com.google.api.services.iam.v1.model.ServiceAccount Java Examples

The following examples show how to use com.google.api.services.iam.v1.model.ServiceAccount.
Example #1
Source File: ServiceAccountCleanupTest.java    From styx with Apache License 2.0
/**
 * Sweeps the test project and deletes every service account whose display name
 * identifies an expired test namespace.
 *
 * <p>The deletion decision rests only on the display name, which is a free-text,
 * mutable attribute of the account. That is acceptable only because the sweep is
 * pinned to the dedicated {@code styx-oss-test} project; the same selection rule
 * must not be pointed at a project that also holds long-lived accounts.
 *
 * @throws IOException if the application default credentials cannot be loaded or
 *     the account listing fails
 */
@Test
public void deleteExpiredTestServiceAccounts() throws IOException {
  // Arguments are resolved in the same order as a single inline constructor call.
  final var transport = Utils.getDefaultTransport();
  final var jsonFactory = Utils.getDefaultJsonFactory();
  // Application default credentials, scoped with every scope the IAM client defines.
  final var credential = GoogleCredential.getApplicationDefault().createScoped(IamScopes.all());
  final var iam = new Iam.Builder(transport, jsonFactory, credential)
      .setApplicationName(TestNamespaces.TEST_NAMESPACE_PREFIX)
      .build();

  for (final ServiceAccount candidate : listServiceAccounts(iam)) {
    final var label = candidate.getDisplayName();
    // Accounts without a display name, or whose namespace has not expired, are kept.
    final boolean expired = label != null && TestNamespaces.isExpiredTestNamespace(label, NOW);
    if (expired) {
      log.info("Deleting old test service account: {}", candidate.getEmail());
      try {
        final var deletion = iam.projects().serviceAccounts()
            .delete("projects/styx-oss-test/serviceAccounts/" + candidate.getEmail());
        executeWithRetries(deletion);
      } catch (Throwable e) {
        // Best effort: a failed deletion is logged and the sweep moves on to the next
        // account. Throwable is caught, so JVM Errors are logged here as well.
        log.error("Failed to delete old test service account: {}", candidate.getEmail(), e);
      }
    }
  }
}
 
Example #2
Source File: GCPServiceAccount.java    From policyscanner with Apache License 2.0
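/**
 * Return the service accounts belonging to a project.
 *
 * <p>The listing is read page by page until the API stops returning a page token.
 * Reading only the first response would silently drop accounts in projects with
 * more accounts than one page holds, so a scan built on this method would report
 * an incomplete inventory.
 *
 * @param project The project ID of the project whose service accounts are to be listed.
 * @return A list of GCPServiceAccount objects representing the service accounts to be listed;
 *     empty (never null) when the project has no service accounts.
 * @throws IOException Thrown if there's an error reading from the IAM service account API.
 * @throws GeneralSecurityException Thrown if there's a security error
 * accessing the IAM service account API.
 */
public static List<GCPServiceAccount> getServiceAccounts(String project)
    throws IOException, GeneralSecurityException {
  List<GCPServiceAccount> accounts = new ArrayList<>();
  String pageToken = null;
  do {
    // NOTE(review): assumes the stub is the generated IAM service-accounts resource,
    // whose list request accepts a page token — confirm against getServiceAccountsApiStub().
    ListServiceAccountsResponse response = getServiceAccountsApiStub()
        .list("projects/" + project)
        .setPageToken(pageToken)
        .execute();
    // The generated model leaves absent fields null, so a project without
    // service accounts yields a null list rather than an empty one.
    List<ServiceAccount> page = response.getAccounts();
    if (page != null) {
      for (ServiceAccount account : page) {
        accounts.add(new GCPServiceAccount(account.getUniqueId(), account.getProjectId()));
      }
    }
    pageToken = response.getNextPageToken();
  } while (pageToken != null && !pageToken.isEmpty());
  return accounts;
}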
 
Example #3
Source File: ServiceAccountUsageAuthorizerTest.java    From styx with Apache License 2.0
/**
 * Builds the fixture for the ServiceAccountUsageAuthorizer tests: two IAM policies
 * (project level and service-account level), mocked IAM / Resource Manager /
 * Directory clients that serve them, and the authorizer under test.
 *
 * <p>NOTE(review): the {@code "[email protected]"} literals below look like
 * e-mail addresses redacted by the page this listing was copied from, not the
 * values used in the original project — confirm against the upstream source.
 *
 * @throws IOException declared because the stubbed client calls declare it
 */
@Before
public void setUp() throws IOException {
  // Initialise the Mockito-annotated fields of this test instance.
  MockitoAnnotations.initMocks(this);

  // Project-level policy: one binding for the service-account-user role,
  // held by a single user and by the project admins group.
  projectBinding.setRole(SERVICE_ACCOUNT_USER_ROLE);
  projectBinding.setMembers(new ArrayList<>());
  projectBinding.getMembers().add("user:[email protected]");
  projectBinding.getMembers().add("group:" + PROJECT_ADMINS_GROUP_EMAIL);
  final com.google.api.services.cloudresourcemanager.model.Policy projectPolicy =
      new com.google.api.services.cloudresourcemanager.model.Policy();
  projectPolicy.setBindings(new ArrayList<>());
  projectPolicy.getBindings().add(projectBinding);

  // Service-account-level policy: same role, held by a single user and by the
  // service account admins group.
  saBinding.setRole(SERVICE_ACCOUNT_USER_ROLE);
  saBinding.setMembers(new ArrayList<>());
  saBinding.getMembers().add("user:[email protected]");
  saBinding.getMembers().add("group:" + SERVICE_ACCOUNT_ADMINS_GROUP_EMAIL);
  final com.google.api.services.iam.v1.model.Policy saPolicy =
      new com.google.api.services.iam.v1.model.Policy();
  saPolicy.setBindings(new ArrayList<>());
  saPolicy.getBindings().add(saBinding);

  // Authorization is enforced by default for every request in these tests.
  when(authorizationPolicy.shouldEnforceAuthorization(any(), any(), any())).thenReturn(true);
  // The caller's identity is taken from the ID token payload e-mail.
  when(idToken.getPayload()).thenReturn(idTokenPayload);
  when(idTokenPayload.getEmail()).thenReturn(PRINCIPAL_EMAIL);

  // Serve the two policies built above from the mocked clients.
  // NOTE(review): the (Object) casts are presumably there to sidestep generic
  // type inference on the generated request types — confirm.
  when((Object) getIamPolicy.execute()).thenReturn(projectPolicy);
  when((Object) crm.projects().getIamPolicy(any(), eq(GET_IAM_POLICY_REQUEST))).thenReturn(getIamPolicy);
  when((Object) iam.projects().serviceAccounts().getIamPolicy(any()).execute()).thenReturn(saPolicy);

  // Directory group lookups: by default every hasMember query resolves to the
  // "not a member" request. The isMember request is stubbed to answer true but
  // is not wired to hasMember here.
  doReturn(members).when(directory).members();
  doReturn(isNotMember).when(members).hasMember(any(), any());
  doReturn(new MembersHasMember().setIsMember(true)).when(isMember).execute();
  doReturn(new MembersHasMember().setIsMember(false)).when(isNotMember).execute();

  // Any service account lookup returns the managed account in its project.
  when((Object) iam.projects().serviceAccounts().get(any()).execute())
      .thenReturn(new ServiceAccount()
          .setEmail(MANAGED_SERVICE_ACCOUNT)
          .setProjectId(SERVICE_ACCOUNT_PROJECT));

  // Service account credentials built from the test's private key field.
  credential = ServiceAccountCredentials.newBuilder()
      .setPrivateKey(privateKey)
      .setClientEmail("[email protected]")
      .build();

  // System under test, with retries that do not wait and stop after RETRY_ATTEMPTS.
  sut = new ServiceAccountUsageAuthorizer.Impl(iam, crm, directory, SERVICE_ACCOUNT_USER_ROLE, authorizationPolicy,
      WaitStrategies.noWait(), StopStrategies.stopAfterAttempt(RETRY_ATTEMPTS), MESSAGE, ADMINISTRATORS, BLACKLIST);
}
 
Example #4
Source File: EndToEndTestBase.java    From styx with Apache License 2.0
/**
 * Creates the per-run workflow service account in the test project and attaches
 * the IAM bindings the end-to-end test relies on.
 *
 * <p>The account's display name is set to the test namespace. Two bindings are
 * added to the account's own IAM policy: a project custom role for using the
 * account, and {@code roles/iam.serviceAccountKeyAdmin}. The key-admin binding
 * lets its member manage keys for the new account, so this setup belongs only in
 * a dedicated test project whose accounts are removed after the run.
 *
 * @throws IOException if loading the default credentials or any IAM call fails
 */
private void setUpServiceAccounts() throws IOException {
  // IAM client authenticated with the application default credentials.
  iam = new Iam.Builder(
      Utils.getDefaultTransport(), Utils.getDefaultJsonFactory(),
      GoogleCredential.getApplicationDefault().createScoped(IamScopes.all()))
      .setApplicationName(testNamespace)
      .build();

  // Create the workflow service account, labelled with the test namespace.
  var labelledAccount = new ServiceAccount().setDisplayName(testNamespace);
  var creation = new CreateServiceAccountRequest()
      .setAccountId(workflowServiceAccountId)
      .setServiceAccount(labelledAccount);
  workflowServiceAccount = iam.projects().serviceAccounts()
      .create("projects/styx-oss-test", creation)
      .execute();
  log.info("Created workflow test service account: {}", workflowServiceAccount.getEmail());

  // Read-modify-write of the new account's IAM policy: the policy object returned
  // by getIamPolicy is amended and sent back in the setIamPolicy request.
  var accountResource = "projects/styx-oss-test/serviceAccounts/" + workflowServiceAccount.getEmail();
  var policy = iam.projects().serviceAccounts()
      .getIamPolicy(accountResource)
      .execute();
  var bindings = policy.getBindings();
  if (bindings == null) {
    // A policy without bindings comes back with a null list.
    bindings = new ArrayList<>();
    policy.setBindings(bindings);
  }

  var usageBinding = new Binding()
      .setRole("projects/styx-oss-test/roles/StyxWorkflowServiceAccountUser")
      .setMembers(List.of("serviceAccount:[email protected]"));
  bindings.add(usageBinding);

  // TODO: set up a styx service account instead of using styx-circle-ci@
  var keyAdminBinding = new Binding()
      .setRole("roles/iam.serviceAccountKeyAdmin")
      .setMembers(List.of("serviceAccount:[email protected]"));
  bindings.add(keyAdminBinding);

  var update = new SetIamPolicyRequest().setPolicy(policy);
  iam.projects().serviceAccounts().setIamPolicy(accountResource, update)
      .execute();
}
 
Example #5
Source File: ServiceAccountCleanupTest.java    From styx with Apache License 2.0
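/**
 * Lists every service account in the {@code styx-oss-test} project, following
 * page tokens until the listing is exhausted.
 *
 * @param iam the IAM client used to issue the list requests
 * @return all service accounts of the project; empty (never null) when there are none
 * @throws IOException if a list request fails
 */
private List<ServiceAccount> listServiceAccounts(Iam iam) throws IOException {
  var accounts = new ArrayList<ServiceAccount>();
  String pageToken = null;
  do {
    // A null token requests the first page.
    var request = iam.projects().serviceAccounts().list("projects/styx-oss-test")
        .setPageToken(pageToken);
    var listResponse = executeWithRetries(request);
    // The generated model leaves absent fields null, so a page without accounts
    // (for example an empty project) carries a null list; addAll(null) would throw.
    var page = listResponse.getAccounts();
    if (page != null) {
      accounts.addAll(page);
    }
    pageToken = listResponse.getNextPageToken();
  } while (pageToken != null);
  return accounts;
}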