
I want to give the IAM permissions below to a user.

Permission:

BigQuery Job User
Browser

I know how I can set them through the Windows UI, but I want to set these IAM permissions through a Python script. Is that possible?

1 Answer


Yes, it is possible to do so by using the Client Libraries.

You can check some examples in the following documentation.

I made a quick script that does what you are requesting:

from google.oauth2 import service_account
import googleapiclient.discovery


# Authenticate with a service account key file. The account needs permission
# to read and set the project's IAM policy (e.g. project Owner).
credentials = service_account.Credentials.from_service_account_file(
    filename='PATH/TO/KEY.json',
    scopes=['https://www.googleapis.com/auth/cloud-platform'])
service = googleapiclient.discovery.build(
    'cloudresourcemanager', 'v1', credentials=credentials)


def modify_policy_add_member(policy, role, member):
    """Appends the member to the existing binding for the role."""
    binding = next(b for b in policy['bindings'] if b['role'] == role)
    if member not in binding['members']:  # do not add a duplicate entry
        binding['members'].append(member)
    print(binding)
    return policy


def create_role_add_member(policy, role, member):
    """Adds a new binding for the role with the member as its only entry."""
    binding = {
        'role': role,
        'members': [member]
    }
    print(binding)
    # A project with no bindings yet may return a policy without this key.
    policy.setdefault('bindings', []).append(binding)
    return policy


if __name__ == "__main__":
    project_id = "YOUR_PROJECT_ID"
    # Read the current policy. It carries an etag, so setIamPolicy rejects the
    # write if someone else changed the policy in the meantime.
    policy = service.projects().getIamPolicy(
        resource=project_id,
        body={},
    ).execute()
    role = "roles/bigquery.dataViewer"  # example role to grant the user
    member = "user:MEMBER_TO_ADD"
    roles = [b['role'] for b in policy.get('bindings', [])]
    if role in roles:
        new_policy = modify_policy_add_member(policy, role, member)
    else:
        new_policy = create_role_add_member(policy, role, member)
    print(new_policy)
    policy = service.projects().setIamPolicy(
        resource=project_id,
        body={
            'policy': new_policy,
        }).execute()

Breaking it down by parts, the script does the following:

1- Authenticate to the API by using a Service Account key file, with https://www.googleapis.com/auth/cloud-platform scopes. I used a service account key file with project/owner permissions, in this example.

from google.oauth2 import service_account
import googleapiclient.discovery

credentials = service_account.Credentials.from_service_account_file(
    filename='PATH/TO/KEY.json',
    scopes=['https://www.googleapis.com/auth/cloud-platform'])
service = googleapiclient.discovery.build(
    'cloudresourcemanager', 'v1', credentials=credentials)

2- Get the current policy of the project:

policy = service.projects().getIamPolicy(
    resource=project_id,
    body={},
).execute()

3- Set the role to grant, which in BigQuery you can see in this list. As well, set the member to add, in the format user:<USER_ADDRESS>, you need to keep the string user: before the account to add, unless you are adding a service account, then you must change user: to serviceaccount:.

4- Check if the role already exists, if it does, just append the member to the existing role:

def modify_policy_add_member(policy, role, member):
    """Appends the member to the existing binding for the role."""
    binding = next(b for b in policy['bindings'] if b['role'] == role)
    if member not in binding['members']:  # do not add a duplicate entry
        binding['members'].append(member)
    print(binding)
    return policy

Otherwise, create the role and append it to the policy bindings:

def create_role_add_member(policy, role, member):
    """Adds a new binding for the role with the member as its only entry."""
    binding = {
        'role': role,
        'members': [member]
    }
    print(binding)
    # A project with no bindings yet may return a policy without this key.
    policy.setdefault('bindings', []).append(binding)
    return policy

5- Update the policy in your project, by sending the updated policy:

policy = service.projects().setIamPolicy(
    resource=project_id,
    body={
        'policy': new_policy,
    }).execute()

Note that to use these APIs in Python, you will need to install the following modules:

google-api-python-client==1.7.4
google-auth==1.5.1
google-auth-httplib2==0.0.3
Joan Grau Noël
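The read-modify-write in the answer is easy to get subtly wrong: a fresh project can return a policy with no `bindings` key, running the script twice adds the same member twice, and a typo in the member prefix (Cloud IAM spells it `serviceAccount:`, camel case) only fails once you call the API. The helpers below, an added example that is not part of the answer above, operate purely on the policy dict returned by `getIamPolicy` and produce the dict to hand to `setIamPolicy`, so they can be unit-tested offline. They grant the two roles the question asks for (`roles/bigquery.jobUser`, `roles/browser`) and print the exact (role, member) pairs that would be added, which is the cheap review step before applying a policy change. The sample policy, member addresses and etag are constructed, and the policy is assumed to have no IAM conditions.

```python
"""Offline helpers for an idempotent, reviewable IAM policy edit (added example)."""
import copy
import re

# Member prefixes accepted by Cloud IAM (note the camel case in serviceAccount:).
MEMBER_RE = re.compile(r"^(user|serviceAccount|group|domain):[^\s:]+$")

# The two roles from the question: "BigQuery Job User" and "Browser".
ROLES_TO_GRANT = ["roles/bigquery.jobUser", "roles/browser"]

# Constructed sample of what getIamPolicy returns; the etag is made up.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXconstructed==",
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/bigquery.jobUser", "members": ["user:alice@example.com"]},
    ],
}


def add_member(policy, role, member):
    """Return a copy of `policy` with `member` bound to `role`.

    Idempotent: an existing binding is reused, a member already present is not
    duplicated, and the caller's dict (including its etag) is never mutated.
    Bindings that carry an IAM condition are left untouched.
    """
    if not MEMBER_RE.match(member):
        raise ValueError(f"malformed IAM member: {member!r}")
    if not role.startswith("roles/"):
        raise ValueError(f"unexpected role id: {role!r}")

    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])  # new projects may have none
    for binding in bindings:
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new_policy
    bindings.append({"role": role, "members": [member]})
    return new_policy


def grant_roles(policy, roles, member):
    """Apply add_member for each role, returning the final policy copy."""
    new_policy = policy
    for role in roles:
        new_policy = add_member(new_policy, role, member)
    return new_policy


def policy_diff(old, new):
    """Sorted (role, member) pairs present in `new` but missing from `old`."""
    def pairs(p):
        return {(b["role"], m) for b in p.get("bindings", []) for m in b["members"]}
    return sorted(pairs(new) - pairs(old))


if __name__ == "__main__":
    proposed = grant_roles(SAMPLE_POLICY, ROLES_TO_GRANT, "user:bob@example.com")
    for role, member in policy_diff(SAMPLE_POLICY, proposed):
        print(f"would grant {role} to {member}")
    # In the real script: service.projects().setIamPolicy(
    #     resource=project_id, body={"policy": proposed}).execute()
```

Because `add_member` deep-copies the policy, the `etag` read from `getIamPolicy` is carried over unchanged into the proposed policy, which is what lets `setIamPolicy` refuse the write if the policy was modified by someone else between the read and the write.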