Guía de inicio rápido: Usa los métodos de IAM desde la API de Resource Manager

En esta página, se muestra cómo comenzar a usar los métodos de IAM desde la API de Resource Manager en tu lenguaje de programación favorito.

Antes de comenzar

Crea un proyecto de Google Cloud

Para esta guía de inicio rápido, necesitas un proyecto nuevo de Google Cloud.

Accede a tu cuenta de Google Cloud. Si eres nuevo en Google Cloud, crea una cuenta para evaluar el rendimiento de nuestros productos en situaciones reales. Los clientes nuevos también obtienen $300 en créditos gratuitos para ejecutar, probar y, además, implementar cargas de trabajo.

En Google Cloud Console, en la página de selección de proyecto, haz clic en Crear proyecto para comenzar a crear un proyecto de Google Cloud nuevo.

Ir al selector de proyecto

Habilita la API Resource Manager.
Habilita la API

Crea una cuenta de servicio:
1. En Cloud Console, ve a la página Crear cuenta de servicio.
  Ir a Crear cuenta de servicio
2. Selecciona un proyecto
3. Ingresa un nombre en el campo Nombre de cuenta de servicio. Cloud Console completa el campo ID de cuenta de servicio con este nombre.
  
  En el campo Descripción de la cuenta de servicio, ingresa una descripción. Por ejemplo, Service account for quickstart.
4. Haga clic en Crear.
5. Haz clic en el campo Seleccionar una función.
  
  En Acceso rápido, haz clic en Básica y, luego, en Propietario.
  
  Nota: El campo Función afecta a qué recursos puede acceder tu cuenta de servicio en el proyecto. Puedes revocar estas funciones o asignar otras más adelante. En entornos de producción, no otorgues las funciones de propietario, editor o visualizador. Para obtener más información, consulta Otorga, cambia y revoca el acceso a los recursos.
6. Haga clic en Continuar.
7. Haz clic en Listo para terminar de crear la cuenta de servicio.
  
  No cierres la ventana del navegador. La usarás en la próxima tarea.
Para crear una clave de cuenta de servicio, haz lo siguiente:
1. En Cloud Console, haz clic en la dirección de correo electrónico de la cuenta de servicio que creaste.
2. Haz clic en Claves.
3. Haz clic en Agregar clave y, luego, en Crear clave nueva.
4. Haga clic en Crear. Se descargará un archivo de claves JSON a tu computadora.
5. Haga clic en Cerrar.

Configura la variable de entorno GOOGLE_APPLICATION_CREDENTIALS en la ruta del archivo JSON que contiene la clave de tu cuenta de servicio. Esta variable solo se aplica a la sesión actual de shell. Por lo tanto, si abres una sesión nueva, deberás volver a configurar la variable.
Ejemplo: Linux o macOS
```
export GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH"
```
Reemplaza KEY_PATH por la ruta de acceso del archivo JSON que contiene la clave de tu cuenta de servicio.

Por ejemplo:
```
export GOOGLE_APPLICATION_CREDENTIALS="/home/user/Downloads/service-account-file.json"
```
Ejemplo: Windows

Para PowerShell:
```
$env:GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH"
```
Reemplaza KEY_PATH por la ruta de acceso del archivo JSON que contiene la clave de tu cuenta de servicio.

Por ejemplo:
```
$env:GOOGLE_APPLICATION_CREDENTIALS="C:\Users\username\Downloads\service-account-file.json"
```
Para el símbolo del sistema:
```
set GOOGLE_APPLICATION_CREDENTIALS=KEY_PATH
```
Reemplaza KEY_PATH por la ruta de acceso del archivo JSON que contiene la clave de tu cuenta de servicio.

