concepts import concept_parsers
from googlecloudsdk.core import log
class CreateGcp(base.CreateCommand):
"""Create a workload source for a workload identity pool namespace."""
detailed_help = {
'DESCRIPTION': '{description}',
'EXAMPLES': """\
The following command creates a workload source for the specified
workload identity pool namespace that authorizes any Compute Engine
instance in the Google Cloud project `123` based on their attached
service account.
$ {command} project-123 --location="global" \\
--workload-identity-pool="my-workload-identity-pool" \\
--namespace="my-namespace" \\
--single-attribute-selectors="compute.googleapis.com/Instance.attached_service_account.email='foo@bar.iam.gserviceaccount.com'"
--allow-identity-self-selection
""",
}
@staticmethod
def Args(parser):
workload_source_data = yaml_data.ResourceYAMLData.FromPath(
'iam.workload_identity_pool_namespace_workload_source'
)
# b/295594640: The help text for this command should include what the ID
# represents and format constraints enforced. Figure out if it's possible
# to add that information to this parser.
concept_parsers.ConceptParser.ForResource(
'workload_source',
concepts.ResourceSpec.FromYaml(
workload_source_data.GetData(), is_positional=True
),
'The workload source to create.',
required=True,
).AddToParser(parser)
# Flags for creating workload source
parser.add_argument(
'--single-attribute-selectors',
type=arg_parsers.ArgList(),
help=(
'Attributes that a workload must attest for it to be matched by the'
' workload source.'
),
metavar='SINGLE_ATTRIBUTE_SELECTORS',
)
parser.add_argument(
'--allow-identity-self-selection',
action='store_true',
help=(
'Allows matched workloads to request any identity within the'
' namespace.'
),
)
base.ASYNC_FLAG.AddToParser(parser)
def Run(self, args):
self.CheckArgs(args)
client, messages = util.GetClientAndMessages()
workload_source_ref = args.CONCEPTS.workload_source.Parse()
workload_source = messages.WorkloadSource()
workload_source.identityAssignments.append(
messages.IdentityAssignment(
singleAttributeSelectors=flags.ParseSingleAttributeSelectorArg(
arg_name='--single-attribute-selectors',
arg_value=args.single_attribute_selectors,
),
allowIdentitySelfSelection=args.allow_identity_self_selection,
)
)
lro_ref = client.projects_locations_workloadIdentityPools_namespaces_managedIdentities_workloadSources.Create(
messages.IamProjectsLocationsWorkloadIdentityPoolsNamespacesManagedIdentitiesWorkloadSourcesCreateRequest(
parent=workload_source_ref.Parent().RelativeName(),
workloadSource=workload_source,
workloadSourceId=workload_source_ref.workloadSourcesId,
)
)
log.status.Print(
'Create request issued for: [{}]'.format(
workload_source_ref.workloadSourcesId
)
)
if args.async_:
return lro_ref
# Wait for the LRO to complete.
result = workload_sources.WaitForWorkloadSourceOperation(
client=client,
lro_ref=lro_ref,
for_managed_identity=False,
)
log.status.Print(
'Created workload source [{}].'.format(
workload_source_ref.workloadSourcesId
)
)
return result
def CheckArgs(self, args):
if not args.single_attribute_selectors:
raise gcloud_exceptions.OneOfArgumentsRequiredException(
['--single-attribute-selectors'],
'Must provide at least one selector that will match workload(s) '
'from the source.',
)
if not args.allow_identity_self_selection:
raise gcloud_exceptions.OneOfArgumentsRequiredException(
['--allow-identity-self-selection'],
'Must define how workload will be assigned an identity.',
)
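Review bot: The create call in `Run` goes through `projects_locations_workloadIdentityPools_namespaces_managedIdentities_workloadSources` with the managed-identities request type, yet the resource is parsed from the namespace workload source YAML, the parent is the namespace, and the wait passes `for_managed_identity=False`; the update command in this same commit uses `projects_locations_workloadIdentityPools_namespaces_workloadSources`, so this looks copied from the managed-identity variant and should be confirmed against the API surface. The EXAMPLES block breaks before `--allow-identity-self-selection`: the `--single-attribute-selectors=...` line has no trailing `\\`, so a copied example would execute the flag as a separate shell command — the update command's two examples have the same gap. `CheckArgs` has no docstring; `"""Raise if no selector or no identity-assignment mode was given."""` would do. Since `--allow-identity-self-selection` is a plain `store_true` flag that `CheckArgs` insists on, it is effectively mandatory; either declare it `required=True` in `Args` or say so in its help.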


@@ -0,0 +1,40 @@
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
hidden: true
help_text:
brief: Delete a workload identity pool namespace workload source.
description: Delete a workload identity pool namespace workload source.
examples: |
The following command deletes a workload identity pool namespace worklaod source in the
default project with the ID ``project-123''.
$ {command} project-123 \
--location="global" \
--workload-identity-pool="my-workload-identity-pool"
--namespace="my-namespace"
request:
collection: iam.projects.locations.workloadIdentityPools.namespaces.workloadSources
async:
collection: iam.projects.locations.workloadIdentityPools.namespaces.workloadSources.operations
arguments:
resource:
help_text: |-
The workload identity pool namespace workload source to delete.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_namespace_workload_source
is_positional: true
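Review bot: The example under `help_text.examples` is missing a line continuation: `--workload-identity-pool="my-workload-identity-pool"` has no trailing `\`, so `--namespace="my-namespace"` would run as a separate command if the example is copied; the describe command in the next section has the same gap. The same example also has a typo, `worklaod` for `workload`.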


@@ -0,0 +1,37 @@
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
hidden: true
help_text:
brief: Describe a workload identity pool namespace workload source.
description: Describe a workload identity pool namespace workload source.
examples: |
The following command describes a workload identity pool namespace workload source in the
default project with the ID ``project-123''.
$ {command} project-123 \
--location="global" \
--workload-identity-pool="my-workload-identity-pool"
--namespace="my-namespace"
request:
collection: iam.projects.locations.workloadIdentityPools.namespaces.workloadSources
arguments:
resource:
help_text: |-
The workload identity pool namespace workload source to describe.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_namespace_workload_source
is_positional: true


@@ -0,0 +1,35 @@
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
hidden: true
help_text:
brief: List workload identity pool namespace workload sources.
description: List workload identity pool namespace workload sources.
examples: |
The following command lists all workload sources in the workload identity pool namespace:
$ {command} \
--workload-identity-pool="my-workload-identity-pool" \
--namespace="my-namespace" \
--location="global"
request:
collection: iam.projects.locations.workloadIdentityPools.namespaces.workloadSources
arguments:
resource:
help_text: The parent workload identity pool namespace to list workload sources for.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_namespace
is_positional: false


@@ -0,0 +1,31 @@
# -*- coding: utf-8 -*- #
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""The workload-identity-pools namespaces workload-sources operations group for the IAM CLI."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
@base.Hidden
@base.ReleaseTracks(base.ReleaseTrack.GA)
class WorkloadSourceOperations(base.Group):
"""Manage IAM workload identity pool namespace workload source long running operations.
Commands for managing IAM workload identity pool namespace workload source
long running operations.
"""


@@ -0,0 +1,38 @@
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
hidden: true
help_text:
brief: Describe a workload identity pool namespace workload source operation.
description: Describe a workload identity pool namespace workload source operation.
examples: |
The following command describes the long-running workload identity pool namespace workload
source operation with the ID `my-operation`:
$ {command} my-operation \
--workload-identity-pool="my-workload-identity-pool" \
--namespace="my-namespace" \
--managed-identity="my-managed-identity" \
--workload-source="project-123" \
--location="global"
request:
collection: iam.projects.locations.workloadIdentityPools.namespaces.workloadSources.operations
arguments:
resource:
help_text: Workload identity pool namespace workload source long-running operation to describe.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_namespace_workload_source_operation
is_positional: true
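Review bot: The example passes `--managed-identity="my-managed-identity"`, but the resource spec is `workload_identity_pool_namespace_workload_source_operation`, a namespace-scoped workload source, and every other namespace workload source section in this commit addresses the resource with only `--workload-identity-pool`, `--namespace` and `--workload-source`; unless that spec defines a managed-identity attribute, the example would fail on an unrecognized flag. Drop the line, or confirm the attribute exists in the referenced spec.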


@@ -0,0 +1,217 @@
# -*- coding: utf-8 -*- #
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Command to update a workload source under a workload identity pool managed identity."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
import operator
from googlecloudsdk.api_lib.iam import util
from googlecloudsdk.api_lib.iam.workload_identity_pools import workload_sources
from googlecloudsdk.calliope import arg_parsers
from googlecloudsdk.calliope import base
from googlecloudsdk.calliope import exceptions as gcloud_exceptions
from googlecloudsdk.calliope.concepts import concepts
from googlecloudsdk.command_lib.iam.workload_identity_pools import flags
from googlecloudsdk.command_lib.util.apis import yaml_data
from googlecloudsdk.command_lib.util.concepts import concept_parsers
from googlecloudsdk.core import log
class Update(base.UpdateCommand):
"""Update a workload source for a workload identity pool namespace."""
detailed_help = {
'DESCRIPTION': '{description}',
'EXAMPLES': """\
The following command matches Compute Engine instances within the
Google Cloud project 123 based on their attached service account.
$ {command} project-123 --location="global" \
--workload-identity-pool="my-workload-identity-pool" \
--namespace="my-namespace" \
--single-attribute-selectors="compute.googleapis.com/Instance.attached_service_account.email='foo@bar.iam.gserviceaccount.com'"
--allow-identity-self-selection
The following command stops matching Compute Engine instances within
the Google Cloud project 123 based on their attached service account.
$ {command} project-123 --location="global" \
--workload-identity-pool="my-workload-identity-pool" \
--namespace="my-namespace" \
--single-attribute-selectors="compute.googleapis.com/Instance.attached_service_account.email='foo@bar.iam.gserviceaccount.com'"
--no-allow-identity-self-selection
""",
}
@staticmethod
def Args(parser):
workload_source_data = yaml_data.ResourceYAMLData.FromPath(
'iam.workload_identity_pool_namespace_workload_source'
)
concept_parsers.ConceptParser.ForResource(
'workload_source',
concepts.ResourceSpec.FromYaml(
workload_source_data.GetData(), is_positional=True
),
'The workload source to update.',
required=True,
).AddToParser(parser)
# Flags for updating workload source
parser.add_argument(
'--single-attribute-selectors',
type=arg_parsers.ArgList(),
help=(
'An attribute that a workload can attest for it to be allow to '
'receive a managed identity.'
),
metavar='SINGLE_ATTRIBUTE_SELECTORS',
)
parser.add_argument(
'--allow-identity-self-selection',
action=arg_parsers.StoreTrueFalseAction,
help=(
'Allows matched workloads to request any identity within the'
' namespace.'
),
)
base.ASYNC_FLAG.AddToParser(parser)
def Run(self, args):
self.CheckArgs(args)
client, messages = util.GetClientAndMessages()
workload_source_ref = args.CONCEPTS.workload_source.Parse()
# Read current workload source from storage
workload_source = client.projects_locations_workloadIdentityPools_namespaces_workloadSources.Get(
messages.IamProjectsLocationsWorkloadIdentityPoolsNamespacesWorkloadSourcesGetRequest(
name=workload_source_ref.RelativeName()
)
)
# Reconcile the list of adds and deletes
reconciled_identity_assignment_list = self.ReconcileIdentityAssignments(
args, workload_source.identityAssignments
)
workload_source.identityAssignments.clear()
workload_source.identityAssignments.extend(
reconciled_identity_assignment_list
)
# Write back the updated workload source
lro_ref = client.projects_locations_workloadIdentityPools_namespaces_workloadSources.Patch(
messages.IamProjectsLocationsWorkloadIdentityPoolsNamespacesWorkloadSourcesPatchRequest(
name=workload_source.name,
workloadSource=workload_source,
updateMask='identity_assignments',
)
)
log.status.Print(
'Update request issued for: [{}]'.format(
workload_source_ref.workloadSourcesId
)
)
if args.async_:
return lro_ref
# Wait for the LRO to complete.
result = workload_sources.WaitForWorkloadSourceOperation(
client=client,
lro_ref=lro_ref,
)
log.status.Print(
'Updated workload source [{}].'.format(
workload_source_ref.workloadSourcesId
)
)
return result
def CheckArgs(self, args):
if not args.single_attribute_selectors:
raise gcloud_exceptions.OneOfArgumentsRequiredException(
['--single-attribute-selectors'],
'Must provide at least one selector that will match workload(s)'
' from the source.',
)
if args.allow_identity_self_selection is None:
raise gcloud_exceptions.OneOfArgumentsRequiredException(
['--[no-]allow-identity-self-selection'],
'Must add or remove at least one identity assignment.',
)
def ReconcileIdentityAssignments(self, args, original_identity_assignments):
"""Reconciles the identity assignment changes with the original list."""
_, messages = util.GetClientAndMessages()
updated_selectors = set()
# Add all existing selectors
for identity_assignment in original_identity_assignments:
updated_selectors.update(
map(
self.ToHashableSelector,
identity_assignment.singleAttributeSelectors,
)
)
if args.allow_identity_self_selection is not None:
hashable_selectors = set(
map(
self.ToHashableSelector,
flags.ParseSingleAttributeSelectorArg(
'--single-attribute-selectors',
args.single_attribute_selectors,
),
)
)
# Add single attribute selectors
if args.allow_identity_self_selection:
updated_selectors |= hashable_selectors
# Remove single attribute selectors
else:
updated_selectors -= hashable_selectors
if updated_selectors == set():
return []
# Convert to proto and return
identity_assignment_proto = messages.IdentityAssignment()
identity_assignment_proto.singleAttributeSelectors.extend(
sorted(
list(map(self.ToProtoSelector, updated_selectors)),
# Sort results to guarantee stable results across platforms and
# versions
key=operator.attrgetter('attribute', 'value'),
)
)
# The only values left in updated_selectors are ones where
# allow_identity_self_selection is true.
identity_assignment_proto.allowIdentitySelfSelection = True
return [identity_assignment_proto]
def ToHashableSelector(self, proto_selector):
"""Converts the given SingleAttributeSelector proto into a hashable type."""
return tuple([proto_selector.attribute, proto_selector.value])
def ToProtoSelector(self, hashable_selector):
"""Converts the given hashable SingleAttributeSelector into a proto."""
_, messages = util.GetClientAndMessages()
return messages.SingleAttributeSelector(
attribute=hashable_selector[0],
value=hashable_selector[1],
)
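Review bot: `ReconcileIdentityAssignments` folds the selectors of every existing identity assignment into one set and emits a single assignment with `allowIdentitySelfSelection = True`, so any stored assignment whose flag was false would have its selectors promoted to self-selection on the next update; the comment `The only values left in updated_selectors are ones where allow_identity_self_selection is true` holds only if the API never stores an assignment with the flag unset, which should be confirmed. The `--allow-identity-self-selection` help does not say that the `--no-` form removes the given selectors rather than toggling a setting, which is what `CheckArgs` and the reconcile rely on; add a sentence such as `Use --no-allow-identity-self-selection to remove the given selectors from the workload source.` Both EXAMPLES lack a trailing `\` before the final `--[no-]allow-identity-self-selection` line, so that flag would run as a separate shell command. As a matter of style, `if updated_selectors == set():` reads more naturally as `if not updated_selectors:`, and `util.GetClientAndMessages()` is re-invoked in `ReconcileIdentityAssignments` and `ToProtoSelector` when the `messages` already obtained in `Run` could be passed through.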


@@ -0,0 +1,30 @@
# -*- coding: utf-8 -*- #
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""The workload-identity-pools operations command group for the IAM CLI."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
@base.ReleaseTracks(base.ReleaseTrack.ALPHA, base.ReleaseTrack.BETA,
base.ReleaseTrack.GA)
class WorkloadPoolOperations(base.Group):
"""Manage IAM workload identity pool long running operations.
Commands for managing IAM workload identity pool long running operations.
"""


@@ -0,0 +1,38 @@
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [ALPHA, BETA, GA]
help_text:
brief: Describe a workload identity pool operation.
description: Describe a workload identity pool operation.
examples: |
The following command describes the long running workload identity poolProvider operation with
the ID ``my-operation'':
$ {command} my-operation \
--workload-identity-pool="my-workload-identity-pool" \
--location="global"
request:
collection: iam.projects.locations.workloadIdentityPools.operations
ALPHA:
api_version: v1beta
BETA:
api_version: v1beta
arguments:
resource:
help_text: The workload identity pool long running operation to describe.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_operation
is_positional: true
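Review bot: The example text reads `the long running workload identity poolProvider operation`, which looks copied from the provider-operations command; for this collection (`iam.projects.locations.workloadIdentityPools.operations`) it should read `the long running workload identity pool operation`.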


@@ -0,0 +1,30 @@
# -*- coding: utf-8 -*- #
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""The workload-identity-pools providers command group for the IAM CLI."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
@base.ReleaseTracks(base.ReleaseTrack.ALPHA, base.ReleaseTrack.BETA,
base.ReleaseTrack.GA)
class WorkloadPoolProviders(base.Group):
"""Manage IAM workload identity pool providers.
Commands for managing IAM workload identity pool providers.
"""


@@ -0,0 +1,57 @@
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [ALPHA, BETA, GA]
command_type: CREATE
help_text:
brief: Create a new AWS workload identity pool provider.
description: Create a new AWS workload identity pool provider.
examples: |
The following command creates a disabled AWS workload identity pool provider in the default
project with the ID ``my-workload-identity-pool''. Explicit values for all required and optional
parameters are provided.
$ {command} my-workload-identity-pool-provider \
--location="global" \
--workload-identity-pool="my-workload-identity-pool" \
--display-name="My workload pool provider" \
--description="My workload pool provider description" \
--disabled \
--attribute-mapping="google.subject=assertion.arn" \
--attribute-condition="true" \
--account-id=1234567890
request:
collection: iam.projects.locations.workloadIdentityPools.providers
ALPHA:
api_version: v1beta
BETA:
api_version: v1beta
arguments:
resource:
help_text: |-
The workload identity pool provider to create.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_provider
is_positional: true
params:
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.display_name
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.description
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.disabled
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.attribute_condition
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.attribute_mapping
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.aws_account_id
required: true


@@ -0,0 +1,62 @@
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [ALPHA, BETA, GA]
command_type: CREATE
help_text:
brief: Create a new OIDC workload identity pool provider.
description: Create a new OIDC workload identity pool provider.
examples: |
The following command creates a disabled OIDC workload identity pool provider in the default
project with the ID ``my-workload-identity-pool''. Explicit values for all required and optional
parameters are provided.
$ {command} my-workload-identity-pool-provider \
--location="global" \
--workload-identity-pool="my-workload-identity-pool" \
--display-name="My workload pool provider" \
--description="My workload pool provider description" \
--disabled \
--attribute-mapping="google.subject=assertion.sub" \
--attribute-condition="true" \
--issuer-uri="https://test-idp.com" \
--allowed-audiences=https://test-audience-1.com,https://test-audience-2.com
--jwk-json-path="path/to/jwk.json"
request:
collection: iam.projects.locations.workloadIdentityPools.providers
ALPHA:
api_version: v1beta
BETA:
api_version: v1beta
arguments:
resource:
help_text: |-
The workload identity pool provider to create.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_provider
is_positional: true
params:
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.display_name
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.description
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.disabled
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.attribute_condition
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.attribute_mapping
required: true
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.oidc_issuer_uri
required: true
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.oidc_allowed_audiences
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.oidc_jwks_json_path
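Review bot: The example in the `examples:` block is not a single command: the `--allowed-audiences=https://test-audience-1.com,https://test-audience-2.com` line has no trailing backslash, so `--jwk-json-path="path/to/jwk.json"` would be executed by the shell as a separate command. Append ` \` to that line. The prose above it also says the provider has the ID ``my-workload-identity-pool'' while the command creates ``my-workload-identity-pool-provider''; the SAML and X.509 variants get this right. Finally, `--attribute-condition="true"` imposes no per-token restriction beyond the issuer and audience checks, which is fine for a `--disabled` demo but should not read as a production template — a short sentence in the example text saying so would help.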


@@ -0,0 +1,54 @@
# Copyright 2021 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
command_type: CREATE
help_text:
brief: Create a new SAML workload identity pool provider.
description: Create a new SAML workload identity pool provider.
examples: |
The following command creates a disabled SAML workload identity pool provider in the default
project with the ID ``my-workload-identity-pool-provider''. Explicit values for all required
and optional parameters are provided.
$ {command} my-workload-identity-pool-provider \
--location="global" \
--workload-identity-pool="my-workload-identity-pool" \
--display-name="My workload pool provider" \
--description="My workload pool provider description" \
--disabled \
--attribute-mapping="google.subject=assertion.sub" \
--attribute-condition="true" \
--idp-metadata-path="path/to/metadata/file.xml"
request:
collection: iam.projects.locations.workloadIdentityPools.providers
arguments:
resource:
help_text: |-
The workload identity pool provider to create.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_provider
is_positional: true
params:
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.display_name
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.description
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.disabled
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.attribute_condition
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.attribute_mapping
required: true
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.saml_idp_metadata_path
required: true
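Review bot: The example's `--attribute-mapping="google.subject=assertion.sub"` looks copied from the OIDC example; for a SAML provider the assertion exposes the NameID as `assertion.subject`, not `assertion.sub`, as far as I recall — please confirm against the API before keeping it. If so, change it to `--attribute-mapping="google.subject=assertion.subject"`. Since `attribute_mapping` is `required: true` for this command, a wrong example is the first thing users will run into.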


@@ -0,0 +1,52 @@
# Copyright 2024 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
command_type: CREATE
help_text:
brief: Create a new X.509 workload identity pool provider.
description: Create a new X.509 workload identity pool provider.
examples: |
The following command creates a disabled X.509 workload identity pool provider in the default
project with the ID ``my-workload-identity-pool-provider''. Explicit values for all required
and optional parameters are provided.
$ {command} my-workload-identity-pool-provider \
--location="global" \
--workload-identity-pool="my-workload-identity-pool" \
--display-name="My workload pool provider" \
--description="My workload pool provider description" \
--disabled \
--attribute-mapping="google.subject=assertion.sub" \
--attribute-condition="true" \
--trust-store-config-path="path/to/config/file.yaml"
request:
collection: iam.projects.locations.workloadIdentityPools.providers
arguments:
resource:
help_text: |-
The workload identity pool provider to create.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_provider
is_positional: true
params:
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.display_name
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.description
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.disabled
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.attribute_condition
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.attribute_mapping
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.trust_store_config_path
required: true
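Review bot: `attribute_mapping` is marked `required: true` in the OIDC and SAML create commands but not here, where only `trust_store_config_path` is required. If the API rejects an X.509 provider without a mapping (there is no implicit default subject the way the AWS variant appears to rely on), add `required: true` under the `attribute_mapping` `_REF_` so the CLI fails fast instead of round-tripping to the server. The example's `google.subject=assertion.sub` also looks inherited from OIDC; an X.509 assertion is built from certificate fields, so the expression presumably needs a certificate attribute — confirm against the API docs before shipping the example.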


@@ -0,0 +1,38 @@
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [ALPHA, BETA, GA]
help_text:
brief: Delete a workload identity pool provider.
description: Delete a workload identity pool provider.
examples: |
The following command deletes the workload identity pool provider with the ID
``my-workload-identity-pool-provider'':
$ {command} my-workload-identity-pool-provider \
--workload-identity-pool="my-workload-identity-pool" \
--location="global"
request:
collection: iam.projects.locations.workloadIdentityPools.providers
ALPHA:
api_version: v1beta
BETA:
api_version: v1beta
arguments:
resource:
help_text: The workload identity pool provider to delete.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_provider
is_positional: true
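Review bot: The description `Delete a workload identity pool provider.` does not tell the operator that this is a soft delete: the sibling `list --show-deleted` help speaks of soft-deleted providers and an `undelete` command exists in the same change, so the provider and its trust configuration can be restored afterwards by anyone with the undelete permission. Suggest expanding the description to `Delete a workload identity pool provider. The provider is soft-deleted and can be restored with undelete until it is permanently purged; use list --show-deleted to see it.` The purge window is not visible in this change, so state it only if the API documents one.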


@@ -0,0 +1,38 @@
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [ALPHA, BETA, GA]
help_text:
brief: Describe a workload identity pool provider.
description: Describe a workload identity pool provider.
examples: |
The following command describes the workload identity pool provider with the ID
``my-workload-identity-pool-provider'':
$ {command} my-workload-identity-pool-provider \
--workload-identity-pool="my-workload-identity-pool" \
--location="global"
request:
collection: iam.projects.locations.workloadIdentityPools.providers
ALPHA:
api_version: v1beta
BETA:
api_version: v1beta
arguments:
resource:
help_text: The workload identity pool provider to describe.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_provider
is_positional: true


@@ -0,0 +1,29 @@
# -*- coding: utf-8 -*- #
# Copyright 2022 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""The workload-identity-pools provider keys command group for the IAM CLI."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
@base.ReleaseTracks(base.ReleaseTrack.GA)
class WorkloadPoolProviderKeys(base.Group):
"""Manage IAM workload identity pool provider keys.
Commands for managing IAM workload identity pool provider keys.
"""


@@ -0,0 +1,48 @@
# Copyright 2022 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
help_text:
brief: Create a new workload identity pool provider key.
description: Create a new workload identity pool provider key.
examples: |
The following command creates a workload identity pool provider key in the default
project with the ID ``my-key''. Explicit values for all required and optional parameters are
provided.
$ {command} my-key \
--location="global" \
--workload-identity-pool="my-workload-identity-pool" \
--provider="my-provider"
--use="ENCRYPTION"
--spec="RSA_4096"
request:
collection: iam.projects.locations.workloadIdentityPools.providers.keys
async:
collection: iam.projects.locations.workloadIdentityPools.providers.keys.operations
arguments:
resource:
help_text: |-
The workload identity pool provider key to create.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_provider_key
is_positional: true
params:
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider_key.use
required: true
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider_key.spec
required: true
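Review bot: The example is broken as a shell command: the `--provider="my-provider"` and `--use="ENCRYPTION"` lines lack the trailing backslash, so `--use` and `--spec` would be run as separate commands. Change them to `--provider="my-provider" \` and `--use="ENCRYPTION" \`. Both `use` and `spec` are declared `required: true` below, so the truncated first command would fail with missing-flag errors rather than create the key.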


@@ -0,0 +1,39 @@
# Copyright 2022 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
help_text:
brief: Delete a workload identity pool provider key.
description: Delete a workload identity pool provider key.
examples: |
The following command deletes a workload identity pool provider key in the default
project with the ID ``my-key''.
$ {command} my-key \
--location="global" \
--workload-identity-pool="my-workload-identity-pool" \
--provider="my-provider"
request:
collection: iam.projects.locations.workloadIdentityPools.providers.keys
async:
collection: iam.projects.locations.workloadIdentityPools.providers.keys.operations
arguments:
resource:
help_text: |-
The workload identity pool provider key to delete.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_provider_key
is_positional: true


@@ -0,0 +1,36 @@
# Copyright 2022 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
help_text:
brief: Describe a workload identity pool provider key.
description: Describe a workload identity pool provider key.
examples: |
The following command describes a workload identity pool provider key in the default
project with the ID ``my-key''.
$ {command} my-key \
--location="global" \
--workload-identity-pool="my-workload-identity-pool" \
--provider="my-provider"
request:
collection: iam.projects.locations.workloadIdentityPools.providers.keys
arguments:
resource:
help_text: |-
The workload identity pool provider key to describe.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_provider_key
is_positional: true


@@ -0,0 +1,42 @@
# Copyright 2022 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
help_text:
brief: List workload identity pool provider keys.
description: List workload identity pool provider keys.
examples: |
The following command lists all keys in the workload identity pool provider, including
soft-deleted keys:
$ {command} \
--workload-identity-pool="my-workload-identity-pool" \
--provider="my-provider" \
--location="global" \
--show-deleted
request:
collection: iam.projects.locations.workloadIdentityPools.providers.keys
arguments:
resource:
help_text: The parent workload identity pool provider to list keys for.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_provider
is_positional: false
params:
- api_field: showDeleted
arg_name: show-deleted
required: false
help_text: Whether to return soft-deleted resources.


@@ -0,0 +1,30 @@
# -*- coding: utf-8 -*- #
# Copyright 2022 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""The workload-identity-pools provider key operations command group for the IAM CLI."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
@base.ReleaseTracks(base.ReleaseTrack.GA)
class WorkloadPoolProviderKeyOperations(base.Group):
"""Manage IAM workload identity pool provider key long running operations.
Commands for managing IAM workload identity pool provider key long running
operations.
"""


@@ -0,0 +1,31 @@
# Copyright 2022 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
help_text:
brief: Describe a workload identity pool provider key operation.
description: Describe a workload identity pool provider key operation.
examples: |
To describe the long-running workload identity pool provider key operation with the ID ``my-operation'', run:
$ {command} my-operation --workload-identity-pool="my-pool" --provider="my-provider" --key="my-key" --location="global"
request:
collection: iam.projects.locations.workloadIdentityPools.providers.keys.operations
arguments:
resource:
help_text: The workload identity pool provider key long-running operation to describe.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_provider_key_operation
is_positional: true


@@ -0,0 +1,40 @@
# Copyright 2022 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
help_text:
brief: Undelete a workload identity pool provider key.
description: Undelete a workload identity pool provider key.
examples: |
The following command undeletes a workload identity pool provider key in the default
project with the ID ``my-key''.
$ {command} my-key \
--location="global" \
--workload-identity-pool="my-workload-identity-pool" \
--provider="my-provider"
request:
collection: iam.projects.locations.workloadIdentityPools.providers.keys
method: undelete
async:
collection: iam.projects.locations.workloadIdentityPools.providers.keys.operations
arguments:
resource:
help_text: |-
The workload identity pool provider key to undelete.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_provider_key
is_positional: true


@@ -0,0 +1,45 @@
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [ALPHA, BETA, GA]
help_text:
brief: List workload identity pool providers.
description: List workload identity pool providers.
examples: |
The following command lists all workload identity pool providers in the workload identity
pool, including soft-deleted providers:
$ {command} \
--workload-identity-pool="my-workload-identity-pool" \
--location="global" \
--show-deleted
request:
collection: iam.projects.locations.workloadIdentityPools.providers
ALPHA:
api_version: v1beta
BETA:
api_version: v1beta
arguments:
resource:
help_text: The location to list workload identity pool providers for.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool
is_positional: false
params:
- api_field: showDeleted
arg_name: show-deleted
required: false
help_text: Whether to return soft-deleted resources.
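Review bot: The resource help text `help_text: The location to list workload identity pool providers for.` does not match the resource spec, which is `workload_identity_pool` — the argument names the parent pool, not a location. Use `help_text: The parent workload identity pool to list providers for.`, matching the wording of the keys list command (`The parent workload identity pool provider to list keys for.`).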


@@ -0,0 +1,31 @@
# -*- coding: utf-8 -*- #
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""The workload-identity-pools providers operations group for the IAM CLI."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
@base.ReleaseTracks(base.ReleaseTrack.ALPHA, base.ReleaseTrack.BETA,
base.ReleaseTrack.GA)
class WorkloadPoolProviderOperations(base.Group):
"""Manage IAM workload identity pool provider long running operations.
Commands for managing IAM workload identity pool provider long running
operations.
"""


@@ -0,0 +1,39 @@
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [ALPHA, BETA, GA]
help_text:
brief: Describe a workload identity pool provider operation.
description: Describe a workload identity pool provider operation.
examples: |
The following command describes the long running workload identity pool provider operation with
the ID ``my-operation'':
$ {command} my-operation \
--workload-identity-pool="my-workload-identity-pool" \
--provider="my-provider" \
--location="global"
request:
collection: iam.projects.locations.workloadIdentityPools.providers.operations
ALPHA:
api_version: v1beta
BETA:
api_version: v1beta
arguments:
resource:
help_text: The workload identity pool provider long running operation to describe.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_provider_operation
is_positional: true


@@ -0,0 +1,39 @@
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [ALPHA, BETA, GA]
help_text:
brief: Undelete a workload identity pool provider.
description: Undelete a workload identity pool provider.
examples: |
The following command undeletes the workload identity pool provider with the ID
``my-workload-identity-pool-provider'':
$ {command} my-workload-identity-pool-provider \
--workload-identity-pool="my-workload-identity-pool" \
--location="global"
request:
collection: iam.projects.locations.workloadIdentityPools.providers
method: undelete
ALPHA:
api_version: v1beta
BETA:
api_version: v1beta
arguments:
resource:
help_text: The workload identity pool provider to undelete.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_provider
is_positional: true


@@ -0,0 +1,55 @@
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [ALPHA, BETA, GA]
command_type: UPDATE
help_text:
brief: Update an AWS workload identity pool provider.
description: Update an AWS workload identity pool provider.
examples: |
The following command updates an AWS workload identity pool provider with the ID
``my-workload-identity-pool-provider''. Explicit values for all required and optional
parameters are provided.
$ {command} --location="global" \
--workload-identity-pool="my-workload-identity-pool" \
--display-name="My workload pool provider" \
--description="My workload pool provider description" \
--disabled \
--attribute-mapping="google.subject=assertion.arn" \
--attribute-condition="true" \
--account-id=1234567890
request:
collection: iam.projects.locations.workloadIdentityPools.providers
ALPHA:
api_version: v1beta
BETA:
api_version: v1beta
arguments:
resource:
help_text: |-
The workload identity pool provider to update.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_provider
is_positional: true
params:
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.display_name
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.description
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.disabled
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.attribute_condition
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.attribute_mapping
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.aws_account_id
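Review bot: The example omits the positional provider ID: `$ {command} --location="global" \` passes no `my-workload-identity-pool-provider` argument even though the prose says the command updates the provider with that ID and the resource is declared `is_positional: true`. Change the first line to `$ {command} my-workload-identity-pool-provider \`, as the OIDC, SAML and X.509 update examples do.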


@@ -0,0 +1,60 @@
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [ALPHA, BETA, GA]
command_type: UPDATE
help_text:
brief: Update an OIDC workload identity pool provider.
description: Update an OIDC workload identity pool provider.
examples: |
The following command updates the OIDC workload identity pool provider with the ID
``my-workload-identity-pool-provider''. Explicit values for all required and optional
parameters are provided:
$ {command} my-workload-identity-pool-provider \
--location="global" \
--workload-identity-pool="my-workload-identity-pool" \
--display-name="My workload pool provider" \
--description="My workload pool provider description" \
--disabled \
--attribute-mapping="google.subject=assertion.sub" \
--attribute-condition="true" \
--issuer-uri="https://test-idp.com"
--allowed-audiences=https://test-audience-1.com,https://test-audience-2.com
--jwk-json-path="path/to/jwk.json"
request:
collection: iam.projects.locations.workloadIdentityPools.providers
ALPHA:
api_version: v1beta
BETA:
api_version: v1beta
arguments:
resource:
help_text: |-
The workload identity pool provider to update.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_provider
is_positional: true
params:
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.display_name
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.description
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.disabled
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.attribute_condition
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.attribute_mapping
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.oidc_issuer_uri
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.oidc_allowed_audiences
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.oidc_jwks_json_path
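Review bot: The example's last three flags are not joined to the command: `--issuer-uri="https://test-idp.com"` and the `--allowed-audiences=...` line have no trailing backslash, so `--allowed-audiences` and `--jwk-json-path` would be run by the shell as separate commands. Append ` \` to both lines. Because this is an UPDATE and none of the provider flags are `required` here, the truncated command would succeed with only the flags before the break — the issuer would be changed but the audience list and JWKS would not — which is worse than the create variant failing outright.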


@@ -0,0 +1,52 @@
# Copyright 2021 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
command_type: UPDATE
help_text:
brief: Update a SAML workload identity pool provider.
description: Update a SAML workload identity pool provider.
examples: |
The following command updates the SAML workload identity pool provider with the ID
``my-workload-identity-pool-provider''. Explicit values for all required and optional
parameters are provided:
$ {command} my-workload-identity-pool-provider \
--location="global" \
--workload-identity-pool="my-workload-identity-pool" \
--display-name="My workload pool provider" \
--description="My workload pool provider description" \
--disabled \
--attribute-mapping="google.subject=assertion.sub" \
--attribute-condition="true" \
--idp-metadata-path="path/to/metadata/file.xml"
request:
collection: iam.projects.locations.workloadIdentityPools.providers
arguments:
resource:
help_text: |-
The workload identity pool provider to update.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_provider
is_positional: true
params:
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.display_name
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.description
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.disabled
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.attribute_condition
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.attribute_mapping
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.saml_idp_metadata_path


@@ -0,0 +1,51 @@
# Copyright 2024 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
command_type: UPDATE
help_text:
brief: Update an X.509 workload identity pool provider.
description: Update an X.509 workload identity pool provider.
examples: |
The following command updates the X.509 workload identity pool provider with the ID
``my-workload-identity-pool-provider''. Explicit values for all required and optional
parameters are provided:
$ {command} my-workload-identity-pool-provider \
--location="global" \
--workload-identity-pool="my-workload-identity-pool" \
--display-name="My workload pool provider" \
--description="My workload pool provider description" \
--disabled \
--attribute-mapping="google.subject=assertion.sub" \
--attribute-condition="true" \
--trust-store-config-path="path/to/config/file.yaml"
request:
collection: iam.projects.locations.workloadIdentityPools.providers
arguments:
resource:
help_text: |-
The workload identity pool provider to update.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool_provider
is_positional: true
params:
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.display_name
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.description
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.disabled
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.attribute_condition
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.attribute_mapping
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool_provider.trust_store_config_path
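Review bot: The example's `--attribute-mapping="google.subject=assertion.sub"` is copied verbatim from the SAML update command, but for an X.509 provider the assertion is derived from certificate fields, so `assertion.sub` is probably not a resolvable claim here — confirm against the X.509 attribute reference and use a certificate-derived mapping such as `--attribute-mapping="google.subject=assertion.subject.dn.cn"`. The example also sets `--attribute-condition="true"`, which admits every certificate the configured trust store accepts; because examples get pasted as-is, showing a condition that actually constrains the subject would be a safer default for a credential-issuing resource.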


@@ -0,0 +1,120 @@
# -*- coding: utf-8 -*- #
# Copyright 2025 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Command to remove an attestation rule on a workload identity pool."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.api_lib.iam import util
from googlecloudsdk.api_lib.util import waiter
from googlecloudsdk.calliope import base
from googlecloudsdk.calliope.concepts import concepts
from googlecloudsdk.command_lib.iam import identity_pool_waiter
from googlecloudsdk.command_lib.util.apis import yaml_data
from googlecloudsdk.command_lib.util.concepts import concept_parsers
from googlecloudsdk.core import log
from googlecloudsdk.core import resources as sdkresources
@base.DefaultUniverseOnly
@base.ReleaseTracks(base.ReleaseTrack.GA)
@base.Hidden
class RemoveAttestationRule(base.Command):
"""Remove an attestation rule on a workload identity pool."""
detailed_help = {
'DESCRIPTION': '{description}',
'EXAMPLES': """\
The following command removes an attestation rule with a Google Cloud
resource on a workload identity pool `my-pool`.
$ {command} my-pool \
--location="global" \
--google-cloud-resource="//run.googleapis.com/projects/123/type/Service/*"
""",
}
@staticmethod
def Args(parser):
workload_pool_data = yaml_data.ResourceYAMLData.FromPath(
'iam.workload_identity_pool'
)
concept_parsers.ConceptParser.ForResource(
'workload_identity_pool',
concepts.ResourceSpec.FromYaml(
workload_pool_data.GetData(), is_positional=True
),
'The workload identity pool to remove the attestation rule on.',
required=True,
).AddToParser(parser)
parser.add_argument(
'--google-cloud-resource',
help="""A single workload operating on Google Cloud. This will be set
in the attestation rule to be added.""",
required=True,
)
base.ASYNC_FLAG.AddToParser(parser)
def Run(self, args):
client, messages = util.GetClientAndMessages()
workload_pool_ref = args.CONCEPTS.workload_identity_pool.Parse()
remove_attestation_rule_request = messages.RemoveAttestationRuleRequest(
attestationRule=messages.AttestationRule(
googleCloudResource=args.google_cloud_resource,
)
)
lro_ref = client.projects_locations_workloadIdentityPools.RemoveAttestationRule(
messages.IamProjectsLocationsWorkloadIdentityPoolsRemoveAttestationRuleRequest(
resource=workload_pool_ref.RelativeName(),
removeAttestationRuleRequest=remove_attestation_rule_request,
)
)
log.status.Print(
'Remove attestation rule request issued for: [{}]'.format(
workload_pool_ref.workloadIdentityPoolsId
)
)
if args.async_:
return lro_ref
result = waiter.WaitFor(
poller=identity_pool_waiter.IdentityPoolOperationPollerNoResources(
client.projects_locations_workloadIdentityPools,
client.projects_locations_workloadIdentityPools_operations,
),
operation_ref=sdkresources.REGISTRY.ParseRelativeName(
lro_ref.name,
collection=(
'iam.projects.locations.workloadIdentityPools.operations'
),
),
message='Waiting for operation [{}] to complete'.format(lro_ref.name),
# Wait for a maximum of 5 minutes, as the IAM replication has a lag of
# up to 80 seconds.
max_wait_ms=300000,
)
log.status.Print(
'Removed attestation rule for [{}].'.format(
workload_pool_ref.workloadIdentityPoolsId
)
)
return result
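Review bot: The help text for `--google-cloud-resource` says the value "will be set in the attestation rule to be added", but this command builds a RemoveAttestationRuleRequest in Run and removes a rule; the wording is carried over from the add command and will mislead anyone reading `--help`. Change it to `help="""A single workload operating on Google Cloud. This identifies the attestation rule to be removed."""`. The class docstring and the status messages already say "remove", so only the flag help is inconsistent.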


@@ -0,0 +1,53 @@
# -*- coding: utf-8 -*- #
# Copyright 2024 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
release_tracks: [GA]
help_text:
brief: Remove IAM policy binding from a workload identity pool.
description: |
Removes a policy binding from the IAM policy of a workload identity pool. A binding consists of at
least one member, a role, and an optional condition.
examples: |
To remove an IAM policy binding for the role of `roles/iam.workloadIdentityPoolViewer` for the user `test-user@gmail.com`
on a workload identity pool with identifier `my-workload-identity-pool`, run:
$ {command} my-workload-identity-pool --location="global" --member='user:test-user@gmail.com' --role='roles/iam.workloadIdentityPoolViewer'
To remove an IAM policy binding for the role of `roles/iam.workloadIdentityPoolViewer` from all
authenticated users on workload identity pool with identifier `my-workload-identity-pool`, run:
$ {command} my-workload-identity-pool --location="global" --member='allAuthenticatedUsers' --role='roles/iam.workloadIdentityPoolViewer'
To remove an IAM policy binding which expires at the end of the year 2024 for the role of
`roles/iam.workloadIdentityPoolViewer` and the user `test-user@gmail.com` on a workload identity pool with identifier `my-workload-identity-pool`, run:
$ {command} my-workload-identity-pool --location="global" --member='user:test-user@gmail.com' --role='roles/iam.workloadIdentityPoolViewer' --condition='expression=request.time < timestamp("2019-01-01T00:00:00Z"),title=expires_end_of_2024,description=Expires at midnight on 2024-12-31'
See https://cloud.google.com/iam/docs/managing-policies for details on
policy role and member types.
request:
collection: iam.projects.locations.workloadIdentityPools
arguments:
resource:
help_text: The workload identity pool to remove the IAM policy binding from.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool
iam:
enable_condition: true
policy_version: 3
get_iam_policy_version_path: getIamPolicyRequest.options.requestedPolicyVersion
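Review bot: The third example describes a binding that "expires at the end of the year 2024" and titles it `expires_end_of_2024`, but the quoted condition is `request.time < timestamp("2019-01-01T00:00:00Z")`, which is a different (long-expired) condition. Since removing a conditional binding presumably has to match the existing binding's condition, a mismatched example will silently fail to find the binding; change it to `--condition='expression=request.time < timestamp("2025-01-01T00:00:00Z"),title=expires_end_of_2024,description=Expires at midnight on 2024-12-31'`.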


@@ -0,0 +1,133 @@
# -*- coding: utf-8 -*- #
# Copyright 2025 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Command to set attestation rules on a workload identity pool."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from apitools.base.py import encoding
from googlecloudsdk.api_lib.iam import util
from googlecloudsdk.api_lib.util import waiter
from googlecloudsdk.calliope import base
from googlecloudsdk.calliope import exceptions as gcloud_exceptions
from googlecloudsdk.calliope.concepts import concepts
from googlecloudsdk.command_lib.iam import identity_pool_waiter
from googlecloudsdk.command_lib.util.apis import yaml_data
from googlecloudsdk.command_lib.util.concepts import concept_parsers
from googlecloudsdk.core import log
from googlecloudsdk.core import resources as sdkresources
from googlecloudsdk.core import yaml
import six
@base.DefaultUniverseOnly
@base.ReleaseTracks(base.ReleaseTrack.GA)
@base.Hidden
class SetAttestationRules(base.Command):
"""Set attestation rules on a workload identity pool."""
detailed_help = {
'DESCRIPTION': '{description}',
'EXAMPLES': """\
The following command sets attestation rules on a workload identity
pool `my-pool` using a policy file.
$ {command} my-pool \
--location="global" \
--policy-file="policy.json"
""",
}
@staticmethod
def Args(parser):
workload_pool_data = yaml_data.ResourceYAMLData.FromPath(
'iam.workload_identity_pool'
)
concept_parsers.ConceptParser.ForResource(
'workload_identity_pool',
concepts.ResourceSpec.FromYaml(
workload_pool_data.GetData(), is_positional=True
),
'The workload identity pool to set attestation rules on.',
required=True,
).AddToParser(parser)
parser.add_argument(
'--policy-file',
help="""\
Path to a local JSON-formatted or YAML-formatted file containing an
attestation policy, structured as a [list of attestation rules](https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools.namespaces.managedIdentities/setAttestationRules#request-body).
""",
required=True,
)
base.ASYNC_FLAG.AddToParser(parser)
def Run(self, args):
client, messages = util.GetClientAndMessages()
workload_pool_ref = args.CONCEPTS.workload_identity_pool.Parse()
policy_to_parse = yaml.load_path(args.policy_file)
try:
set_attestation_rules_request = encoding.PyValueToMessage(
messages.SetAttestationRulesRequest, policy_to_parse
)
except AttributeError as e:
# Raised when the input file is not properly formatted YAML policy file.
raise gcloud_exceptions.BadFileException(
'Policy file [{0}] is not a properly formatted YAML or JSON '
'policy file. {1}'.format(args.policy_file, six.text_type(e))
)
lro_ref = client.projects_locations_workloadIdentityPools.SetAttestationRules(
messages.IamProjectsLocationsWorkloadIdentityPoolsSetAttestationRulesRequest(
resource=workload_pool_ref.RelativeName(),
setAttestationRulesRequest=set_attestation_rules_request,
)
)
log.status.Print(
'Set attestation rules request issued for: [{}]'.format(
workload_pool_ref.workloadIdentityPoolsId
)
)
if args.async_:
return lro_ref
result = waiter.WaitFor(
poller=identity_pool_waiter.IdentityPoolOperationPollerNoResources(
client.projects_locations_workloadIdentityPools,
client.projects_locations_workloadIdentityPools_operations,
),
operation_ref=sdkresources.REGISTRY.ParseRelativeName(
lro_ref.name,
collection=(
'iam.projects.locations.workloadIdentityPools.operations'
),
),
message='Waiting for operation [{}] to complete'.format(lro_ref.name),
# Wait for a maximum of 5 minutes, as the IAM replication has a lag of
# up to 80 seconds.
max_wait_ms=300000,
)
log.status.Print(
'Set attestation rules for [{}].'.format(
workload_pool_ref.workloadIdentityPoolsId
)
)
return result
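Review bot: The `--policy-file` help says the file is "structured as a list of attestation rules", but Run decodes it with `encoding.PyValueToMessage(messages.SetAttestationRulesRequest, ...)`, i.e. a top-level mapping with an `attestationRules` key; a file that is a bare YAML/JSON list lands in the AttributeError handler and is reported as "not a properly formatted" policy file. Tighten the help to `containing a SetAttestationRulesRequest body, i.e. a mapping with an "attestationRules" list` and consider a two-line inline example. The reference link also points at the `namespaces.managedIdentities` setAttestationRules body while this command calls the pool-level `projects_locations_workloadIdentityPools.SetAttestationRules`; if the two bodies differ, link the pool method instead. Because this is a set operation it presumably replaces the whole rule set, so stating in the help that rules absent from the file are dropped would prevent accidental lockout — confirm against the API.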


@@ -0,0 +1,35 @@
# -*- coding: utf-8 -*- #
# Copyright 2024 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
release_tracks: [GA]
help_text:
brief: Set the IAM policy for a workload identity pool.
description: Replaces the existing IAM policy for a workload identity pool given a workload identity pool ID
and a file encoded in JSON or YAML that contains the IAM policy.
examples: |
The following command reads an IAM policy defined in a JSON file `policy.json` and sets it
for the workload identity pool with ID `my-workload-identity-pool`:
$ {command} my-workload-identity-pool policy.json --location="global"
request:
collection: iam.projects.locations.workloadIdentityPools
arguments:
resource:
help_text: The workload identity pool for which you want to set IAM policy for.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool
is_positional: true


@@ -0,0 +1,37 @@
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [ALPHA, BETA, GA]
help_text:
brief: Undelete a workload identity pool.
description: Undelete a workload identity pool.
examples: |
The following command undeletes the workload identity pool with the ID
``my-workload-identity-pool'':
$ {command} my-workload-identity-pool --location="global"
request:
collection: iam.projects.locations.workloadIdentityPools
method: undelete
ALPHA:
api_version: v1beta
BETA:
api_version: v1beta
arguments:
resource:
help_text: The workload identity pool to undelete.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool
is_positional: true


@@ -0,0 +1,94 @@
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- release_tracks: [GA]
help_text:
brief: Update a workload identity pool.
description: Update a workload identity pool.
examples: |
The following command updates the workload identity pool with the ID
``my-workload-identity-pool'':
$ {command} my-workload-identity-pool \
--location="global"
--display-name="My workload pool" \
--description="My workload pool description" \
--disabled
request:
collection: iam.projects.locations.workloadIdentityPools
method: patch
arguments:
resource:
help_text: The workload identity pool to update.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool
is_positional: true
params:
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool.display_name
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool.description
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool.disabled
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool.session_duration
hidden: true
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool.enable_mesh_ca_compatibility
hidden: true
- group:
mutex: true
params:
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool.inline_certificate_issuance_config_file
- group:
params:
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool.key_algorithm
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool.certificate_lifetime
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool.rotation_window_percentage
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool.use_default_shared_ca
hidden: true
- group:
mutex: true
params:
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool.inline_trust_config_file
# ALPHA and BETA release track should not be updated going forward. All preview features should be
# added to the GA release track and marked as hidden.
- release_tracks: [ALPHA, BETA]
help_text:
brief: Update a workload identity pool.
description: Update a workload identity pool.
examples: |
The following command updates the workload identity pool with the ID
``my-workload-identity-pool'':
$ {command} my-workload-identity-pool \
--location="global"
--display-name="My workload pool" \
--description="My workload pool description" \
--disabled
request:
collection: iam.projects.locations.workloadIdentityPools
method: patch
api_version: v1beta
arguments:
resource:
help_text: The workload identity pool to update.
spec: !REF googlecloudsdk.command_lib.iam.resources:workload_identity_pool
is_positional: true
params:
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool.display_name
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool.description
- _REF_: googlecloudsdk.command_lib.iam.flags:workload_identity_pool.disabled