Remove IAM API from DWD

2026-06-28 09:51:36 +00:00 · 2025-06-03 18:13:11 -07:00
parent 2f1a7eb347
commit f06944a1fa
4 changed files with 42 additions and 20 deletions
--- a/src/GamUpdate.txt
+++ b/src/GamUpdate.txt
@@ -1,11 +1,10 @@
 7.08.03

-Fixed bug in `gam <UserTypeEntity> check|update serviceaccount` where the first use of
-the command after project creation enabled the following scopes that should be off by default.
-```
-Identity and Access Management API
-Youtube API - read only
-```
+Removed the overly broad service account `IAM and Access Management API` scope `https://www.googleapis.com/auth/cloud-platform`
+from DWD. The `gam <UserTypeEntity> check|Update serviceaccount` commands issue an error message if this scope
+is enabled promptig you to update your service account authorization so that the scope can be removed.
+
+GAM commands that need IAM access now use the more limited scope `https://www.googleapis.com/auth/iam` in a non-DWD manner.

 7.08.02

--- a/src/gam/init.py
+++ b/src/gam/init.py
@@ -10632,6 +10632,7 @@ def getOAuthClientIDAndSecret():
    invalidClientSecretsJsonExit(str(e))

 def getScopesFromUser(scopesList, clientAccess, currentScopes=None):
+  forceOffScopes = []
  OAUTH2_CMDS = ['s', 'u', 'e', 'c']
  oauth2_menu = ''
  numScopes = len(scopesList)
@@ -10682,6 +10683,9 @@ Continue to authorization by entering a 'c'
              break
        i += 1
    else:
+      for api in currentScopes:
+        if api in API.FORCE_OFF_SA_SCOPES:
+          forceOffScopes.extend(currentScopes[api])
      i = 0
      for a_scope in scopesList:
        selectedScopes[i] = ' '
@@ -10750,12 +10754,12 @@ Continue to authorization by entering a 'c'
            for i in range(numScopes):
              selectedScopes[i] = ' '
          elif selection == 'e':
-            return None
+            return (None, None)
          break
        sys.stdout.write(f'{ERROR_PREFIX}Invalid input "{choice}"\n')
    if selection == 'c':
      break
-  return selectedScopes
+  return (selectedScopes, forceOffScopes)