Instala la biblioteca cliente

C#

Para obtener más información sobre la configuración de tu entorno de desarrollo de C#, consulta la Guía de configuración del entorno de desarrollo de C#.

install-package Google.Apis.Iam.v1
install-package Google.Apis.CloudResourceManager.v1

Go

go get -u golang.org/x/oauth2/google
go get -u google.golang.org/api/cloudresourcemanager/v1

Java

Para obtener más información sobre la configuración de tu entorno de desarrollo de Java, consulta Guía de configuración del entorno de desarrollo de Java.

Si usas Maven, agrega lo siguiente a tu archivo pom.xml.

<dependency>
  <groupId>com.google.apis</groupId>
  <artifactId>google-api-services-cloudresourcemanager</artifactId>
  <version>v1-rev20210331-1.31.0</version><!-- v1 required here, v2 is different - DO NOT UPDATE to v2 -->
</dependency>
<dependency>
  <groupId>com.google.auth</groupId>
  <artifactId>google-auth-library-oauth2-http</artifactId>
  <version>0.25.5</version>
</dependency>
<dependency>
  <groupId>com.google.apis</groupId>
  <artifactId>google-api-services-iam</artifactId>
  <version>v1-rev20210422-1.31.0</version>
</dependency>

Python

Para obtener más información sobre la configuración de tu entorno de desarrollo de Python, consulta la Guía de configuración del entorno de desarrollo de Python.

pip install --upgrade google-api-python-client google-auth google-auth-httplib2

Lee, modifica y escribe una política de IAM

Con el fragmento de código de esta guía de inicio rápido, sucede lo siguiente:

Se inicializa el servicio de Resource Manager, que administra proyectos de Google Cloud.
Se lee la política de IAM de tu proyecto.
Se modifica la política de IAM mediante el otorgamiento de la función de escritor de registros (roles/logging.logWriter) a tu Cuenta de Google.
Se escribe la política de IAM actualizada.
Se imprimen todos los miembros de tu proyecto que tienen la función de escritor de registros (roles/logging.logWriter).
Se revoca la función de escritor de registros.

Se reemplazan los siguientes valores antes de ejecutar el fragmento de código:

your-project: Es el ID del proyecto
your-member: Es la dirección de correo electrónico de la Cuenta de Google, con el prefijo user:. Por ejemplo, user:tanya@example.com.

C#

Si deseas obtener más información, consulta Resource Manager C# API reference documentation (Documentación de referencia de la API de Resource Manager para C#).

Ver en GitHub Comentarios


using Google.Apis.Auth.OAuth2;
using Google.Apis.CloudResourceManager.v1;
using Google.Apis.CloudResourceManager.v1.Data;
using Google.Apis.Iam.v1;
using System;
using System.Collections.Generic;
using System.Linq;

public class QuickStart
{
    public static void Main(string[] args)
    {
        // TODO: Replace with your project ID
        var projectId = "your-project";
        // TODO: Replace with the ID of your member in the form "user:member@example.com"
        var member = "your-member";
        // Role to be granted
        var role = "roles/logging.logWriter";

        // Initialize service
        CloudResourceManagerService crmService = InitializeService();

        // Grant your member the "Log Writer" role for your project
        AddBinding(crmService, projectId, member, role);

        // Get the project's policy and print all members with the the "Log Writer" role
        var policy = GetPolicy(crmService, projectId);
        var binding = policy.Bindings.FirstOrDefault(x => x.Role == role);
        Console.WriteLine("Role: " + binding.Role);
        Console.Write("Members: ");
        foreach (var m in binding.Members)
        {
            Console.Write("[" + m + "] ");
        }
        Console.WriteLine();

        // Remove member from the "Log Writer" role
        RemoveMember(crmService, projectId, member, role);
    }

    public static CloudResourceManagerService InitializeService()
    {
        // Get credentials
        var credential = GoogleCredential.GetApplicationDefault()
            .CreateScoped(IamService.Scope.CloudPlatform);

