演示 IAM 的基本用法。
深入探索
如需查看包含此代码示例的详细文档,请参阅以下内容:
代码示例
C++
如需了解如何安装和使用 IAM 客户端库,请参阅 IAM 客户端库。 如需了解详情,请参阅 IAM C++ API 参考文档。
如需向 IAM 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
#include "google/cloud/iam/admin/v1/iam_client.h"
#include "google/cloud/project.h"
#include <iostream>
int main(int argc, char* argv[]) try {
  // Exactly one positional argument is expected: the project id.
  if (argc != 2) {
    std::cerr << "Usage: " << argv[0] << " <project-id>\n";
    return 1;
  }

  // Create a namespace alias to make the code easier to read.
  namespace iam = ::google::cloud::iam_admin_v1;

  // MakeIAMConnection() takes no explicit credentials here; the surrounding
  // documentation says the sample authenticates with Application Default
  // Credentials.
  iam::IAMClient client(iam::MakeIAMConnection());
  auto const project = google::cloud::Project(argv[1]);

  std::cout << "Service Accounts for project: " << project.project_id() << "\n";

  // Each element of the listing is a StatusOr<ServiceAccount>; an element that
  // holds an error is rethrown as its Status and reported by the catch below.
  bool found_any = false;
  for (auto sa : client.ListServiceAccounts(project.FullName())) {
    if (!sa) throw std::move(sa).status();
    found_any = true;
    std::cout << sa->name() << "\n";
  }
  if (!found_any) std::cout << "No Service Accounts found.\n";
  return 0;
} catch (google::cloud::Status const& status) {
  std::cerr << "google::cloud::Status thrown: " << status << "\n";
  return 1;
}
C#
如需了解如何安装和使用 IAM 客户端库,请参阅 IAM 客户端库。 如需了解详情,请参阅 IAM C# API 参考文档。
如需向 IAM 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
using Google.Apis.Auth.OAuth2;
using Google.Apis.CloudResourceManager.v1;
using Google.Apis.CloudResourceManager.v1.Data;
using Google.Apis.Iam.v1;
using System;
using System.Collections.Generic;
using System.Linq;
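public class QuickStart
{
    public static void Main(string[] args)
    {
        // TODO: Replace with your project ID
        var projectId = "your-project";
        // TODO: Replace with the ID of your member in the form "user:member@example.com"
        var member = "your-member";
        // Role to be granted
        var role = "roles/logging.logWriter";

        // Initialize service
        CloudResourceManagerService crmService = InitializeService();

        // Grant your member the "Log Writer" role for your project
        AddBinding(crmService, projectId, member, role);

        // Get the project's policy and print all members with the "Log Writer" role
        var policy = GetPolicy(crmService, projectId);
        var binding = FindBinding(policy, role);
        if (binding == null)
        {
            // AddBinding has just written this role, so reaching this branch means the
            // policy was modified concurrently between the two calls.
            Console.WriteLine("Role " + role + " is not present in the policy.");
        }
        else
        {
            Console.WriteLine("Role: " + binding.Role);
            Console.Write("Members: ");
            foreach (var m in binding.Members ?? new List<string>())
            {
                Console.Write("[" + m + "] ");
            }
            Console.WriteLine();
        }

        // Remove member from the "Log Writer" role
        RemoveMember(crmService, projectId, member, role);
    }

    // Creates the Cloud Resource Manager client. GetApplicationDefault() resolves
    // Application Default Credentials; the credential is scoped to the Cloud
    // Platform scope exposed by the IAM service.
    public static CloudResourceManagerService InitializeService()
    {
        // Get credentials
        var credential = GoogleCredential.GetApplicationDefault()
            .CreateScoped(IamService.Scope.CloudPlatform);

        // Create the Cloud Resource Manager service object
        CloudResourceManagerService crmService = new CloudResourceManagerService(
            new CloudResourceManagerService.Initializer
            {
                HttpClientInitializer = credential
            });
        return crmService;
    }

    // Reads the project's current IAM policy via the Cloud Resource Manager
    // Projects API.
    // NOTE(review): the request sets no policy version. If the project's policy
    // contains conditional role bindings, the read/modify/write cycle used by
    // AddBinding and RemoveMember may not round-trip them as intended — confirm
    // against the API reference before using this sample on such a project.
    public static Policy GetPolicy(CloudResourceManagerService crmService, string projectId)
    {
        var policy = crmService.Projects.GetIamPolicy(
            new GetIamPolicyRequest(),
            projectId).Execute();
        return policy;
    }

    // Writes the given policy for the project via the Cloud Resource Manager
    // Projects API. The policy object obtained from GetPolicy is sent back as a
    // whole, so any concurrency metadata it carries (an etag, if present — confirm
    // against the API reference) is preserved for the write.
    public static void SetPolicy(CloudResourceManagerService crmService, string projectId, Policy policy)
    {
        crmService.Projects.SetIamPolicy(
            new SetIamPolicyRequest
            {
                Policy = policy
            }, projectId).Execute();
    }

    // Grants `member` the `role` on the project. The member is added at most
    // once; if the role has no binding yet, one is created.
    public static void AddBinding(
        CloudResourceManagerService crmService,
        string projectId,
        string member,
        string role)
    {
        // Get the project's policy
        var policy = GetPolicy(crmService, projectId);

        // A policy with no bindings may come back with a null list rather than
        // an empty one; normalize so the code below can append.
        if (policy.Bindings == null)
        {
            policy.Bindings = new List<Binding>();
        }

        // Find binding in policy
        var binding = FindBinding(policy, role);
        if (binding != null)
        {
            if (binding.Members == null)
            {
                binding.Members = new List<string>();
            }
            if (binding.Members.Contains(member))
            {
                // Already granted; nothing to write.
                return;
            }
            binding.Members.Add(member);
        }
        else
        {
            // If binding does not exist, add binding to policy
            policy.Bindings.Add(new Binding
            {
                Role = role,
                Members = new List<string> { member }
            });
        }

        // Set the updated policy
        SetPolicy(crmService, projectId, policy);
    }

    // Revokes `role` from `member` on the project. A binding left without
    // members is dropped from the policy. If the role or the member is not
    // present, a message is printed and no write is performed.
    public static void RemoveMember(
        CloudResourceManagerService crmService,
        string projectId,
        string member,
        string role)
    {
        // Get the project's policy
        var policy = GetPolicy(crmService, projectId);

        var binding = FindBinding(policy, role);
        if (binding == null)
        {
            Console.WriteLine("Role does not exist in policy.");
            return;
        }
        if (binding.Members == null || !binding.Members.Contains(member))
        {
            Console.WriteLine("The member has not been granted this role.");
            return;
        }

        // Remove the member from the role
        binding.Members.Remove(member);

        // A binding without members grants nothing; remove it entirely.
        if (binding.Members.Count == 0)
        {
            policy.Bindings.Remove(binding);
        }

        // Set the updated policy
        SetPolicy(crmService, projectId, policy);
    }

    // Returns the first binding for `role`, or null when the policy has no such
    // binding (or no bindings at all). Matching by role alone assumes at most one
    // binding per role, which holds only for policies without conditional bindings.
    private static Binding FindBinding(Policy policy, string role)
    {
        if (policy.Bindings == null)
        {
            return null;
        }
        return policy.Bindings.FirstOrDefault(x => x.Role == role);
    }
}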
Go
如需了解如何安装和使用 IAM 客户端库,请参阅 IAM 客户端库。 如需了解详情,请参阅 IAM Go API 参考文档。
如需向 IAM 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
package main
import (
"context"
"flag"
"fmt"
"log"
"strings"
"time"
"google.golang.org/api/cloudresourcemanager/v1"
)
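func main() {
	// TODO: Add your project ID
	projectID := flag.String("project_id", "", "Cloud Project ID")
	// TODO: Add the ID of your member in the form "user:member@example.com"
	member := flag.String("member_id", "", "Your member ID")
	flag.Parse()

	// Both values are required: an empty project ID yields a malformed resource
	// name, and an empty member would be written into the policy as-is.
	if *projectID == "" || *member == "" {
		flag.Usage()
		log.Fatal("both -project_id and -member_id must be set")
	}

	// The role to be granted
	role := "roles/logging.logWriter"

	// Initializes the Cloud Resource Manager service. No explicit credentials
	// are passed; the surrounding documentation says the sample authenticates
	// with Application Default Credentials.
	ctx := context.Background()
	crmService, err := cloudresourcemanager.NewService(ctx)
	if err != nil {
		log.Fatalf("cloudresourcemanager.NewService: %v", err)
	}

	// Grants your member the "Log writer" role for your project
	addBinding(crmService, *projectID, *member, role)

	// Gets the project's policy and prints all members with the "Log Writer" role
	policy := getPolicy(crmService, *projectID)

	// Find the policy binding for role. Matching by role alone assumes at most
	// one binding per role, which holds only for policies without conditions.
	var binding *cloudresourcemanager.Binding
	for _, b := range policy.Bindings {
		if b.Role == role {
			binding = b
			break
		}
	}
	if binding == nil {
		// addBinding has just written this role, so reaching here means the
		// policy was modified concurrently between the two calls.
		log.Fatalf("role %q not found in the policy of project %q", role, *projectID)
	}
	fmt.Println("Role: ", binding.Role)
	// Println rather than Print so the member list is terminated by a newline.
	fmt.Println("Members: ", strings.Join(binding.Members, ", "))

	// Removes member from the "Log writer" role
	removeMember(crmService, *projectID, *member, role)
}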
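// addBinding grants member the role in the project's IAM policy. The member is
// added at most once; if no binding for the role exists, one is created.
func addBinding(crmService *cloudresourcemanager.Service, projectID, member, role string) {
	policy := getPolicy(crmService, projectID)

	// Find the policy binding for role. Matching by role alone assumes at most
	// one binding per role, which holds only for policies without conditions.
	var binding *cloudresourcemanager.Binding
	for _, b := range policy.Bindings {
		if b.Role == role {
			binding = b
			break
		}
	}

	if binding != nil {
		// If the binding exists, add the member unless it is already present;
		// a duplicate entry grants nothing extra.
		for _, m := range binding.Members {
			if m == member {
				return
			}
		}
		binding.Members = append(binding.Members, member)
	} else {
		// If the binding does not exist, adds a new binding to the policy
		binding = &cloudresourcemanager.Binding{
			Role:    role,
			Members: []string{member},
		}
		policy.Bindings = append(policy.Bindings, binding)
	}

	setPolicy(crmService, projectID, policy)
}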
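// removeMember revokes the role from member in the project's IAM policy. A
// binding left without members is dropped. If the role has no binding or the
// member does not hold it, the policy is left untouched.
func removeMember(crmService *cloudresourcemanager.Service, projectID, member, role string) {
	policy := getPolicy(crmService, projectID)

	// Find the policy binding for role. Matching by role alone assumes at most
	// one binding per role, which holds only for policies without conditions.
	bindingIndex := -1
	for i, b := range policy.Bindings {
		if b.Role == role {
			bindingIndex = i
			break
		}
	}
	if bindingIndex < 0 {
		log.Printf("role %q is not present in the policy; nothing to remove", role)
		return
	}
	binding := policy.Bindings[bindingIndex]

	// Copy every member except the one being removed. Building a fresh slice
	// avoids the original index-swap approach, which removed Members[0] when the
	// member was not actually in the binding.
	var remaining []string
	removed := false
	for _, m := range binding.Members {
		if m == member {
			removed = true
			continue
		}
		remaining = append(remaining, m)
	}
	if !removed {
		log.Printf("member %q does not hold role %q; nothing to remove", member, role)
		return
	}

	if len(remaining) == 0 {
		// The member was the only member in the binding: drop the binding.
		policy.Bindings = append(policy.Bindings[:bindingIndex], policy.Bindings[bindingIndex+1:]...)
	} else {
		binding.Members = remaining
	}

	setPolicy(crmService, projectID, policy)
}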
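// getPolicy gets the project's IAM policy. The 10-second deadline is attached
// to the request through Context; without that call the deadline created here
// would never apply to the RPC.
func getPolicy(crmService *cloudresourcemanager.Service, projectID string) *cloudresourcemanager.Policy {
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()

	request := new(cloudresourcemanager.GetIamPolicyRequest)
	policy, err := crmService.Projects.GetIamPolicy(projectID, request).Context(ctx).Do()
	if err != nil {
		log.Fatalf("Projects.GetIamPolicy: %v", err)
	}
	return policy
}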
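// setPolicy sets the project's IAM policy. The policy returned by the API is
// discarded; only the error is inspected. The 10-second deadline is attached to
// the request through Context so it actually bounds the RPC.
func setPolicy(crmService *cloudresourcemanager.Service, projectID string, policy *cloudresourcemanager.Policy) {
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()

	request := new(cloudresourcemanager.SetIamPolicyRequest)
	request.Policy = policy
	if _, err := crmService.Projects.SetIamPolicy(projectID, request).Context(ctx).Do(); err != nil {
		log.Fatalf("Projects.SetIamPolicy: %v", err)
	}
}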
Java
如需了解如何安装和使用 IAM 客户端库,请参阅 IAM 客户端库。 如需了解详情,请参阅 IAM Java API 参考文档。
如需向 IAM 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
import com.google.cloud.iam.admin.v1.IAMClient;
import com.google.iam.admin.v1.ServiceAccountName;
import com.google.iam.v1.Binding;
import com.google.iam.v1.GetIamPolicyRequest;
import com.google.iam.v1.Policy;
import com.google.iam.v1.SetIamPolicyRequest;
import com.google.protobuf.FieldMask;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
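public class Quickstart {

  public static void main(String[] args) throws IOException {
    // TODO: Replace with your project ID.
    String projectId = "your-project";
    // TODO: Replace with your service account name.
    String serviceAccount = "your-service-account";
    // TODO: Replace with the ID of your member in the form "user:member@example.com"
    String member = "your-member";
    // The role to be granted.
    String role = "roles/logging.logWriter";

    quickstart(projectId, serviceAccount, member, role);
  }

  /**
   * Grants {@code member} the role on the IAM policy of the service account, prints the
   * resulting binding, and then revokes the grant again.
   *
   * <p>The resource whose policy is read and written is the service account
   * ({@code projects/PROJECT/serviceAccounts/EMAIL}), not the project itself, so the role is
   * granted on the service account as a resource.
   *
   * @param projectId project that owns the service account
   * @param serviceAccount service account name; the e-mail suffix is appended here
   * @param member principal to grant and revoke, e.g. {@code user:member@example.com}
   * @param role role to grant, e.g. {@code roles/logging.logWriter}
   * @throws IOException if the IAM client cannot be created
   */
  public static void quickstart(String projectId, String serviceAccount,
      String member, String role) throws IOException {
    // Construct the service account email.
    // You can modify the ".iam.gserviceaccount.com" to match the name of the service account
    // to use for authentication.
    serviceAccount = serviceAccount + "@" + projectId + ".iam.gserviceaccount.com";

    // Initialize client that will be used to send requests.
    // This client only needs to be created once, and can be reused for multiple requests.
    try (IAMClient iamClient = IAMClient.create()) {
      // Grants your member the "Log writer" role on the service account.
      addBinding(iamClient, projectId, serviceAccount, member, role);

      // Gets the policy and prints all members with the "Log Writer" role.
      Policy policy = getPolicy(iamClient, projectId, serviceAccount);
      int index = findBindingIndex(policy.getBindingsList(), role);
      if (index < 0) {
        // addBinding has just written this role, so this only happens if the policy
        // was modified concurrently between the two calls.
        System.out.println("Role " + role + " is not present in the policy.");
      } else {
        Binding binding = policy.getBindings(index);
        System.out.println("Role: " + binding.getRole());
        System.out.print("Members: ");
        for (String m : binding.getMembersList()) {
          System.out.print("[" + m + "] ");
        }
        System.out.println();
      }

      // Removes member from the "Log writer" role.
      removeMember(iamClient, projectId, serviceAccount, member, role);
    }
  }

  /**
   * Grants {@code member} the role on the service account's IAM policy. The member is added
   * at most once; if the role has no binding yet, one is created.
   */
  public static void addBinding(IAMClient iamClient, String projectId, String serviceAccount,
      String member, String role) {
    // Gets the service account's policy.
    Policy policy = getPolicy(iamClient, projectId, serviceAccount);

    // If policy is not retrieved, return early.
    if (policy == null) {
      return;
    }

    Policy.Builder updatedPolicy = policy.toBuilder();

    int index = findBindingIndex(updatedPolicy.getBindingsList(), role);
    if (index >= 0) {
      Binding existing = updatedPolicy.getBindings(index);
      if (existing.getMembersList().contains(member)) {
        // Already granted; nothing to write.
        return;
      }
      // Protobuf messages are immutable and getMembersList() returns a read-only
      // view, so the binding has to be rebuilt rather than mutated in place.
      updatedPolicy.setBindings(index, existing.toBuilder().addMembers(member).build());
    } else {
      // If binding does not exist, adds binding to policy.
      updatedPolicy.addBindings(Binding.newBuilder()
          .setRole(role)
          .addMembers(member)
          .build());
    }

    // Sets the updated policy.
    setPolicy(iamClient, projectId, serviceAccount, updatedPolicy.build());
  }

  /**
   * Revokes the role from {@code member} on the service account's IAM policy. A binding left
   * without members is dropped. If the role or the member is not present, a message is printed
   * and nothing is written.
   */
  public static void removeMember(IAMClient iamClient, String projectId, String serviceAccount,
      String member, String role) {
    // Gets the service account's policy.
    Policy.Builder policy = getPolicy(iamClient, projectId, serviceAccount).toBuilder();

    int index = findBindingIndex(policy.getBindingsList(), role);
    if (index < 0) {
      System.out.println("Role does not exist in policy.");
      return;
    }
    Binding binding = policy.getBindings(index);
    if (!binding.getMembersList().contains(member)) {
      System.out.println("The member has not been granted this role.");
      return;
    }

    // Removes the member from the role.
    List<String> remaining = new ArrayList<>(binding.getMembersList());
    remaining.remove(member);
    if (remaining.isEmpty()) {
      // A binding without members grants nothing; drop it entirely.
      policy.removeBindings(index);
    } else {
      policy.setBindings(index, binding.toBuilder()
          .clearMembers()
          .addAllMembers(remaining)
          .build());
    }

    // Sets the updated policy.
    setPolicy(iamClient, projectId, serviceAccount, policy.build());
  }

  /**
   * Gets the IAM policy of the service account resource by calling the IAMClient API.
   *
   * @return the current policy of {@code projects/PROJECT/serviceAccounts/EMAIL}
   */
  public static Policy getPolicy(IAMClient iamClient, String projectId, String serviceAccount) {
    GetIamPolicyRequest request = GetIamPolicyRequest.newBuilder()
        .setResource(ServiceAccountName.of(projectId, serviceAccount).toString())
        .build();
    return iamClient.getIamPolicy(request);
  }

  /** Sets the IAM policy of the service account resource. */
  private static void setPolicy(IAMClient iamClient, String projectId,
      String serviceAccount, Policy policy) {
    List<String> paths = Arrays.asList("bindings", "etag");
    SetIamPolicyRequest request = SetIamPolicyRequest.newBuilder()
        .setResource(ServiceAccountName.of(projectId, serviceAccount).toString())
        .setPolicy(policy)
        // A FieldMask specifying which fields of the policy to modify. Only
        // the fields in the mask will be modified. If no mask is provided, the
        // following default mask is used:
        // `paths: "bindings, etag"`
        .setUpdateMask(FieldMask.newBuilder().addAllPaths(paths).build())
        .build();
    iamClient.setIamPolicy(request);
  }

  /**
   * Returns the index of the first binding for {@code role}, or -1 if there is none. Matching
   * by role alone assumes at most one binding per role, which holds only for policies without
   * conditional bindings.
   */
  private static int findBindingIndex(List<Binding> bindings, String role) {
    for (int i = 0; i < bindings.size(); i++) {
      if (bindings.get(i).getRole().equals(role)) {
        return i;
      }
    }
    return -1;
  }
}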
Python
如需了解如何安装和使用 IAM 客户端库,请参阅 IAM 客户端库。 如需了解详情,请参阅 IAM Python API 参考文档。
如需向 IAM 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
from google.cloud import resourcemanager_v3
from google.iam.v1 import iam_policy_pb2, policy_pb2
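def quickstart(project_id: str, member: str) -> None:
    """Gets a policy, adds a member, prints their permissions, and removes the member.

    Args:
        project_id: ID or number of the Google Cloud project you want to use.
        member: The principal to grant and then revoke the role for, in the
            form 'user:member@example.com'.
    """
    # Role to be granted.
    role = "roles/logging.logWriter"

    # No explicit credentials are passed; the surrounding documentation says the
    # sample authenticates with Application Default Credentials.
    crm_service = resourcemanager_v3.ProjectsClient()

    # Grants your member the 'Log Writer' role for the project.
    modify_policy_add_role(crm_service, project_id, role, member)

    # Gets the project's policy and prints all members with the 'Log Writer' role.
    policy = get_policy(crm_service, project_id)
    # The None default avoids an unhandled StopIteration should the binding have
    # been removed concurrently between the two calls.
    binding = next((b for b in policy.bindings if b.role == role), None)
    if binding is None:
        print(f"Role {role} is not present in the policy.")
    else:
        print(f"Role: {(binding.role)}")
        print("Members: ")
        for m in binding.members:
            print(f"[{m}]")

    # Removes the member from the 'Log Writer' role.
    modify_policy_remove_member(crm_service, project_id, role, member)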
def get_policy(
    crm_service: resourcemanager_v3.ProjectsClient, project_id: str
) -> policy_pb2.Policy:
    """Reads the current IAM policy of a project.

    Args:
        crm_service: Client used to call the Resource Manager API.
        project_id: ID or number of the project; it is formatted as the
            ``projects/{id}`` resource name expected by the API.

    Returns:
        The policy as returned by ``get_iam_policy``.
    """
    resource_name = f"projects/{project_id}"
    request = iam_policy_pb2.GetIamPolicyRequest(resource=resource_name)
    return crm_service.get_iam_policy(request)
def set_policy(
    crm_service: resourcemanager_v3.ProjectsClient,
    project_id: str,
    policy: policy_pb2.Policy,
) -> None:
    """Replaces the IAM policy of a project with ``policy``.

    Args:
        crm_service: Client used to call the Resource Manager API.
        project_id: ID or number of the project whose policy is written.
        policy: The complete policy to store; it is copied into the request.
    """
    resource_name = f"projects/{project_id}"
    request = iam_policy_pb2.SetIamPolicyRequest(resource=resource_name)
    request.policy.CopyFrom(policy)
    crm_service.set_iam_policy(request)
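def modify_policy_add_role(
    crm_service: resourcemanager_v3.ProjectsClient,
    project_id: str,
    role: str,
    member: str,
) -> None:
    """Grants ``member`` the ``role`` in the project's IAM policy.

    The member is added at most once; if no binding for the role exists, one is
    created. Matching by role alone assumes at most one binding per role, which
    holds only for policies without conditional bindings.

    Args:
        crm_service: Client used to read and write the project's IAM policy.
        project_id: ID or number of the project whose policy is modified.
        role: Role to grant, e.g. 'roles/logging.logWriter'.
        member: Principal to grant, e.g. 'user:member@example.com'.
    """
    policy = get_policy(crm_service, project_id)
    for bind in policy.bindings:
        if bind.role == role:
            # A duplicate entry grants nothing extra, so only add the member once.
            if member not in bind.members:
                bind.members.append(member)
            break
    else:
        binding = policy_pb2.Binding()
        binding.role = role
        binding.members.append(member)
        policy.bindings.append(binding)
    set_policy(crm_service, project_id, policy)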
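def modify_policy_remove_member(
    crm_service: resourcemanager_v3.ProjectsClient,
    project_id: str,
    role: str,
    member: str,
) -> None:
    """Revokes ``role`` from ``member`` in the project's IAM policy.

    A binding left without members is dropped so it does not linger in the
    policy. If the member does not hold the role, the policy is written back
    unchanged.

    Args:
        crm_service: Client used to read and write the project's IAM policy.
        project_id: ID or number of the project whose policy is modified.
        role: Role whose binding the member is removed from.
        member: Principal to remove, e.g. 'user:member@example.com'.
    """
    policy = get_policy(crm_service, project_id)
    for i, bind in enumerate(policy.bindings):
        if bind.role == role and member in bind.members:
            bind.members.remove(member)
            if not bind.members:
                # Deleting by index is safe here because the loop ends right after.
                del policy.bindings[i]
            break
    set_policy(crm_service, project_id, policy)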
if __name__ == "__main__":
    # TODO: replace with your project ID
    # TODO: Replace with the ID of your member in the form 'user:member@example.com'.
    project_id, member = "your-project-id", "your-member"
    quickstart(project_id=project_id, member=member)
后续步骤
如需搜索和过滤其他 Google Cloud 产品的代码示例,请参阅 Google Cloud 示例浏览器。