import (
"context"
"fmt"
"io"
securitycenter "cloud.google.com/go/securitycenter/apiv1"
iam "google.golang.org/genproto/googleapis/iam/v1"
)
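// setSourceIamPolicy grants user the roles/securitycenter.findingsEditor role
// on a source while keeping every binding the source already has. sourceName
// is the full resource name of the source to be updated. user is an email
// address that IAM can grant permissions to. The resulting bindings are
// written to w, one "Principal: ... Role: ..." line per member.
//
// IAM's SetIamPolicy replaces the whole policy, so this is a read-modify-write:
// the current policy is fetched, the new member is merged into its bindings,
// and the policy is written back with the etag from the read so that a
// concurrent change makes the write fail instead of being overwritten.
func setSourceIamPolicy(w io.Writer, sourceName string, user string) error {
	// sourceName := "organizations/111122222444/sources/1234"
	// user := "someuser@some_domain.com"
	const role = "roles/securitycenter.findingsEditor"
	member := fmt.Sprintf("user:%s", user)

	// Instantiate a context and a security service client to make API calls.
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %w", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	// Retrieve the existing policy so the update adds one member and leaves
	// every other binding (and the policy's other fields) intact. Sending
	// only the new binding would revoke every other principal's access.
	existing, err := client.GetIamPolicy(ctx, &iam.GetIamPolicyRequest{
		Resource: sourceName,
	})
	if err != nil {
		return fmt.Errorf("GetIamPolicy(%s): %w", sourceName, err)
	}

	existing.Bindings = addMember(existing.Bindings, role, member)
	req := &iam.SetIamPolicyRequest{
		Resource: sourceName,
		// The fetched policy is sent back as a whole (including its etag),
		// so the write fails if the policy changed since it was read.
		Policy: existing,
	}
	policy, err := client.SetIamPolicy(ctx, req)
	if err != nil {
		return fmt.Errorf("SetIamPolicy(%s, %v): %w", sourceName, req.Policy, err)
	}

	fmt.Fprint(w, "Bindings:\n")
	for _, binding := range policy.Bindings {
		for _, m := range binding.Members {
			fmt.Fprintf(w, "Principal: %s Role: %s\n", m, binding.Role)
		}
	}
	return nil
}

// addMember returns bindings with member granted role: the member is appended
// to the first unconditional binding for role, or a new binding is added when
// there is none. A member that is already present is not duplicated.
func addMember(bindings []*iam.Binding, role, member string) []*iam.Binding {
	for _, b := range bindings {
		// A conditional binding would scope the grant to its condition, so
		// only an unconditional binding for the role is reused.
		if b.Role != role || b.Condition != nil {
			continue
		}
		for _, m := range b.Members {
			if m == member {
				return bindings
			}
		}
		b.Members = append(b.Members, member)
		return bindings
	}
	return append(bindings, &iam.Binding{Role: role, Members: []string{member}})
}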
// Imports the Google Cloud client library.
const securityCenter = require('@google-cloud/security-center');
// Creates a new client used by the function below.
const client = new securityCenter.SecurityCenterClient();
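// Grants `user` the roles/securitycenter.findingsEditor role on `sourceName`
// without dropping the bindings the source already has, then logs the
// updated policy.
async function setSourceIamPolicy() {
  // sourceName is the full resource name of the source to be
  // updated.
  // user is an email address that IAM can grant permissions to.
  /*
   * TODO(developer): Uncomment the following lines
   */
  // const sourceName = "organizations/111122222444/sources/1234";
  // const user = "someuser@domain.com";
  const role = 'roles/securitycenter.findingsEditor';
  const member = `user:${user}`;

  // setIamPolicy replaces the whole policy, so read the current one and merge
  // the new member into it. Sending a single new binding would revoke every
  // other principal's access to the source.
  const [existingPolicy] = await client.getIamPolicy({
    resource: sourceName,
  });

  const bindings = existingPolicy.bindings ? [...existingPolicy.bindings] : [];
  // Only reuse an unconditional binding for the role; a conditional binding
  // would scope the grant to its condition.
  const target = bindings.find(b => b.role === role && !b.condition);
  if (target) {
    const members = target.members || [];
    if (!members.includes(member)) {
      target.members = [...members, member];
    }
  } else {
    bindings.push({role, members: [member]});
  }

  const [updatedPolicy] = await client.setIamPolicy({
    resource: sourceName,
    policy: {
      // The etag makes the write fail if the policy changed since it was
      // read, instead of silently overwriting that change.
      etag: existingPolicy.etag,
      bindings,
    },
  });
  console.log('Updated policy: %j', updatedPolicy);
}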
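// Report a failed run explicitly: a rejected promise with no handler is only
// a warning on older Node versions, so the process could exit 0 without the
// grant having been applied.
setSourceIamPolicy().catch(err => {
  console.error(err);
  process.exitCode = 1;
});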
from google.cloud import securitycenter
from google.iam.v1 import policy_pb2
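client = securitycenter.SecurityCenterClient()
# source_name is the resource path for a source that has been
# created previously (you can use list_sources to find a specific one).
# Its format is:
# source_name = "organizations/{organization_id}/sources/{source_id}"
# e.g.:
# source_name = "organizations/111122222444/sources/1234"
# Get the old policy so we can do an incremental update.
old_policy = client.get_iam_policy(request={"resource": source_name})
print("Old Policy: {}".format(old_policy))

# user_email is an e-mail address known to Cloud IAM (e.g. a gmail address).
# user_email = user@somedomain.com
role = "roles/securitycenter.findingsEditor"
member = "user:{}".format(user_email)

# set_iam_policy replaces the whole policy, so start from the existing
# bindings and merge the new member in. Sending a single new binding would
# revoke every other principal's access to the source.
bindings = list(old_policy.bindings)
for binding in bindings:
    # Only reuse an unconditional binding for the role; a conditional binding
    # would scope the grant to its condition.
    if binding.role == role and not binding.HasField("condition"):
        if member not in binding.members:
            binding.members.append(member)
        break
else:
    # No binding for the role yet: set up a new one.
    binding = policy_pb2.Binding()
    binding.role = role
    binding.members.append(member)
    bindings.append(binding)

# Sending the e-tag read above makes the write fail if the policy changed
# in the meantime, instead of silently overwriting that change.
updated = client.set_iam_policy(
    request={
        "resource": source_name,
        "policy": {"etag": old_policy.etag, "bindings": bindings},
    }
)
print("Updated Policy: {}".format(updated))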