        // Create the Cloud Resource Manager service object
        CloudResourceManagerService crmService = new CloudResourceManagerService(
            new CloudResourceManagerService.Initializer
            {
                HttpClientInitializer = credential
            });

        return crmService;
    }

    public static Policy GetPolicy(CloudResourceManagerService crmService, String projectId)
    {
        // Get the project's policy by calling the
        // Cloud Resource Manager Projects API
        var policy = crmService.Projects.GetIamPolicy(
            new GetIamPolicyRequest(),
            projectId).Execute();
        return policy;
    }

    public static void SetPolicy(CloudResourceManagerService crmService, String projectId, Policy policy)
    {
        // Set the project's policy by calling the
        // Cloud Resource Manager Projects API
        crmService.Projects.SetIamPolicy(
           new SetIamPolicyRequest
           {
               Policy = policy
           }, projectId).Execute();
    }

    public static void AddBinding(
        CloudResourceManagerService crmService,
        string projectId,
        string member,
        string role)
    {
        // Get the project's policy
        var policy = GetPolicy(crmService, projectId);

        // Find binding in policy
        var binding = policy.Bindings.FirstOrDefault(x => x.Role == role);

        // If binding already exists, add member to binding
        if (binding != null)
        {
            binding.Members.Add(member);
        }
        // If binding does not exist, add binding to policy
        else
        {
            binding = new Binding
            {
                Role = role,
                Members = new List<string> { member }
            };
            policy.Bindings.Add(binding);
        }

        // Set the updated policy
        SetPolicy(crmService, projectId, policy);
    }

    public static void RemoveMember(
        CloudResourceManagerService crmService,
        string projectId,
        string member,
        string role)
    {
        // Get the project's policy
        var policy = GetPolicy(crmService, projectId);

        // Remove the member from the role
        var binding = policy.Bindings.FirstOrDefault(x => x.Role == role);
        if (binding == null)
        {
            Console.WriteLine("Role does not exist in policy.");
        }
        else
        {
            if (binding.Members.Contains(member))
            {
                binding.Members.Remove(member);
            }
            else
            {
                Console.WriteLine("The member has not been granted this role.");
            }

            if (binding.Members.Count == 0)
            {
                policy.Bindings.Remove(binding);
            }
        }

        // Set the updated policy
        SetPolicy(crmService, projectId, policy);
    }
}

Go

Si deseas obtener más información, consulta Resource Manager Go API reference documentation (Documentación de referencia de la API de Resource Manager para Go).

Ver en GitHub Comentarios


package main

import (
	"context"
	"flag"
	"fmt"
	"log"
	"strings"
	"time"

	"google.golang.org/api/cloudresourcemanager/v1"
)

func main() {
	// TODO: Add your project ID
	projectID := flag.String("project_id", "", "Cloud Project ID")
	// TODO: Add the ID of your member in the form "user:member@example.com"
	member := flag.String("member_id", "", "Your member ID")
	flag.Parse()

	// The role to be granted
	var role string = "roles/logging.logWriter"

	// Initializes the Cloud Resource Manager service
	ctx := context.Background()
	crmService, err := cloudresourcemanager.NewService(ctx)
	if err != nil {
		log.Fatalf("cloudresourcemanager.NewService: %v", err)
	}

	// Grants your member the "Log writer" role for your project
	addBinding(crmService, *projectID, *member, role)

	// Gets the project's policy and prints all members with the "Log Writer" role
	policy := getPolicy(crmService, *projectID)
	// Find the policy binding for role. Only one binding can have the role.
	var binding *cloudresourcemanager.Binding
	for _, b := range policy.Bindings {
		if b.Role == role {
			binding = b
			break
		}
	}
	fmt.Println("Role: ", binding.Role)
	fmt.Print("Members: ", strings.Join(binding.Members, ", "))

	// Removes member from the "Log writer" role
	removeMember(crmService, *projectID, *member, role)

