设置 roles/secretmanager.secretAccessor 政策。
代码示例
C#
如需了解如何安装和使用 Secret Manager 客户端库,请参阅 Secret Manager 客户端库。
using Google.Cloud.SecretManager.V1;
using Google.Cloud.Iam.V1;
public class IamGrantAccessSample
{
    /// <summary>
    /// Grants <paramref name="member"/> the Secret Accessor role on one secret by
    /// reading the secret's IAM policy, adding the member to the role's binding and
    /// writing the policy back.
    /// </summary>
    /// <param name="projectId">Google Cloud project that owns the secret.</param>
    /// <param name="secretId">ID of the secret within the project.</param>
    /// <param name="member">Principal prefixed with its type, e.g. <c>user:foo@example.com</c>.</param>
    /// <returns>The policy as returned by <c>SetIamPolicy</c>.</returns>
    public Policy IamGrantAccess(
        string projectId = "my-project", string secretId = "my-secret",
        string member = "user:foo@example.com")
    {
        var client = SecretManagerServiceClient.Create();
        var secretName = new SecretName(projectId, secretId);

        // Fetch the current policy. The returned object is what is sent back below, so
        // its etag travels with it and a concurrent change is rejected instead of overwritten.
        var getRequest = new GetIamPolicyRequest { ResourceAsResourceName = secretName };
        Policy policy = client.GetIamPolicy(getRequest);

        // NOTE(review): no requested policy version is set on the get; if the policy uses
        // IAM Conditions, confirm that its version-3 bindings round-trip through this write.
        policy.AddRoleMember("roles/secretmanager.secretAccessor", member);

        var setRequest = new SetIamPolicyRequest
        {
            ResourceAsResourceName = secretName,
            Policy = policy,
        };
        return client.SetIamPolicy(setRequest);
    }
}
Go
如需了解如何安装和使用 Secret Manager 客户端库,请参阅 Secret Manager 客户端库。
import (
"context"
"fmt"
"io"
secretmanager "cloud.google.com/go/secretmanager/apiv1"
)
// iamGrantAccess grants the given member access to the secret.
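// iamGrantAccess grants the given member the Secret Accessor role on the
// secret identified by name, using a read-modify-write of its IAM policy.
//
// name is the full resource name of the secret and member is an IAM principal
// prefixed with its type (for example "user:" or "serviceAccount:"). A status
// line is written to w on success. Client errors are wrapped with %w so callers
// can inspect the underlying error with errors.Is / errors.As.
func iamGrantAccess(w io.Writer, name, member string) error {
	// name := "projects/my-project/secrets/my-secret"
	// member := "user:foo@example.com"

	// Create the client. Close it on every exit path so its background
	// connections are released (the original leaked them).
	ctx := context.Background()
	client, err := secretmanager.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create secretmanager client: %w", err)
	}
	defer client.Close()

	// Read the current policy. The returned policy is the one sent back below,
	// so its etag travels with it and a concurrent change makes SetPolicy fail
	// rather than being silently overwritten.
	handle := client.IAM(name)
	policy, err := handle.Policy(ctx)
	if err != nil {
		return fmt.Errorf("failed to get policy: %w", err)
	}

	// Add the member to the role's binding and write the policy back.
	policy.Add(member, "roles/secretmanager.secretAccessor")
	if err := handle.SetPolicy(ctx, policy); err != nil {
		return fmt.Errorf("failed to save policy: %w", err)
	}

	fmt.Fprintf(w, "Updated IAM policy for %s\n", name)
	return nil
}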
Java
如需了解如何安装和使用 Secret Manager 客户端库,请参阅 Secret Manager 客户端库。
import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
import com.google.cloud.secretmanager.v1.SecretName;
import com.google.iam.v1.Binding;
import com.google.iam.v1.GetIamPolicyRequest;
import com.google.iam.v1.Policy;
import com.google.iam.v1.SetIamPolicyRequest;
import java.io.IOException;
public class IamGrantAccess {

  /** Runs the sample with placeholder values; replace them before running. */
  public void iamGrantAccess() throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String secretId = "your-secret-id";
    String member = "user:foo@example.com";

    iamGrantAccess(projectId, secretId, member);
  }

  /**
   * Grants {@code member} the Secret Accessor role on one secret.
   *
   * <p>The secret's IAM policy is read, a binding for {@code
   * roles/secretmanager.secretAccessor} containing the member is appended, and the result is
   * written back. The new policy is built from a copy of the fetched one, so its etag is carried
   * into the write and a concurrent modification is rejected instead of overwritten. Note that a
   * new binding is appended even when the policy already has a binding for this role.
   *
   * @param projectId Google Cloud project that owns the secret
   * @param secretId ID of the secret within the project
   * @param member principal prefixed with its type, e.g. {@code user:} or {@code serviceAccount:}
   * @throws IOException if the client cannot be created
   */
  public void iamGrantAccess(String projectId, String secretId, String member) throws IOException {
    // The client owns background resources; try-with-resources closes it when the call is done.
    try (SecretManagerServiceClient client = SecretManagerServiceClient.create()) {
      String resource = SecretName.of(projectId, secretId).toString();

      // NOTE(review): no requested policy version is set here; if the policy uses IAM
      // Conditions, confirm that its version-3 bindings round-trip through this write.
      GetIamPolicyRequest getRequest =
          GetIamPolicyRequest.newBuilder().setResource(resource).build();
      Policy currentPolicy = client.getIamPolicy(getRequest);

      Binding accessorBinding =
          Binding.newBuilder()
              .setRole("roles/secretmanager.secretAccessor")
              .addMembers(member)
              .build();

      // toBuilder() copies every field of the fetched policy, including its etag.
      Policy updatedPolicy = currentPolicy.toBuilder().addBindings(accessorBinding).build();

      SetIamPolicyRequest setRequest =
          SetIamPolicyRequest.newBuilder().setResource(resource).setPolicy(updatedPolicy).build();
      client.setIamPolicy(setRequest);

      System.out.printf("Updated IAM policy for %s\n", secretId);
    }
  }
}
Node.js
如需了解如何安装和使用 Secret Manager 客户端库,请参阅 Secret Manager 客户端库。
/**
 * TODO(developer): Uncomment these variables before running the sample.
 */
// const name = 'projects/my-project/secrets/my-secret';
// const member = 'user:you@example.com';
//
// NOTE: Each member must be prefixed with its type. See the IAM documentation
// for more information: https://cloud.google.com/iam/docs/overview.

// Imports the Secret Manager library
const {SecretManagerServiceClient} = require('@google-cloud/secret-manager');

// Instantiates a client
const client = new SecretManagerServiceClient();

/**
 * Grants `member` the Secret Accessor role on the secret `name`.
 *
 * Reads the secret's IAM policy, appends a binding for
 * `roles/secretmanager.secretAccessor` containing the member, and writes the
 * same policy object back. Sending the fetched object back keeps its etag in
 * the request, so a concurrent change is rejected rather than overwritten.
 * A new binding is appended even if one for this role already exists.
 */
async function grantAccess() {
  // NOTE(review): no requested policy version is set; if the policy uses IAM
  // Conditions, confirm that its version-3 bindings round-trip through this write.
  const [currentPolicy] = await client.getIamPolicy({resource: name});

  const accessorBinding = {
    role: 'roles/secretmanager.secretAccessor',
    members: [member],
  };
  currentPolicy.bindings.push(accessorBinding);

  await client.setIamPolicy({resource: name, policy: currentPolicy});

  console.log(`Updated IAM policy for ${name}`);
}

grantAccess();
PHP
如需了解如何安装和使用 Secret Manager 客户端库,请参阅 Secret Manager 客户端库。
// Import the Secret Manager client library.
use Google\Cloud\SecretManager\V1\SecretManagerServiceClient;
// Import the Secret Manager IAM library.
use Google\Cloud\Iam\V1\Binding;

/** Uncomment and populate these variables in your code */
// $projectId = 'YOUR_GOOGLE_CLOUD_PROJECT' (e.g. 'my-project');
// $secretId = 'YOUR_SECRET_ID' (e.g. 'my-secret');
// $member = 'YOUR_MEMBER' (e.g. 'user:foo@example.com');

// Create the client and resolve the secret's resource name.
$client = new SecretManagerServiceClient();
$name = $client->secretName($projectId, $secretId);

// Read the current policy. The same object is written back below, so its etag
// travels with it and a concurrent change is rejected instead of overwritten.
// NOTE(review): no requested policy version is passed; if the policy uses IAM
// Conditions, confirm that its version-3 bindings round-trip through this write.
$policy = $client->getIamPolicy($name);

// Append a binding granting the member the Secret Accessor role. A new binding
// is added even if the policy already has one for this role.
$accessorBinding = new Binding([
    'members' => [$member],
    'role' => 'roles/secretmanager.secretAccessor',
]);
$bindings = $policy->getBindings();
$bindings[] = $accessorBinding;
$policy->setBindings($bindings);

// Write the updated policy back and report success.
$client->setIamPolicy($name, $policy);
printf('Updated IAM policy for %s', $secretId);
Python
如需了解如何安装和使用 Secret Manager 客户端库,请参阅 Secret Manager 客户端库。
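def iam_grant_access(project_id, secret_id, member):
    """
    Grant the given member access to a secret.

    Reads the secret's current IAM policy, appends a binding for
    ``roles/secretmanager.secretAccessor`` containing ``member`` and writes
    the same policy object back. Because the fetched object is sent back, its
    etag is included in the write and a concurrent modification is rejected
    rather than overwritten. A new binding is appended even if the policy
    already contains a binding for this role.

    Args:
        project_id: Google Cloud project ID that owns the secret.
        secret_id: ID of the secret within the project.
        member: IAM principal prefixed with its type, e.g. ``user:foo@example.com``.

    Returns:
        The policy returned by ``set_iam_policy`` (previously computed but
        discarded; returning it lets callers inspect the stored result).
    """
    # Import the Secret Manager client library.
    from google.cloud import secretmanager

    # Create the client and resolve the secret's resource name.
    client = secretmanager.SecretManagerServiceClient()
    name = client.secret_path(project_id, secret_id)

    # NOTE(review): no requested policy version is passed; if the policy uses
    # IAM Conditions, confirm that its version-3 bindings round-trip here.
    policy = client.get_iam_policy(request={"resource": name})

    # Add a binding granting the member the Secret Accessor role.
    policy.bindings.add(role="roles/secretmanager.secretAccessor", members=[member])

    # Write the updated policy back.
    new_policy = client.set_iam_policy(request={"resource": name, "policy": policy})

    print("Updated IAM policy on {}".format(secret_id))
    return new_policy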
Ruby
如需了解如何安装和使用 Secret Manager 客户端库,请参阅 Secret Manager 客户端库。
# project_id = "YOUR-GOOGLE-CLOUD-PROJECT" # (e.g. "my-project")
# secret_id = "YOUR-SECRET-ID" # (e.g. "my-secret")
# member = "USER-OR-ACCOUNT" # (e.g. "user:foo@example.com")

# Require the Secret Manager client library.
require "google/cloud/secret_manager"

# Create the client and resolve the secret's resource name.
client = Google::Cloud::SecretManager.secret_manager_service
name = client.secret_path project: project_id, secret: secret_id

# Read the current policy. The same object is written back below, so its etag
# travels with it and a concurrent change is rejected instead of overwritten.
# NOTE(review): no requested policy version is passed; if the policy uses IAM
# Conditions, confirm that its version-3 bindings round-trip through this write.
policy = client.get_iam_policy resource: name

# Append a binding granting the member the Secret Accessor role. A new binding
# is added even if the policy already has one for this role.
accessor_binding = Google::Iam::V1::Binding.new(
  members: [member],
  role: "roles/secretmanager.secretAccessor"
)
policy.bindings << accessor_binding

# Write the updated policy back and report success.
new_policy = client.set_iam_policy resource: name, policy: policy
puts "Updated IAM policy for #{secret_id}"