1# -*- coding: utf-8 -*- # 2# Copyright 2019 Google LLC. All Rights Reserved. 3# 4# Licensed under the Apache License, Version 2.0 (the "License"); 5# you may not use this file except in compliance with the License. 6# You may obtain a copy of the License at 7# 8# http://www.apache.org/licenses/LICENSE-2.0 9# 10# Unless required by applicable law or agreed to in writing, software 11# distributed under the License is distributed on an "AS IS" BASIS, 12# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13# See the License for the specific language governing permissions and 14# limitations under the License. 15"""Command to export IAM policy analysis in the specified root asset.""" 16 17from __future__ import absolute_import 18from __future__ import division 19from __future__ import unicode_literals 20 21from googlecloudsdk.api_lib.asset import client_util 22from googlecloudsdk.calliope import arg_parsers 23from googlecloudsdk.calliope import base 24from googlecloudsdk.command_lib.asset import flags 25from googlecloudsdk.command_lib.asset import utils as asset_utils 26from googlecloudsdk.core import log 27 28OPERATION_DESCRIBE_COMMAND = 'gcloud asset operations describe' 29 30 31def AddDestinationArgs(parser): 32 destination_group = parser.add_group( 33 mutex=True, 34 required=True, 35 help='The destination path for exporting IAM policy analysis.') 36 AddOutputPathArgs(destination_group) 37 38 39def AddOutputPathArgs(parser): 40 parser.add_argument( 41 '--output-path', 42 metavar='OUTPUT_PATH', 43 required=True, 44 type=arg_parsers.RegexpValidator( 45 r'^gs://.*', 46 '--output-path must be a Google Cloud Storage URI starting with ' 47 '"gs://". For example, "gs://bucket_name/object_name"'), 48 help='Google Cloud Storage URI where the results will go. ' 49 'URI must start with "gs://". For example, "gs://bucket_name/object_name"' 50 ) 51 52 53@base.ReleaseTracks(base.ReleaseTrack.BETA) 54class ExportIamPolicyAnalysisBeta(base.Command): 55 """Export IAM policy analysis that match a request to Google Cloud Storage.""" 56 57 detailed_help = { 58 'DESCRIPTION': 59 """\ 60 Export IAM policy analysis that matches a request to Google Cloud Storage. 61 """, 62 'EXAMPLES': 63 """\ 64 To find out which users have been granted the 65 iam.serviceAccounts.actAs permission on a service account, run: 66 67 $ {command} --organization=YOUR_ORG_ID --full-resource-name=YOUR_SERVICE_ACCOUNT_FULL_RESOURCE_NAME --permissions='iam.serviceAccounts.actAs' --output-path='gs://YOUR_BUCKET_NAME/YOUR_OBJECT_NAME' 68 69 To find out which resources a user can access, run: 70 71 $ {command} --organization=YOUR_ORG_ID --identity='user:u1@foo.com' --output-path='gs://YOUR_BUCKET_NAME/YOUR_OBJECT_NAME' 72 73 To find out which roles or permissions a user has been granted on a 74 project, run: 75 76 $ {command} --organization=YOUR_ORG_ID --full-resource-name=YOUR_PROJECT_FULL_RESOURCE_NAME --identity='user:u1@foo.com' --output-path='gs://YOUR_BUCKET_NAME/YOUR_OBJECT_NAME' 77 78 To find out which users have been granted the 79 iam.serviceAccounts.actAs permission on any applicable resources, run: 80 81 $ {command} --organization=YOUR_ORG_ID --permissions='iam.serviceAccounts.actAs' --output-path='gs://YOUR_BUCKET_NAME/YOUR_OBJECT_NAME' 82 83 """ 84 } 85 86 @staticmethod 87 def Args(parser): 88 flags.AddAnalyzerParentArgs(parser) 89 flags.AddAnalyzerSelectorsGroup(parser) 90 flags.AddAnalyzerOptionsGroup(parser, False) 91 AddDestinationArgs(parser) 92 93 def Run(self, args): 94 parent = asset_utils.GetParentNameForAnalyzeIamPolicy( 95 args.organization, args.project, args.folder) 96 client = client_util.IamPolicyAnalysisLongrunningClient( 97 client_util.V1P4BETA1_API_VERSION) 98 operation = client.Analyze(parent, args, client_util.V1P4BETA1_API_VERSION) 99 100 log.ExportResource(parent, is_async=True, kind='root asset') 101 log.status.Print('Use [{} {}] to check the status of the operation.'.format( 102 OPERATION_DESCRIBE_COMMAND, operation.name)) 103