2
votes

I am using Python code to get the permissions present in a custom IAM role. Even though I pass the parameter as per the documentation https://cloud.google.com/iam/docs/creating-custom-roles#iam-custom-roles-get-metadata-python, it is throwing the error below. role['name'] assumes the role id from the IAM role. I am not able to figure it out from the Google docs. Any help would be appreciated.

TypeError: Parameter "name" value "projects/my-new-project-273607/roles/CustomRole" does not match the pattern "^roles/[^/]+$"

roles = service.roles().list(parent='projects/' + 'my-new-project-273607').execute()['roles']
print('Name: ' + roles['name'])
role = service.roles().get(name=roles['name']).execute()
for permission in role['includedPermissions']:
    print(permission)
print('permissions:' + role['includedPermissions'])
2
Do not post duplicate questions. stackoverflow.com/questions/61323593/… Delete one of them. - John Hanley
Yes, I did. Could you help me with the answer? @JohnHanley - poornachand sounderrajan
Create a minimum example and I will look at your code: stackoverflow.com/help/minimal-reproducible-example - John Hanley
@JohnHanley I have included the snippet of my code and the type error. This command "service.roles().get(name=role['name']).execute()" does not work according to the syntax provided in the documentation. - poornachand sounderrajan
Your example doesn't make sense. What is the value of role['name'] here? The example in the docs tells you to call service.roles().get(name=name).execute(). Have you tried doing that? - Dustin Ingram

2 Answers

1
votes

service.roles().get() is used to get built-in GCP roles (e.g. 'roles/logging.configWriter'). You are using service.roles().list() to get project roles.

If you want to get the details of these project roles you will need to use service.projects().roles().get(name=.....) instead.

See https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/get#path-parameters
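
The name-to-collection mismatch behind the TypeError, as an added example that is not part of the original answer or of Google's documentation: it picks the collection from the shape of the role name, then lists the permissions of every custom role in a project. It assumes `service` is the client built with `discovery.build('iam', 'v1', ...)`; the function names are hypothetical, and the project and organization patterns are assumed to follow the same shape as the one quoted in the error.

```python
import re

# Name patterns per API collection. The first is quoted in the question's
# TypeError; the other two are assumed to follow the same resource-name shape
# for project-level and organization-level custom roles.
_PATTERNS = {
    "roles": re.compile(r"^roles/[^/]+$"),
    "projects.roles": re.compile(r"^projects/[^/]+/roles/[^/]+$"),
    "organizations.roles": re.compile(r"^organizations/[^/]+/roles/[^/]+$"),
}


def collection_for(name):
    """Return the API collection whose get() accepts this role name."""
    for collection, pattern in _PATTERNS.items():
        if pattern.match(name):
            return collection
    raise ValueError("not a valid IAM role name: %r" % name)


def get_role(service, name):
    """Fetch a role through the collection that matches its name."""
    resource = service
    # "projects.roles" becomes service.projects().roles(), and so on.
    for part in collection_for(name).split("."):
        resource = getattr(resource, part)()
    return resource.get(name=name).execute()


def project_role_permissions(service, project_id):
    """Map each custom role in a project to its sorted permission list."""
    result = {}
    request = service.projects().roles().list(parent="projects/" + project_id)
    while request is not None:
        response = request.execute()
        for role in response.get("roles", []):
            # get() returns includedPermissions for the full role resource.
            full = get_role(service, role["name"])
            result[role["name"]] = sorted(full.get("includedPermissions", []))
        request = service.projects().roles().list_next(
            previous_request=request, previous_response=response)
    return result
```

Passing a name such as `CustomRole` without its `projects/.../roles/` prefix raises `ValueError` locally instead of reaching the API.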

0
votes

Try this: https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/list

projects.roles/list is a way to list custom roles.

"""
BEFORE RUNNING:
---------------
1. If not already done, enable the Identity and Access Management (IAM) API
   and check the quota for your project at
   https://console.developers.google.com/apis/api/iam
2. This sample uses Application Default Credentials for authentication.
   If not already done, install the gcloud CLI from
   https://cloud.google.com/sdk and run
   `gcloud beta auth application-default login`.
   For more information, see
   https://developers.google.com/identity/protocols/application-default-credentials
3. Install the Python client library for Google APIs by running
   `pip install --upgrade google-api-python-client`
"""
from pprint import pprint

from googleapiclient import discovery
from oauth2client.client import GoogleCredentials

credentials = GoogleCredentials.get_application_default()

service = discovery.build('iam', 'v1', credentials=credentials)

# The resource name of the parent resource in one of the following formats:
# `` (empty string) -- this refers to curated roles.
# `organizations/{ORGANIZATION_ID}`
# `projects/{PROJECT_ID}`
parent = 'projects/my-project'  # TODO: Update placeholder value.

request = service.projects().roles().list(parent=parent)
while True:
    response = request.execute()

    for role in response.get('roles', []):
        # TODO: Change code below to process each `role` resource:
        pprint(role)

    request = service.projects().roles().list_next(previous_request=request, previous_response=response)
    if request is None:
        break