Improve error instructions for CAA

Jay Lee
2022-04-07 12:52:21 +00:00
parent 41a10932cb
commit e49eed2a24
2 changed files with 19 additions and 19 deletions


@@ -13,7 +13,15 @@ from gam import utils
from gam.gapi import errors as gapi_errors from gam.gapi import errors as gapi_errors
from gam.gapi import cloudresourcemanager as gapi_crm from gam.gapi import cloudresourcemanager as gapi_crm
THROW_REASONS = [gapi_errors.ErrorReason.FOUR_O_THREE] THROW_REASONS = [gapi_errors.ErrorReason.FOUR_O_THREE]
def _gen_role_error(caa):
sa_email = caa._http.credentials.signer_email
role_error = f'Please grant service account {sa_email} the Access Context Manager Editor role to your GCP organization.'
controlflow.system_error_exit(2, role_error)
def build(): def build():
return gam.buildGAPIServiceObject('accesscontextmanager', return gam.buildGAPIServiceObject('accesscontextmanager',
act_as=None) act_as=None)
@@ -23,6 +31,8 @@ def get_access_policy(caa=None):
if not caa: if not caa:
build() build()
parent = gapi_crm.get_org_id() parent = gapi_crm.get_org_id()
if not parent:
_gen_role_error(caa)
try: try:
aps = gapi.get_all_pages(caa.accessPolicies(), aps = gapi.get_all_pages(caa.accessPolicies(),
'list', 'list',
@@ -31,7 +41,7 @@ def get_access_policy(caa=None):
parent=parent, parent=parent,
fields='accessPolicies(name,title)') fields='accessPolicies(name,title)')
except googleapiclient.errors.HttpError: except googleapiclient.errors.HttpError:
controlflow.system_error_exit(2, 'Your service account needs the Access Context Manager Reader or Editor role for your organization.') _gen_role_error(caa)
if not aps: if not aps:
controlflow.system_error_exit(2, 'You don\'t seem to have any access policies. That is odd.') controlflow.system_error_exit(2, 'You don\'t seem to have any access policies. That is odd.')
elif len(aps) == 1: elif len(aps) == 1:
@@ -53,7 +63,7 @@ def print_access_levels():
parent=ap_name, parent=ap_name,
accessLevelFormat='CEL', fields='*') accessLevelFormat='CEL', fields='*')
except googleapiclient.errors.HttpError: except googleapiclient.errors.HttpError:
controlflow.system_error_exit(2, 'Your service account needs the Access Context Manager Reader or Editor role for your organization.') _gen_role_error(caa)
for level in levels: for level in levels:
display.print_json(level) display.print_json(level)
print() print()
@@ -197,8 +207,7 @@ def create_access_level():
parent=ap_name, parent=ap_name,
body=body) body=body)
except googleapiclient.errors.HttpError: except googleapiclient.errors.HttpError:
controlflow.system_error_exit(2, 'Your service account needs the Access Context Manager Editor role for your organization.') _gen_role_error(caa)
def update_access_level(): def update_access_level():
caa = build() caa = build()
@@ -229,8 +238,7 @@ def update_access_level():
updateMask=updateMask, updateMask=updateMask,
body=body) body=body)
except googleapiclient.errors.HttpError: except googleapiclient.errors.HttpError:
controlflow.system_error_exit(2, 'Your service account needs the Access Context Manager Editor role for your organization.') _gen_role_error(caa)
def delete_access_level(): def delete_access_level():
caa = build() caa = build()
@@ -244,5 +252,4 @@ def delete_access_level():
'delete', 'delete',
name=name) name=name)
except googleapiclient.errors.HttpError: except googleapiclient.errors.HttpError:
controlflow.system_error_exit(2, 'Your service account needs the Access Context Manager Editor role for your organization.') _gen_role_error(caa)
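Review bot: `_gen_role_error` at the top of the first hunk dereferences `caa._http.credentials.signer_email` before it prints anything, so when `caa` is `None` — which looks possible at the new `if not parent: _gen_role_error(caa)` call in `get_access_policy`, since the preceding `if not caa: build()` (unchanged context) discards the object it builds — or when the credential object carries no `signer_email`, the helper dies with an AttributeError and the operator never sees the role guidance. The same helper now tells every caller to grant the Editor role, whereas the two read-only sites it replaces (the `accessPolicies` list call and the access-level listing in `print_access_levels`) previously asked for Reader or Editor, so the new wording steers users toward a broader grant than those operations need. Resolving the email with a fallback and taking the role as a parameter keeps the message informative without widening permissions; the two read-only call sites could then pass `role='Reader or Editor'` while the create/update/delete sites keep the default. `_http` is a private attribute of the discovery client, which is worth a comment so the next maintainer knows the lookup is best-effort.
```python
def _gen_role_error(caa, role='Editor'):
    """Exit with instructions naming the service account and the ACM role it lacks.

    role is the human-readable role text placed in the message; callers that only
    read should pass 'Reader or Editor' so users are not told to over-grant.
    """
    try:
        # _http is a private attribute of the discovery client and signer_email
        # exists only on service-account credentials; fall back instead of crashing.
        sa_email = caa._http.credentials.signer_email
    except AttributeError:
        sa_email = None
    who = f'service account {sa_email}' if sa_email else 'the service account GAM is using'
    role_error = f'Please grant {who} the Access Context Manager {role} role to your GCP organization.'
    controlflow.system_error_exit(2, role_error)
```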


@@ -1,16 +1,7 @@
import string
import sys
import googleapiclient.errors
import gam import gam
from gam.var import * from gam.var import GC_Values, GC_CUSTOMER_ID
from gam import controlflow from gam import controlflow
from gam import display
from gam import fileutils
from gam import gapi from gam import gapi
from gam import utils
from gam.gapi import errors as gapi_errors
from gam.gapi.directory import customer as gapi_directory_customer from gam.gapi.directory import customer as gapi_directory_customer
def build(): def build():
@@ -27,5 +18,7 @@ def get_org_id():
'organizations', 'organizations',
query=query) query=query)
if len(orgs) < 1: if len(orgs) < 1:
controlflow.system_error_exit(2, 'Your service account needs permission to read org id') # return nothing and let calling API deal with it
# since caller knows what GCP role would serve best
return
return orgs[0]['name'] return orgs[0]['name']
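Review bot: The bare `return` added under `if len(orgs) < 1:` in `get_org_id` turns what was a hard exit into an implicit `None` for every caller of this function, and only the caller in the first file is visibly updated to check for it; any other caller I cannot see from here would now pass `parent=None` into its API call or fail later on the `None`. Make the new contract explicit — `return None  # no organization visible to these credentials; caller reports the role it needs` — and record it in the function's docstring as a "Returns: the organization resource name, or None when none is visible" entry, since the function's definition starts outside this hunk and the two-line comment above the return reads as a note to self rather than a documented contract.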