package backend
import (
"context"
"fmt"
"github.com/pkg/errors"
"github.com/vvakame/sdlog/aelog"
"golang.org/x/oauth2/google"
"google.golang.org/api/cloudresourcemanager/v1"
)
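// AddSpannerIAM grants googleAccount (as a "user:" member) and every entry of
// serviceAccounts (as a "serviceAccount:" member) the Spanner roles
// roles/spanner.databaseAdmin and roles/spanner.viewer on the
// gcpug-public-spanner project. It reads the project's IAM policy, appends
// the members to the matching bindings and writes the policy back.
//
// The Etag and Version of the fetched policy are sent back with
// SetIamPolicy so the write is conditional on the policy that was read: a
// concurrent policy change is then rejected by the API instead of being
// silently overwritten by this read-modify-write. Members that are already
// present in a binding are not appended a second time.
//
// An empty googleAccount or an empty serviceAccounts entry is rejected
// before any API call. Credential, client-construction and IAM call errors
// are returned wrapped with a stack trace.
func AddSpannerIAM(ctx context.Context, googleAccount string, serviceAccounts []string) error {
	const resource = "gcpug-public-spanner"
	// Validate inputs up front: an empty value would produce a bare "user:" /
	// "serviceAccount:" member that the API rejects after two round trips.
	if googleAccount == "" {
		return fmt.Errorf("googleAccount must not be empty")
	}
	for i, sa := range serviceAccounts {
		if sa == "" {
			return fmt.Errorf("serviceAccounts[%d] must not be empty", i)
		}
	}
	client, err := google.DefaultClient(ctx, cloudresourcemanager.CloudPlatformScope)
	if err != nil {
		return errors.WithStack(err)
	}
	s, err := cloudresourcemanager.New(client)
	if err != nil {
		return errors.WithStack(err)
	}
	p, err := s.Projects.GetIamPolicy(resource, &cloudresourcemanager.GetIamPolicyRequest{}).Do()
	if err != nil {
		return errors.WithStack(err)
	}
	for _, b := range p.Bindings {
		aelog.Infof(ctx, "%+v", b)
	}
	bs := addSpannerMembers(p.Bindings, googleAccount, serviceAccounts)
	_, err = s.Projects.SetIamPolicy(resource, &cloudresourcemanager.SetIamPolicyRequest{
		Policy: &cloudresourcemanager.Policy{
			Bindings: bs,
			// Etag makes the update conditional on the policy read above;
			// Version keeps the policy format (and any conditional bindings
			// it carries) intact instead of resetting it to the default.
			Etag:    p.Etag,
			Version: p.Version,
		},
	}).Do()
	if err != nil {
		return errors.WithStack(err)
	}
	return nil
}

// addSpannerMembers appends the "user:" member for googleAccount and a
// "serviceAccount:" member for each of serviceAccounts to every binding whose
// role is roles/spanner.databaseAdmin or roles/spanner.viewer, skipping
// members that are already present. Other bindings pass through unchanged.
// The bindings are modified in place; the returned slice holds the same
// pointers in the same order.
func addSpannerMembers(bindings []*cloudresourcemanager.Binding, googleAccount string, serviceAccounts []string) []*cloudresourcemanager.Binding {
	members := make([]string, 0, len(serviceAccounts)+1)
	members = append(members, "user:"+googleAccount)
	for _, sa := range serviceAccounts {
		members = append(members, "serviceAccount:"+sa)
	}
	bs := make([]*cloudresourcemanager.Binding, 0, len(bindings))
	for _, b := range bindings {
		if b.Role == "roles/spanner.databaseAdmin" || b.Role == "roles/spanner.viewer" {
			for _, m := range members {
				// Repeated calls must not grow the binding with duplicates.
				if !hasMember(b.Members, m) {
					b.Members = append(b.Members, m)
				}
			}
		}
		bs = append(bs, b)
	}
	return bs
}

// hasMember reports whether member is already listed in members.
func hasMember(members []string, member string) bool {
	for _, m := range members {
		if m == member {
			return true
		}
	}
	return false
}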