docs(samples): add iam deny samples and test (#371)
* docs(samples): init add iam deny samples and test * docs(samples): added comments * 🦉 Updates from OwlBot post-processor See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md * docs(samples): add pom.xml and removed jupiter dependency * minor lro update and refactoring * added comments and minor refactoring * 🦉 Updates from OwlBot post-processor See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md * added region tags * 🦉 Updates from OwlBot post-processor See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md * updated acc to review comments * 🦉 Updates from OwlBot post-processor See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
1 parent
f582a18
commit 79a0484
Showing
7 changed files
with
775 additions
and
0 deletions.
@@ -0,0 +1,97 @@ | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
<!-- | ||
Copyright 2022 Google LLC | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
--> | ||
<project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
xmlns="http://maven.apache.org/POM/4.0.0" | ||
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> | ||
<artifactId>iam-deny-samples</artifactId> | ||
<modelVersion>4.0.0</modelVersion> | ||
<version>1.0-SNAPSHOT</version> | ||
|
||
<dependencies> | ||
|
||
<dependency> | ||
<groupId>com.google.apis</groupId> | ||
<artifactId>google-api-services-cloudresourcemanager</artifactId> | ||
<version>v3-rev20211107-1.32.1</version> | ||
</dependency> | ||
<dependency> | ||
<groupId>com.google.auth</groupId> | ||
<artifactId>google-auth-library-oauth2-http</artifactId> | ||
<version>1.4.0</version> | ||
</dependency> | ||
<dependency> | ||
<groupId>com.google.http-client</groupId> | ||
<artifactId>google-http-client-jackson2</artifactId> | ||
<version>1.41.8</version> | ||
</dependency> | ||
<dependency> | ||
<groupId>com.google.apis</groupId> | ||
<artifactId>google-api-services-iam</artifactId> | ||
<version>v2beta-rev20220526-1.32.1</version> | ||
</dependency> | ||
<dependency> | ||
<groupId>com.google.apis</groupId> | ||
<artifactId>google-api-services-iamcredentials</artifactId> | ||
<version>v1-rev20211203-1.32.1</version> | ||
</dependency> | ||
|
||
<!-- Test dependencies --> | ||
<dependency> | ||
<artifactId>truth</artifactId> | ||
<groupId>com.google.truth</groupId> | ||
<scope>test</scope> | ||
<version>1.1.3</version> | ||
</dependency> | ||
<dependency> | ||
<artifactId>junit</artifactId> | ||
<groupId>junit</groupId> | ||
<scope>test</scope> | ||
<version>4.13.2</version> | ||
</dependency> | ||
|
||
</dependencies> | ||
|
||
<dependencyManagement> | ||
<dependencies> | ||
<dependency> | ||
<artifactId>libraries-bom</artifactId> | ||
<groupId>com.google.cloud</groupId> | ||
<scope>import</scope> | ||
<type>pom</type> | ||
<version>25.0.0</version> | ||
</dependency> | ||
</dependencies> | ||
</dependencyManagement> | ||
|
||
<!-- | ||
The parent pom defines common style checks and testing strategies for our samples. | ||
Removing or replacing it should not affect the execution of the samples in anyway. | ||
--> | ||
<parent> | ||
<artifactId>shared-configuration</artifactId> | ||
<groupId>com.google.cloud.samples</groupId> | ||
<version>1.2.0</version> | ||
</parent> | ||
|
||
<properties> | ||
<maven.compiler.source>11</maven.compiler.source> | ||
<maven.compiler.target>11</maven.compiler.target> | ||
</properties> | ||
|
||
<groupId>gce-diregapic</groupId> | ||
|
||
</project> |
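--- a/java-iam/samples/cloud-client/snippets/src/main/java/CreateDenyPolicy.java
+++ b/java-iam/samples/cloud-client/snippets/src/main/java/CreateDenyPolicy.java
@@ -0,0 +1,164 @@
+/*
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// [START iam_create_deny_policy]
+
+import com.google.iam.v2beta.CreatePolicyRequest;
+import com.google.iam.v2beta.DenyRule;
+import com.google.iam.v2beta.PoliciesClient;
+import com.google.iam.v2beta.Policy;
+import com.google.iam.v2beta.PolicyRule;
+import com.google.longrunning.Operation;
+import com.google.type.Expr;
+import java.io.IOException;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
+
+public class CreateDenyPolicy {
+
+  public static void main(String[] args)
+      throws IOException, ExecutionException, InterruptedException, TimeoutException {
+    // TODO(developer): Replace these variables before running the sample.
+    // ID or number of the Google Cloud project you want to use.
+    String projectId = "sitalakshmi-deny";
+
+    // Specify the id of the Deny policy you want to create.
+    String policyId = "deny-policy-id-1";
+
+    createDenyPolicy(projectId, policyId);
+  }
+
+  // Create a deny policy.
+  // You can add deny policies to organizations, folders, and projects.
+  // Each of these resources can have up to 5 deny policies.
+  //
+  // Deny policies contain deny rules, which specify the following:
+  // 1. The permissions to deny and/or exempt.
+  // 2. The principals that are denied, or exempted from denial.
+  // 3. An optional condition on when to enforce the deny rules.
+  public static void createDenyPolicy(String projectId, String policyId)
+      throws IOException, ExecutionException, InterruptedException, TimeoutException {
+
+    try (PoliciesClient policiesClient = PoliciesClient.create()) {
+      // Each deny policy is attached to an organization, folder, or project.
+      // To work with deny policies, specify the attachment point.
+      //
+      // Its format can be one of the following:
+      // 1. cloudresourcemanager.googleapis.com/organizations/ORG_ID
+      // 2. cloudresourcemanager.googleapis.com/folders/FOLDER_ID
+      // 3. cloudresourcemanager.googleapis.com/projects/PROJECT_ID
+      //
+      // The attachment point is identified by its URL-encoded resource name.
+      String urlEncodedResource =
+          URLEncoder.encode(
+              "cloudresourcemanager.googleapis.com/projects/", StandardCharsets.UTF_8);
+      String attachmentPoint = String.format("%s%s", urlEncodedResource, projectId);
+
+      // Construct the full path of the resource to which the policy is attached.
+      // Its format is: "policies/{attachmentPoint}/denypolicies/{policyId}"
+      String policyParent = String.format("policies/%s/denypolicies", attachmentPoint);
+
+      DenyRule denyRule =
+          DenyRule.newBuilder()
+              // Add one or more principals who should be denied the permissions specified in this
+              // rule.
+              // For more information on allowed values, see:
+              // https://cloud.google.com/iam/docs/principal-identifiers
+              .addDeniedPrincipals("principalSet://goog/public:all")
+
+              // Optionally, set the principals who should be exempted from the
+              // list of denied principals. For example, if you want to deny certain permissions
+              // to a group but exempt a few principals, then add those here.
+              // .addExceptionPrincipals(
+              // "principalSet://goog/group/[email protected]")
+
+              // Set the permissions to deny.
+              // The permission value is of the format: service_fqdn/resource.action
+              // For the list of supported permissions, see:
+              // https://cloud.google.com/iam/help/deny/supported-permissions
+              .addDeniedPermissions("cloudresourcemanager.googleapis.com/projects.delete")
+
+              // Optionally, add the permissions to be exempted from this rule.
+              // Meaning, the deny rule will not be applicable to these permissions.
+              // .addExceptionPermissions("cloudresourcemanager.googleapis.com/projects.create")
+
+              // Set the condition which will enforce the deny rule. If this condition is true,
+              // the deny rule will be applicable. Else, the rule will not be enforced.
+              .setDenialCondition(
+                  Expr.newBuilder()
+                      // The expression uses Common Expression Language syntax (CEL).
+                      // Here we block access based on tags.
+                      //
+                      // A tag is a key-value pair that can be attached to an organization, folder,
+                      // or project. You can use deny policies to deny permissions based on tags
+                      // without adding an IAM Condition to every role grant.
+                      // For example, imagine that you tag all of your projects as dev, test, or
+                      // prod. You want only members of [email protected] to be able to
+                      // perform operations on projects that are tagged prod.
+                      // To solve this problem, you create a deny rule that denies the
+                      // cloudresourcemanager.googleapis.com/projects.delete permission to everyone
+                      // except [email protected] for resources that are tagged test.
+                      .setExpression("!resource.matchTag('12345678/env', 'test')")
+                      .setTitle("Only for test projects")
+                      .build())
+              .build();
+
+      // Add the deny rule and a description for it.
+      Policy policy =
+          Policy.newBuilder()
+              // Set the deny rule.
+              .addRules(
+                  PolicyRule.newBuilder()
+                      // Set a description for the rule.
+                      .setDescription(
+                          "block all principals from deleting projects, unless the principal is a member of [email protected] and the project being deleted has a tag with the value test")
+                      .setDenyRule(denyRule)
+                      .build())
+              .build();
+
+      // Set the policy resource path, policy rules and a unique ID for the policy.
+      CreatePolicyRequest createPolicyRequest =
+          CreatePolicyRequest.newBuilder()
+              .setParent(policyParent)
+              .setPolicy(policy)
+              .setPolicyId(policyId)
+              .build();
+
+      // Build the create policy request.
+      Operation operation =
+          policiesClient
+              .createPolicyCallable()
+              .futureCall(createPolicyRequest)
+              .get(3, TimeUnit.MINUTES);
+
+      // Wait for the operation to complete.
+      if (!operation.getDone() || operation.hasError()) {
+        System.out.println("Error in creating the policy " + operation.getError());
+        return;
+      }
+
+      // Retrieve the policy name.
+      Policy response = policiesClient.getPolicy(String.format("%s/%s", policyParent, policyId));
+      String policyName = response.getName();
+      System.out.println(
+          "Created the deny policy: " + policyName.substring(policyName.lastIndexOf("/") + 1));
+    }
+  }
+}
+// [END iam_create_deny_policy]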
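Review bot: `String projectId = "sitalakshmi-deny";` in main() ships what looks like a real project ID in a public sample instead of the `your-google-cloud-project-id` placeholder the sibling DeleteDenyPolicy uses, so anyone running the snippet unchanged tries to attach a deny policy to a project they do not own; replace it with the placeholder, and give the `12345678/env` tag key in the CEL expression the same TODO(developer) treatment, since that numeric prefix is an organization or project ID that must be substituted too. The description stored with the rule says deletion is blocked "unless the principal is a member of [email protected]", but `addExceptionPrincipals` is commented out, so the rule as created denies `projects.delete` to `principalSet://goog/public:all` with no exemption; the description is what an auditor reads next to the rule, so it should describe the rule as written, or the exemption should be enabled. The comment block above `setExpression` likewise says the rule applies "for resources that are tagged test", whereas `!resource.matchTag(...)` enforces it on every resource that is not tagged env=test; rewording it to `// Enforce the rule on every resource that is NOT tagged env=test, so only test projects stay deletable.` keeps the sample honest.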
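--- a/java-iam/samples/cloud-client/snippets/src/main/java/DeleteDenyPolicy.java
+++ b/java-iam/samples/cloud-client/snippets/src/main/java/DeleteDenyPolicy.java
@@ -0,0 +1,87 @@
+/*
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// [START iam_delete_deny_policy]
+
+import com.google.iam.v2beta.DeletePolicyRequest;
+import com.google.iam.v2beta.PoliciesClient;
+import com.google.longrunning.Operation;
+import java.io.IOException;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
+
+public class DeleteDenyPolicy {
+
+  public static void main(String[] args)
+      throws IOException, InterruptedException, ExecutionException, TimeoutException {
+    // TODO(developer): Replace these variables before running the sample.
+
+    // ID or number of the Google Cloud project you want to use.
+    String projectId = "your-google-cloud-project-id";
+
+    // Specify the ID of the deny policy you want to retrieve.
+    String policyId = "deny-policy-id";
+
+    deleteDenyPolicy(projectId, policyId);
+  }
+
+  // Delete the policy if you no longer want to enforce the rules in a deny policy.
+  public static void deleteDenyPolicy(String projectId, String policyId)
+      throws IOException, InterruptedException, ExecutionException, TimeoutException {
+    try (PoliciesClient policiesClient = PoliciesClient.create()) {
+
+      // Each deny policy is attached to an organization, folder, or project.
+      // To work with deny policies, specify the attachment point.
+      //
+      // Its format can be one of the following:
+      // 1. cloudresourcemanager.googleapis.com/organizations/ORG_ID
+      // 2. cloudresourcemanager.googleapis.com/folders/FOLDER_ID
+      // 3. cloudresourcemanager.googleapis.com/projects/PROJECT_ID
+      //
+      // The attachment point is identified by its URL-encoded resource name.
+      String urlEncodedResource =
+          URLEncoder.encode(
+              "cloudresourcemanager.googleapis.com/projects/", StandardCharsets.UTF_8);
+      String attachmentPoint = String.format("%s%s", urlEncodedResource, projectId);
+
+      // Construct the full path of the resource to which the policy is attached.
+      // Its format is: "policies/{attachmentPoint}/denypolicies/{policyId}"
+      String policyParent = String.format("policies/%s/denypolicies/%s", attachmentPoint, policyId);
+
+      // Create the DeletePolicy request.
+      DeletePolicyRequest deletePolicyRequest =
+          DeletePolicyRequest.newBuilder().setName(policyParent).build();
+
+      // Delete the policy and wait for the operation to complete.
+      Operation operation =
+          policiesClient
+              .deletePolicyCallable()
+              .futureCall(deletePolicyRequest)
+              .get(3, TimeUnit.MINUTES);
+
+      if (!operation.getDone() || operation.hasError()) {
+        System.out.println("Error in deleting the policy " + operation.getError());
+        return;
+      }
+
+      System.out.println("Deleted the deny policy: " + policyId);
+    }
+  }
+}
+// [END iam_delete_deny_policy]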
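Review bot: When the delete fails or has not finished, the `if (!operation.getDone() || operation.hasError())` branch prints to stdout and returns normally, so a caller of deleteDenyPolicy cannot tell a removed policy from one that is still enforcing its rules; for an IAM mutation the failure should propagate, e.g. `throw new IllegalStateException("Error in deleting the policy " + operation.getError());` in place of the print-and-return. The delete is also unconditional: if the v2beta `DeletePolicyRequest` exposes the optional `etag` field the v2 API documents, setting it from a preceding getPolicy would let the sample show how to avoid deleting a policy that someone else changed in the meantime. Minor: the variable `policyParent` built from `"policies/%s/denypolicies/%s"` holds the full policy name rather than a parent, and the comment above it says the same thing in different words; naming it `policyName` matches what it is passed to (`setName`).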