}

// addBinding adds the member to the project's IAM policy
func addBinding(crmService *cloudresourcemanager.Service, projectID, member, role string) {

	policy := getPolicy(crmService, projectID)

	// Find the policy binding for role. Only one binding can have the role.
	var binding *cloudresourcemanager.Binding
	for _, b := range policy.Bindings {
		if b.Role == role {
			binding = b
			break
		}
	}

	if binding != nil {
		// If the binding exists, adds the member to the binding
		binding.Members = append(binding.Members, member)
	} else {
		// If the binding does not exist, adds a new binding to the policy
		binding = &cloudresourcemanager.Binding{
			Role:    role,
			Members: []string{member},
		}
		policy.Bindings = append(policy.Bindings, binding)
	}

	setPolicy(crmService, projectID, policy)

}

// removeMember removes the member from the project's IAM policy
func removeMember(crmService *cloudresourcemanager.Service, projectID, member, role string) {

	policy := getPolicy(crmService, projectID)

	// Find the policy binding for role. Only one binding can have the role.
	var binding *cloudresourcemanager.Binding
	var bindingIndex int
	for i, b := range policy.Bindings {
		if b.Role == role {
			binding = b
			bindingIndex = i
			break
		}
	}

	// Order doesn't matter for bindings or members, so to remove, move the last item
	// into the removed spot and shrink the slice.
	if len(binding.Members) == 1 {
		// If the member is the only member in the binding, removes the binding
		last := len(policy.Bindings) - 1
		policy.Bindings[bindingIndex] = policy.Bindings[last]
		policy.Bindings = policy.Bindings[:last]
	} else {
		// If there is more than one member in the binding, removes the member
		var memberIndex int
		for i, mm := range binding.Members {
			if mm == member {
				memberIndex = i
			}
		}
		last := len(policy.Bindings[bindingIndex].Members) - 1
		binding.Members[memberIndex] = binding.Members[last]
		binding.Members = binding.Members[:last]
	}

	setPolicy(crmService, projectID, policy)

}

// getPolicy gets the project's IAM policy
func getPolicy(crmService *cloudresourcemanager.Service, projectID string) *cloudresourcemanager.Policy {

	ctx := context.Background()

	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
	defer cancel()
	request := new(cloudresourcemanager.GetIamPolicyRequest)
	policy, err := crmService.Projects.GetIamPolicy(projectID, request).Do()
	if err != nil {
		log.Fatalf("Projects.GetIamPolicy: %v", err)
	}

	return policy
}

// setPolicy sets the project's IAM policy
func setPolicy(crmService *cloudresourcemanager.Service, projectID string, policy *cloudresourcemanager.Policy) {

	ctx := context.Background()

	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
	defer cancel()
	request := new(cloudresourcemanager.SetIamPolicyRequest)
	request.Policy = policy
	policy, err := crmService.Projects.SetIamPolicy(projectID, request).Do()
	if err != nil {
		log.Fatalf("Projects.SetIamPolicy: %v", err)
	}
}

Java

Si deseas obtener más información, consulta Resource Manager Java API reference documentation (Documentación de referencia de la API de Resource Manager para Java).

Ver en GitHub Comentarios

import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.cloudresourcemanager.CloudResourceManager;
import com.google.api.services.cloudresourcemanager.model.Binding;
import com.google.api.services.cloudresourcemanager.model.GetIamPolicyRequest;
import com.google.api.services.cloudresourcemanager.model.Policy;
import com.google.api.services.cloudresourcemanager.model.SetIamPolicyRequest;
import com.google.api.services.iam.v1.IamScopes;
import com.google.auth.http.HttpCredentialsAdapter;
import com.google.auth.oauth2.GoogleCredentials;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Collections;
import java.util.List;

public class Quickstart {

  public static void main(String[] args) {
    // TODO: Replace with your project ID.
    String projectId = "your-project";
    // TODO: Replace with the ID of your member in the form "user:member@example.com"
    String member = "your-member";
    // The role to be granted.
    String role = "roles/logging.logWriter";

