Add IAM doc snippets (#1609)

* Add env/ and .vscode/ to .gitignore

* Add IAM requirements.txt

* Python Service account keys (#5)

Add IAM service account keys snippets

* Python Quickstart (#3)

Add IAM quickstart

* Python Service accounts (#4)

Add IAM service account snippets

* Add query grantable roles and tests (#2)

* Add whitespace and correct string formatting

* Add extra CR

* Lint

Author: awkoren

.gitignore

@@ -22,4 +22,4 @@ credentials.dat
 .nox
 .vscode/
 *sponge_log.xml
-.DS_store
+.DS_store

iam/api-client/grantable_roles.py

@@ -0,0 +1,51 @@
+#!/usr/bin/env python
+
+# Copyright 2018 Google Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import argparse
+import os
+
+from google.oauth2 import service_account
+import googleapiclient.discovery
+
+credentials = service_account.Credentials.from_service_account_file(
+    filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS'],
+    scopes=['https://www.googleapis.com/auth/cloud-platform'])
+service = googleapiclient.discovery.build(
+    'iam', 'v1', credentials=credentials)
+
+
+# [START iam_view_grantable_roles]
+def view_grantable_roles(full_resource_name):
+    roles = service.roles().queryGrantableRoles(body={
+        'fullResourceName': full_resource_name
+    }).execute()
+
+    for role in roles['roles']:
+        print('Title: ' + role['title'])
+        print('Name: ' + role['name'])
+        print('Description: ' + role['description'])
+        print(' ')
+# [END iam_view_grantable_roles]
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser()
+    parser.add_argument(
+        'full_resource_name',
+        help='The full name of the resource to query grantable roles for.')
+
+    args = parser.parse_args()
+    view_grantable_roles(args.full_resource_name)

iam/api-client/grantable_roles_test.py

@@ -0,0 +1,25 @@
+# Copyright 2016 Google Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+
+import grantable_roles
+
+
+def test_service_accounts(capsys):
+    project = os.environ['GCLOUD_PROJECT']
+    resource = '//cloudresourcemanager.googleapis.com/projects/' + project
+    grantable_roles.view_grantable_roles(resource)
+    out, _ = capsys.readouterr()
+    assert 'Title:' in out

iam/api-client/quickstart.py

@@ -0,0 +1,50 @@
+#!/usr/bin/env python
+
+# Copyright 2018 Google Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+def quickstart():
+    # [START iam_quickstart]
+    import os
+
+    from google.oauth2 import service_account
+    import googleapiclient.discovery
+
+    # Get credentials
+    credentials = service_account.Credentials.from_service_account_file(
+        filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS'],
+        scopes=['https://www.googleapis.com/auth/cloud-platform'])
+
+    # Create the Cloud IAM service object
+    service = googleapiclient.discovery.build(
+        'iam', 'v1', credentials=credentials)
+
+    # Call the Cloud IAM Roles API
+    # If using pylint, disable weak-typing warnings
+    # pylint: disable=no-member
+    response = service.roles().list().execute()
+    roles = response['roles']
+
+    # Process the response
+    for role in roles:
+        print('Title: ' + role['title'])
+        print('Name: ' + role['name'])
+        print('Description: ' + role['description'])
+        print('')
+    # [END iam_quickstart]
+
+
+if __name__ == '__main__':
+    quickstart()

iam/api-client/quickstart_test.py

@@ -0,0 +1,21 @@
+# Copyright 2018 Google Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import quickstart
+
+
+def test_quickstart(capsys):
+    quickstart.quickstart()
+    out, _ = capsys.readouterr()
+    assert 'Title' in out

iam/api-client/requirements.txt

@@ -0,0 +1,3 @@
+google-api-python-client==1.7.3
+google-auth==1.5.0
+google-auth-httplib2==0.0.3

iam/api-client/service_account_keys.py

@@ -0,0 +1,101 @@
+#!/usr/bin/env python
+
+# Copyright 2018 Google Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Demonstrates how to perform basic operations with Google Cloud IAM
+service account keys.
+
+For more information, see the documentation at
+https://cloud.google.com/iam/docs/creating-managing-service-account-keys.
+"""
+
+import argparse
+import os
+
+from google.oauth2 import service_account
+import googleapiclient.discovery
+
+credentials = service_account.Credentials.from_service_account_file(
+    filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS'],
+    scopes=['https://www.googleapis.com/auth/cloud-platform'])
+service = googleapiclient.discovery.build(
+    'iam', 'v1', credentials=credentials)
+
+
+# [START iam_create_key]
+def create_key(service_account_email):
+    """Creates a key for a service account."""
+
+    # pylint: disable=no-member
+    key = service.projects().serviceAccounts().keys().create(
+        name='projects/-/serviceAccounts/' + service_account_email, body={}
+        ).execute()
+
+    print('Created key: ' + key['name'])
+# [END iam_create_key]
+
+
+# [START iam_list_keys]
+def list_keys(service_account_email):
+    """Lists all keys for a service account."""
+
+    # pylint: disable=no-member
+    keys = service.projects().serviceAccounts().keys().list(
+        name='projects/-/serviceAccounts/' + service_account_email).execute()
+
+    for key in keys['keys']:
+        print('Key: ' + key['name'])
+# [END iam_list_keys]
+
+
+# [START iam_delete_key]
+def delete_key(full_key_name):
+    """Deletes a service account key."""
+
+    # pylint: disable=no-member
+    service.projects().serviceAccounts().keys().delete(
+        name=full_key_name).execute()
+
+    print('Deleted key: ' + full_key_name)
+# [END iam_delete_key]
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(
+        description=__doc__,
+        formatter_class=argparse.RawDescriptionHelpFormatter)
+
+    subparsers = parser.add_subparsers(dest='command')
+
+    create_key_parser = subparsers.add_parser(
+        'create', help=create_key.__doc__)
+    create_key_parser.add_argument('service_account_email')
+
+    list_keys_parser = subparsers.add_parser(
+        'list', help=list_keys.__doc__)
+    list_keys_parser.add_argument('service_account_email')
+
+    delete_key_parser = subparsers.add_parser(
+        'delete', help=delete_key.__doc__)
+    delete_key_parser.add_argument('full_key_name')
+
+    args = parser.parse_args()
+
+    if args.command == 'list':
+        list_keys(args.service_account_email)
+    elif args.command == 'create':
+        create_key(args.service_account_email)
+    elif args.command == 'delete':
+        delete_key(args.full_key_name)