我编写此类是为了在我的 Google Cloud 项目中添加/更新角色和成员。
class PolicyManager:
"""Policy manager to manage roles in Google Cloud"""
def __init__(self, project_id: str):
self.project_id = project_id
credentials, _ = google.auth.default(
scopes=["https://www.googleapis.com/auth/cloud-platform"]
)
self.crm_service = googleapiclient.discovery.build(
"cloudresourcemanager", "v1", credentials=credentials
)
def get_policy(self, version: int = 1) -> dict:
"""Gets IAM policy for a project."""
policy = (
self.crm_service.projects()
.getIamPolicy(
resource=self.project_id,
body={"options": {"requestedPolicyVersion": version}},
)
.execute()
)
return policy
def set_policy(self, policy: dict) -> dict:
"""Sets IAM policy for a project."""
policy = (
self.crm_service.projects()
.setIamPolicy(resource=self.project_id, body={"policy": policy})
.execute()
)
return policy
def modify_policy_add_role(self, role: str, member: str) -> dict:
"""Adds a new role binding to a policy."""
policy = self.get_policy()
binding = None
for b in policy["bindings"]:
if b["role"] == role:
binding = b
break
if binding is not None:
binding["members"].append(member)
else:
policy["version"] = 1
binding = {
"role": role,
"members": [member],
}
policy["bindings"].append(binding)
return self.set_policy(policy)
这是我正在关注的文档之一。
但是通过尝试这个:
policy_manager = PolicyManager(get_project_id())
policy_manager.modify_policy_add_role(
role="roles/bigquery.jobUser", member=service_account_name
)
我在
self.crm_service.projects()
方法中的 set_policy
上收到此错误:
googleapiclient.errors.HttpError:
https://cloudresourcemanager.googleapis.com/v1/projects/dayrize-test:setIamPolicy?alt=json 返回“策略成员必须采用“:”形式。”。 详细信息:“[{'@type': 'type.googleapis.com/google.rpc.BadRequest', 'fieldViolations': [{'field': 'policy.bindings.member', '描述': “策略成员必须以‘:’形式作为前缀,其中 是“域”、“组”、“serviceAccount”或“用户”。"}]}, {'@type': 'type.googleapis.com/google.rpc.ErrorInfo', '原因': 'PROJECT_SET_IAM_DISALLOWED_MEMBER_TYPE','域': 'cloudresourcemanager.googleapis.com'},{'@type': 'type.googleapis.com/google.rpc.ResourceInfo','资源名称': '项目/我的项目'}]">
通过调试我可以看到,在运行
get_policy
时,members
属性是角色绑定的成员列表。那么,如果我首先通过 Google 本身获得一个简单的列表,为什么我会收到此错误?