 def _localhost_to_ip():
  '''returns IPv4 or IPv6 loopback address which localhost resolves to.
@@ -11102,7 +11106,7 @@ def doOAuthRequest(currentScopes, login_hint, verifyScopes=False):
  client_id, client_secret = getOAuthClientIDAndSecret()
  scopesList = API.getClientScopesList(GC.Values[GC.TODRIVE_CLIENTACCESS])
  if not currentScopes or verifyScopes:
-    selectedScopes = getScopesFromUser(scopesList, True, currentScopes)
+    selectedScopes, _ = getScopesFromUser(scopesList, True, currentScopes)
    if selectedScopes is None:
      return False
    scopes = set(API.REQUIRED_SCOPES)
@@ -12246,6 +12250,7 @@ def checkServiceAccount(users):
  checkScopesSet = set()
  saScopes = {}
  useColor = False
+  forceOffScopes = []
  while Cmd.ArgumentsRemaining():
    myarg = getArgument()
    if myarg in {'scope', 'scopes'}:
@@ -12271,12 +12276,16 @@ def checkServiceAccount(users):
    testWarn = 'WARN'
  if Act.Get() == Act.CHECK:
    if not checkScopesSet:
-      for scope in iter(GM.Globals[GM.SVCACCT_SCOPES].values()):
-        checkScopesSet.update(scope)
+      currentScopes = GM.Globals[GM.SVCACCT_SCOPES]
+      for api in currentScopes:
+        if api in API.FORCE_OFF_SA_SCOPES:
+          forceOffScopes.extend(currentScopes[api])
+        else:
+          checkScopesSet.update(currentScopes[api])
  else:
    if not checkScopesSet:
      scopesList = API.getSvcAcctScopesList(GC.Values[GC.USER_SERVICE_ACCOUNT_ACCESS_ONLY], True)
-      selectedScopes = getScopesFromUser(scopesList, False, GM.Globals[GM.SVCACCT_SCOPES] if GM.Globals[GM.SVCACCT_SCOPES_DEFINED] else None)
+      selectedScopes, forceOffScopes = getScopesFromUser(scopesList, False, GM.Globals[GM.SVCACCT_SCOPES] if GM.Globals[GM.SVCACCT_SCOPES_DEFINED] else None)
      if selectedScopes is None:
        return False
      i = 0
@@ -12399,6 +12408,17 @@ def checkServiceAccount(users):
        scopeStatus = testFail
        allScopesPass = False
      printPassFail(scope, f'{scopeStatus}{currentCount(j, jcount)}')
+    if forceOffScopes:
+      allScopesPass = False
+      if useColor:
+        scopeStatus = createRedText('DISABLE')
+      else:
+        scopeStatus = 'DISABLE'
+      jcount = len(forceOffScopes)
+      j = 0
+      for scope in forceOffScopes:
+        j +=1
+        printPassFail(scope, f'{scopeStatus}{currentCount(j, jcount)}')
    Ind.Decrement()
    service_account = GM.Globals[GM.OAUTH2SERVICE_JSON_DATA]['client_id']
    if allScopesPass:
--- a/src/gam/gamlib/glapi.py
+++ b/src/gam/gamlib/glapi.py
@@ -118,6 +118,7 @@ JWT_APIS = {
  ACCESSCONTEXTMANAGER: [CLOUD_PLATFORM_SCOPE],
  CHAT: ['https://www.googleapis.com/auth/chat.bot'],
  CLOUDRESOURCEMANAGER: [CLOUD_PLATFORM_SCOPE],
+  IAM: [IAM_SCOPE],
  ORGPOLICY: [CLOUD_PLATFORM_SCOPE],
  }
 #
@@ -131,6 +132,8 @@ APIS_NEEDING_ACCESS_TOKEN = {
  CBCM: ['https://www.googleapis.com/auth/admin.directory.device.chromebrowsers']
  }
 #
+FORCE_OFF_SA_SCOPES = {IAM}
+#
 REFRESH_PERM_ERRORS = [
  'invalid_grant: reauth related error (rapt_required)', # no way to reauth today
  'invalid_grant: Token has been expired or revoked',
@@ -645,11 +648,11 @@ _SVCACCT_SCOPES = [
   'api': GMAIL,
   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/gmail.settings.sharing'},
-  {'name': 'Identity and Access Management API',
-   'api': IAM,
-   'offByDefault': True,
-   'subscopes': [],
-   'scope': IAM_SCOPE},
+#  {'name': 'Identity and Access Management API',
+#   'api': IAM,
+#   'offByDefault': True,
+#   'subscopes': [],
+#   'scope': IAM_SCOPE},
  {'name': 'Keep API',
   'api': KEEP,
   'subscopes': READONLY,
--- a/src/gam/gamlib/glmsgs.py
+++ b/src/gam/gamlib/glmsgs.py
@@ -145,7 +145,7 @@ SCOPE_AUTHORIZATION_PASSED = '''All scopes PASSED!
 Service Account Client name: {0} is fully authorized.
 '''
 SCOPE_AUTHORIZATION_UPDATE_PASSED = '''All scopes PASSED!
-To authorize them (in case some scopes were unselected), please go to the following link in your browser:
+To update authorization (in case some scopes were unselected), please go to the following link in your browser:
 {0}
    {1}

@@ -156,8 +156,8 @@ Click AUTHORIZE
 When the box closes you're done
 After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
 '''
-SCOPE_AUTHORIZATION_FAILED = '''Some scopes FAILED!
-To authorize them, please go to the following link in your browser:
+SCOPE_AUTHORIZATION_FAILED = '''Some scopes FAILED or should be DISABLED!
+To update authorization, please go to the following link in your browser:
 {0}
    {1}