    // Initializes the Cloud Resource Manager service.
    CloudResourceManager crmService = null;
    try {
      crmService = initializeService();
    } catch (IOException | GeneralSecurityException e) {
      System.out.println("Unable to initialize service: \n" + e.getMessage() + e.getStackTrace());
    }

    // Grants your member the "Log writer" role for your project.
    addBinding(crmService, projectId, member, role);

    // Get the project's policy and print all members with the "Log Writer" role
    Policy policy = getPolicy(crmService, projectId);
    Binding binding = null;
    List<Binding> bindings = policy.getBindings();
    for (Binding b : bindings) {
      if (b.getRole().equals(role)) {
        binding = b;
        break;
      }
    }
    System.out.println("Role: " + binding.getRole());
    System.out.print("Members: ");
    for (String m : binding.getMembers()) {
      System.out.print("[" + m + "] ");
    }
    System.out.println();

    // Removes member from the "Log writer" role.
    removeMember(crmService, projectId, member, role);
  }

  public static CloudResourceManager initializeService()
      throws IOException, GeneralSecurityException {
    // Use the Application Default Credentials strategy for authentication. For more info, see:
    // https://cloud.google.com/docs/authentication/production#finding_credentials_automatically
    GoogleCredentials credential =
        GoogleCredentials.getApplicationDefault()
            .createScoped(Collections.singleton(IamScopes.CLOUD_PLATFORM));

    // Creates the Cloud Resource Manager service object.
    CloudResourceManager service =
        new CloudResourceManager.Builder(
                GoogleNetHttpTransport.newTrustedTransport(),
                JacksonFactory.getDefaultInstance(),
                new HttpCredentialsAdapter(credential))
            .setApplicationName("iam-quickstart")
            .build();
    return service;
  }

  public static void addBinding(
      CloudResourceManager crmService, String projectId, String member, String role) {

    // Gets the project's policy.
    Policy policy = getPolicy(crmService, projectId);

    // Finds binding in policy, if it exists
    Binding binding = null;
    for (Binding b : policy.getBindings()) {
      if (b.getRole().equals(role)) {
        binding = b;
        break;
      }
    }

    if (binding != null) {
      // If binding already exists, adds member to binding.
      binding.getMembers().add(member);
    } else {
      // If binding does not exist, adds binding to policy.
      binding = new Binding();
      binding.setRole(role);
      binding.setMembers(Collections.singletonList(member));
      policy.getBindings().add(binding);
    }

    // Sets the updated policy
    setPolicy(crmService, projectId, policy);
  }

  public static void removeMember(
      CloudResourceManager crmService, String projectId, String member, String role) {
    // Gets the project's policy.
    Policy policy = getPolicy(crmService, projectId);

    // Removes the member from the role.
    Binding binding = null;
    for (Binding b : policy.getBindings()) {
      if (b.getRole().equals(role)) {
        binding = b;
        break;
      }
    }
    if (binding.getMembers().contains(member)) {
      binding.getMembers().remove(member);
      if (binding.getMembers().isEmpty()) {
        policy.getBindings().remove(binding);
      }
    }

    // Sets the updated policy.
    setPolicy(crmService, projectId, policy);
  }

  public static Policy getPolicy(CloudResourceManager crmService, String projectId) {
    // Gets the project's policy by calling the
    // Cloud Resource Manager Projects API.
    Policy policy = null;
    try {
      GetIamPolicyRequest request = new GetIamPolicyRequest();
      policy = crmService.projects().getIamPolicy(projectId, request).execute();
    } catch (IOException e) {
      System.out.println("Unable to get policy: \n" + e.getMessage() + e.getStackTrace());
    }
    return policy;
  }

  private static void setPolicy(CloudResourceManager crmService, String projectId, Policy policy) {
    // Sets the project's policy by calling the
    // Cloud Resource Manager Projects API.
    try {
      SetIamPolicyRequest request = new SetIamPolicyRequest();
      request.setPolicy(policy);
      crmService.projects().setIamPolicy(projectId, request).execute();
    } catch (IOException e) {
      System.out.println("Unable to set policy: \n" + e.getMessage() + e.getStackTrace());
    }
  }
}

Python

Si deseas obtener más información, consulta Resource Manager Python API reference documentation (Documentación de referencia de la API de Resource Manager para Python).

