Google Cloud Resource Manager API - grant owner role to a user

天大地大妈咪最大 submitted on 2019-12-12 16:32:44

Question


I am using the Google Cloud Resource Manager API with Service Account authorization in Google Apps Script. In the program I am interested in updating the roles of a Developer Console project.

Specifically, I am trying to change the Developer Console project's owner to editor and make another user the owner. In terms of the HTTP request payload, I believe this would look like:

// before (taken from response of getIamPolicy REST call)
{
    "bindings": [{
            "role": "roles/owner",
            "members": ["user:abc@my-google-domain.com"]
     }],
    "version": "0",
    "etag": "acbqwcada="
}

// after (modified policy) used in setIamPolicy REST call
{
    "bindings": [{
            "role": "roles/owner",
            "members": ["user:def@my-google-domain.com"]
     },
     {
            "role": "roles/editor",
            "members": ["user:abc@my-google-domain.com"]
     }],
    "version": "0",
    "etag": "acbqwcada="
}

A few things I observed:

  • When changing the current owner (user email) to editor and adding a new owner (user email), the API call returns a SOLO_MUST_INVITE_OWNERS error. Here, I am impersonating the service account as the initial owner of the project, with all necessary domain-wide access.

  • However, when I make the same call in the Google API Explorer with the same payload, it works fine!

  • The Google Cloud Identity and Access Management documentation seems confusing. At one point it says "Cloud Resource Manager IAM methods only support granting the owner role to user and serviceAccount", while at another point it says "A user cannot be granted owner access using setIamPolicy(). The user must be granted the owner role using the Cloud Platform Console and he must explicitly accept the invitation." -- I am wondering whether there is any other way to set policies other than setIamPolicy()?


Answer 1:


The Cloud Resource Manager API does not support adding an owner via setIamPolicy; see the documentation on setIamPolicy:

To be added as an owner, a user must be invited via Cloud Platform console and must accept the invitation.

After you've invited def@my-google-domain.com and they've accepted (they'll appear as an owner of the project in the Cloud Platform console, and also as a member of the owner binding returned by getIamPolicy), you can make the setIamPolicy call to make abc@my-google-domain.com an editor.
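The following is an added example, not code from the question or the answer above: plain JavaScript (it runs unchanged in the Apps Script V8 runtime or in Node) that performs the read-modify-write the answer describes on a policy document of the shape the asker pasted from getIamPolicy. It demotes the existing owner to editor while carrying the etag over, and does a local pre-flight for the case the API rejects with SOLO_MUST_INVITE_OWNERS (a roles/owner member who is not already in the owner binding) and for the related mistake of leaving the project with no owner at all. The two policy objects and the helper names (`moveMember`, `checkOwnerBinding`, `buildDemoteOwnerRequest`) are this example's own constructions, not Resource Manager API calls; the second policy assumes def@my-google-domain.com has already accepted the console invitation.

```javascript
// Added example (not from the original post). Pure JavaScript, no network calls.

// Constructed sample: the asker's "before" policy as returned by getIamPolicy.
const BEFORE_POLICY = {
  bindings: [{ role: 'roles/owner', members: ['user:abc@my-google-domain.com'] }],
  version: '0',
  etag: 'acbqwcada=',
};

// Constructed sample: the asker's "after" payload, which setIamPolicy rejects.
const ASKER_AFTER_POLICY = {
  bindings: [
    { role: 'roles/owner', members: ['user:def@my-google-domain.com'] },
    { role: 'roles/editor', members: ['user:abc@my-google-domain.com'] },
  ],
  version: '0',
  etag: 'acbqwcada=',
};

// Constructed sample (assumption): the policy getIamPolicy returns once def@
// has accepted the console invitation and therefore appears as an owner.
const AFTER_INVITE_POLICY = {
  bindings: [{
    role: 'roles/owner',
    members: ['user:abc@my-google-domain.com', 'user:def@my-google-domain.com'],
  }],
  version: '0',
  etag: 'bcdrxdbeb=',
};

// Members currently bound to `role`, or [] if there is no such binding.
function membersOf(policy, role) {
  const binding = policy.bindings.find((b) => b.role === role);
  return binding ? binding.members.slice() : [];
}

// Returns a new policy with `member` moved from `fromRole` to `toRole`.
// Does not mutate the input, drops a binding left empty, and keeps the etag
// so setIamPolicy fails instead of clobbering a concurrent change.
function moveMember(policy, member, fromRole, toRole) {
  const bindings = policy.bindings.map((b) => ({ role: b.role, members: b.members.slice() }));
  const from = bindings.find((b) => b.role === fromRole);
  if (!from || !from.members.includes(member)) {
    throw new Error(`${member} does not hold ${fromRole}`);
  }
  from.members = from.members.filter((m) => m !== member);
  let to = bindings.find((b) => b.role === toRole);
  if (!to) {
    to = { role: toRole, members: [] };
    bindings.push(to);
  }
  if (!to.members.includes(member)) to.members.push(member);
  return {
    bindings: bindings.filter((b) => b.members.length > 0),
    version: policy.version,
    etag: policy.etag,
  };
}

// Local pre-flight: every roles/owner member in `proposed` must already be an
// owner in `current` (the console invitation is the only way to add one), and
// at least one owner must remain. Returns true or throws with the reason.
function checkOwnerBinding(current, proposed) {
  const currentOwners = new Set(membersOf(current, 'roles/owner'));
  const proposedOwners = membersOf(proposed, 'roles/owner');
  const uninvited = proposedOwners.filter((m) => !currentOwners.has(m));
  if (uninvited.length > 0) {
    throw new Error(`cannot grant roles/owner via setIamPolicy to ${uninvited.join(', ')}; `
      + 'invite them in the Cloud Platform console and wait for acceptance');
  }
  if (proposedOwners.length === 0) {
    throw new Error('policy would leave the project without an owner');
  }
  return true;
}

// Builds the request body for projects.setIamPolicy that demotes `oldOwner`
// to editor, but only once `newOwner` already shows up as an owner. Throws
// before any network call if the change cannot succeed.
function buildDemoteOwnerRequest(current, oldOwner, newOwner) {
  if (!membersOf(current, 'roles/owner').includes(`user:${newOwner}`)) {
    throw new Error(`${newOwner} is not an owner yet; invite them in the console, `
      + `wait for acceptance, then demote ${oldOwner}`);
  }
  const proposed = moveMember(current, `user:${oldOwner}`, 'roles/owner', 'roles/editor');
  checkOwnerBinding(current, proposed);
  return { policy: proposed };
}
```

The object returned by `buildDemoteOwnerRequest` is the JSON body to POST to `projects.setIamPolicy` (in Apps Script, via `UrlFetchApp.fetch` with the service account's bearer token). Because the etag from the preceding `getIamPolicy` call is carried into the body, the API refuses the write if someone else changed the policy in between, which is the behaviour you want for a change that touches the owner binding.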



Source: https://stackoverflow.com/questions/35298828/google-cloud-resource-manager-api-grant-owner-role-to-a-user
