package iam

import (
	"context"

	"google.golang.org/api/googleapi"
	"google.golang.org/api/iam/v1"
)

// NewServiceAccount builds an iam.ServiceAccount value carrying only the
// given display name and description. It performs no API call.
func NewServiceAccount(displayName, description string) *iam.ServiceAccount {
	sa := new(iam.ServiceAccount)
	sa.DisplayName = displayName
	sa.Description = description
	return sa
}

// NewServiceAccountRequest builds the CreateServiceAccountRequest used by
// CreateServiceAccount. accountID becomes the account's local id (the part
// before "@" in its email); serviceAccount supplies the remaining fields.
// It performs no API call.
func NewServiceAccountRequest(accountID string, serviceAccount *iam.ServiceAccount) *iam.CreateServiceAccountRequest {
	req := new(iam.CreateServiceAccountRequest)
	req.AccountId = accountID
	req.ServiceAccount = serviceAccount
	return req
}

// CreateServiceAccount creates a service account in the given project.
// projectID is the project resource name in the form projects/{PROJECT_ID};
// the request is normally built with NewServiceAccountRequest. The call is
// bound to ctx and returns the account as the API recorded it.
func (i *IAMService) CreateServiceAccount(ctx context.Context, projectID string, serviceAccount *iam.CreateServiceAccountRequest) (*iam.ServiceAccount, error) {
	call := i.Projects.ServiceAccounts.Create(projectID, serviceAccount)
	return call.Context(ctx).Do()
}

// DeleteServiceAccount deletes the service account identified by name, where
// name has the form projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Only the
// API error, if any, is surfaced; the response body is discarded.
func (i *IAMService) DeleteServiceAccount(ctx context.Context, name string) error {
	call := i.Projects.ServiceAccounts.Delete(name)
	if _, err := call.Context(ctx).Do(); err != nil {
		return err
	}
	return nil
}

// GetServiceAccount fetches the service account identified by name, where
// name has the form projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}.
func (i *IAMService) GetServiceAccount(ctx context.Context, name string) (*iam.ServiceAccount, error) {
	call := i.Projects.ServiceAccounts.Get(name)
	return call.Context(ctx).Do()
}

// NewServiceAccountKeyRequest returns an empty CreateServiceAccountKeyRequest;
// all fields are left at their zero values, so the API applies its defaults.
func NewServiceAccountKeyRequest() *iam.CreateServiceAccountKeyRequest {
	var req iam.CreateServiceAccountKeyRequest
	return &req
}

// CreateServiceAccountKey calls the iam endpoint and returns a sa key object.
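func (i *IAMService) CreateServiceAccountKey(ctx context.Context, name string, saKeyRequest *iam.CreateServiceAccountKeyRequest, opts ...googleapi.CallOption) (*iam.ServiceAccountKey, error) {
	// name is the service account resource name,
	// projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. opts are passed through
	// to the underlying call unchanged.
	//
	// The returned key carries the private key material (PrivateKeyData), which
	// the API hands out only at creation time: the caller is responsible for
	// storing it securely and keeping it out of logs.
	return i.Projects.ServiceAccounts.Keys.Create(name, saKeyRequest).Context(ctx).Do(opts...)
}

// maxUserManagedKeys is the number of user-managed keys a single service
// account may hold at once. Google-managed ("SYSTEM_MANAGED") keys are not
// counted toward this limit.
const maxUserManagedKeys = 10

// DeleteExcessServiceAccountKeys deletes the user-managed keys of the service
// account named by name once it has reached the user-managed key limit. It is
// intended for the case where bootstrap is called repeatedly and keeps minting
// keys.
//
// Only user-managed keys are counted and deleted; system-managed keys are
// ignored both for the threshold and for deletion, because they do not count
// toward the limit and cannot be removed through this API.
//
// Note that, once the threshold is reached, EVERY user-managed key is
// revoked, not just the surplus: any workload still authenticating with one of
// them loses access. Deletion stops at the first failing call, so a non-nil
// error may leave the account with some keys already removed.
func (i *IAMService) DeleteExcessServiceAccountKeys(ctx context.Context, name string, opts ...googleapi.CallOption) error {
	resp, err := i.Projects.ServiceAccounts.Keys.List(name).Context(ctx).Do(opts...)
	if err != nil {
		return err
	}

	// The list contains both key types; compare the limit against the
	// user-managed subset only, otherwise the system-managed keys inflate the
	// count and trigger revocation before the limit is actually reached.
	userManaged := make([]*iam.ServiceAccountKey, 0, len(resp.Keys))
	for _, key := range resp.Keys {
		if key.KeyType == "SYSTEM_MANAGED" {
			continue
		}
		userManaged = append(userManaged, key)
	}
	if len(userManaged) < maxUserManagedKeys {
		return nil
	}

	for _, key := range userManaged {
		if _, err := i.Projects.ServiceAccounts.Keys.Delete(key.Name).Context(ctx).Do(opts...); err != nil {
			return err
		}
	}
	return nil
}

// GetServiceAccountIamPolicy fetches the IAM policy attached to the service
// account identified by resource (projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}).
// The returned policy's Etag should be carried into a subsequent
// SetServiceAccountIamPolicy so that a concurrent change is rejected by the
// API rather than silently overwritten.
func (i *IAMService) GetServiceAccountIamPolicy(ctx context.Context, resource string) (*iam.Policy, error) {
	call := i.Projects.ServiceAccounts.GetIamPolicy(resource)
	return call.Context(ctx).Do()
}

// SetServiceAccountIamPolicy replaces the IAM policy of the service account
// identified by resource with the policy in policyRequest. The whole policy is
// replaced, not merged: bindings absent from the request are removed, so
// callers should read-modify-write starting from GetServiceAccountIamPolicy and
// keep its Etag in the request.
func (i *IAMService) SetServiceAccountIamPolicy(ctx context.Context, resource string, policyRequest *iam.SetIamPolicyRequest) (*iam.Policy, error) {
	call := i.Projects.ServiceAccounts.SetIamPolicy(resource, policyRequest)
	return call.Context(ctx).Do()
}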