python requests - Can't create cloudsql role for Service Account via api -


i have been trying use api create service accounts in gcp.

to create service account send following post request:

base_url = f"https://iam.googleapis.com/v1/projects/{project}/serviceaccounts" auth = f"?access_token={access_token}" data = {"accountid": name} # create service account r = requests.post(base_url + auth, json=data)

this returns 200 , creates service account:

then, code use create specific roles:

sa = f"{name}@dotmudus-service.iam.gserviceaccount.com" sa_url = base_url + f'/{sa}:setiampolicy' + auth data = {"policy":     {"bindings": [         {             "role": roles,             "members":                 [                     f"serviceaccount:{sa}"                 ]         }     ]} }

if roles set 1 of roles/viewer, roles/editor or roles/owner approach work. however, if want use, roles/cloudsql.viewer api tells me option not supported.

here roles. https://cloud.google.com/iam/docs/understanding-roles

i don't want give service account full viewer rights project, it's against principle of least privilege.

how can set specific roles api?

edit:

here response using resource manager api: roles/cloudsql.admin role

post https://cloudresourcemanager.googleapis.com/v1/projects/{project}:setiampolicy?key={your_api_key}  {  "policy": {   "bindings": [    {     "members": [      "serviceaccount:sa@{project}.iam.gserviceaccount.com"     ],     "role": "roles/cloudsql.viewer"    }   ]  } }   {   "error": {     "code": 400,     "message": "request contains invalid argument.",     "status": "invalid_argument",     "details": [       {         "@type": "type.googleapis.com/google.cloudresourcemanager.projects.v1beta1.projectiampolicyerror",         "type": "solo_require_tos_acceptor",         "role": "roles/owner"       }     ]   } }

with code provided appears appending first base_url not correct context modify project roles.

this try place appended path to: https://iam.googleapis.com/v1/projects/{project}/serviceaccount

the post path adding roles needs be: https://cloudresourcemanager.googleapis.com/v1/projects/{project]:setiampolicy

if remove /serviceaccounts base_url , should work.

edited response add more information due edit

ok, see issue here, sorry had set new project test this.

cloudresourcemanager.projects.setiampolicy needs replace entire policy. appears can add constraints change have submit complete policy in json project.

note gcloud has --log-http option dig through of these issues. if run 

gcloud projects add-iam-policy-binding $project --member serviceaccount:$name --role roles/cloudsql.viewer --log-http

it show how pulls existing existing policy, appends new role , adds it.

i recommend using example code provided here make these changes if don't want use gcloud or console add role user impact entire project.

hopefully improve api need.


Comments

Post a Comment

Popular posts from this blog

angular - Ionic slides - dynamically add slides before and after -

hi i'm using ngfor create set of 3 slides while starting in middle i'm guaranteed able slide left or right on start. when slide right can simple listen reachedend , push slide array i'm looping. but have problem adding slide beginning. if same above , use e.g. array.unshift() or spread add item beginning, view think it's on position 0 , snaps view new slide. the code below work animates slide change index 1. slide = [0,1,2] //example loop slidechanged(event) { if(this.slides.isbeginning()){ this.slide = [this.slide[0]-1, ...this.slide]; this.slides.update(); this.slides.slideto(1) } } <ion-slides [initialslide]="1" (ionslidedidchange)="slidechanged($event)"> <ion-slide *ngfor="let item of slide"> <h1>slide {{item}}</h1> </ion-slide> </ion-slides> any appreciated! you can using ionslidenextend , ionslideprevend events slides . please...
Read more

Add a dynamic header in angular 2 http provider -

i have http interceptor built via tutorial https://scotch.io/@kashyapmukkamala/using-http-interceptor-with-angular2 the problem need have dynamic header changes automatically once changes 'mode' in app. service able tell interceptor change header, or have interceptor pull header (which string)from service each request. able throwing away patch method, call http.patch('new header string') set header string. call in service controls 'mode' setting. wondering if there way interceptor pull recent value service each request or if can add method http provider via interceptor? i've tried call service in interceptor each request returns undefined. because creating new instance of service or copying value before service fired , loaded/changed data. i don't want pass header string every http provider call because defeats purpose of having interceptor, id able set once changes or have provider fetch service before makes request. tl;dr : need add autom...
Read more

minify - Minimizing css files -

i want know how css files can minimized. currently, using external sites css minifier compress css files. however, after removing whitespaces, comments, etc, file sizes reduced 10-15%. how frameworks bootstrap manage make minimized versions kilobytes. as example, css is: body { background-color: #ff0; } the reduction goes 28 bytes 22 bytes other css files have lot more characters still smaller this. actually minifying code means it's remove thing code white space characters new line characters comments block delimiters it reduces amount of code has transferred on web , speed site load fastly.but unreadable format.
Read more