Ver en GitHub Comentarios

import os

from google.oauth2 import service_account
import googleapiclient.discovery

def quickstart(project_id, member):
    """Gets a policy, adds a member, prints their permissions, and removes the member."""

    # Role to be granted.
    role = "roles/logging.logWriter"

    # Initializes service.
    crm_service = initialize_service()

    # Grants your member the 'Log Writer' role for the project.
    modify_policy_add_role(crm_service, project_id, role, member)

    # Gets the project's policy and prints all members with the 'Log Writer' role.
    policy = get_policy(crm_service, project_id)
    binding = next(b for b in policy["bindings"] if b["role"] == role)
    print(f'Role: {(binding["role"])}')
    print("Members: ")
    for m in binding["members"]:
        print(f'[{m}]')

    # Removes the member from the 'Log Writer' role.
    modify_policy_remove_member(crm_service, project_id, role, member)

def initialize_service():
    """Initializes a Cloud Resource Manager service."""

    credentials = service_account.Credentials.from_service_account_file(
        filename=os.environ["GOOGLE_APPLICATION_CREDENTIALS"],
        scopes=["https://www.googleapis.com/auth/cloud-platform"],
    )
    crm_service = googleapiclient.discovery.build(
        "cloudresourcemanager", "v1", credentials=credentials
    )
    return crm_service

def modify_policy_add_role(crm_service, project_id, role, member):
    """Adds a new role binding to a policy."""

    policy = get_policy(crm_service, project_id)

    binding = None
    for b in policy["bindings"]:
        if b["role"] == role:
            binding = b
            break
    if binding is not None:
        binding["members"].append(member)
    else:
        binding = {"role": role, "members": [member]}
        policy["bindings"].append(binding)

    set_policy(crm_service, project_id, policy)

def modify_policy_remove_member(crm_service, project_id, role, member):
    """Removes a  member from a role binding."""

    policy = get_policy(crm_service, project_id)

    binding = next(b for b in policy["bindings"] if b["role"] == role)
    if "members" in binding and member in binding["members"]:
        binding["members"].remove(member)

    set_policy(crm_service, project_id, policy)

def get_policy(crm_service, project_id, version=3):
    """Gets IAM policy for a project."""

    policy = (
        crm_service.projects()
        .getIamPolicy(
            resource=project_id,
            body={"options": {"requestedPolicyVersion": version}},
        )
        .execute()
    )
    return policy

def set_policy(crm_service, project_id, policy):
    """Sets IAM policy for a project."""

    policy = (
        crm_service.projects()
        .setIamPolicy(resource=project_id, body={"policy": policy})
        .execute()
    )
    return policy

if __name__ == '__main__':

    # TODO: replace with your project ID
    project_id = "your-project-id"
    # TODO: Replace with the ID of your member in the form 'user:member@example.com'.
    member = "your-member"
    quickstart(project_id, member)

Felicitaciones. Usaste los métodos de IAM en la API de Resource Manager para modificar el acceso de un proyecto.

¿Cómo te fue?

Limpia

Usa Cloud Console para borrar tu proyecto si no lo necesitas.

¿Qué sigue?

Obtén más información sobre cómo funciona IAM.
Obtén más información sobre cómo otorgar, cambiar y revocar el acceso a los recursos.
Soluciona los problemas de acceso con el Solucionador de problemas de políticas.