>ldZddlmZddlmZddlmZddlmZddlmZGddZGd d Z y ) z/Utilities for setting up GKE workload identity.)absolute_import)division)unicode_literals)compute_helpers) iam_helpersc eZdZdZedZy)GkeWorkloadIdentityzSets up GKE Workload Identity.cdj|}|Dcgc]}dj|||}}tj||dycc}w)zFAllow the k8s_service_accounts to use gsa_email via Workload Identity.z&projects/-/serviceAccounts/{gsa_email}) gsa_emailz>serviceAccount:{project_id}.svc.id.goog[{k8s_namespace}/{ksa}]) project_id k8s_namespaceksazroles/iam.workloadIdentityUserN)formatrAddIamPolicyBindings)r r r k8s_service_accountsresourcermemberss @lib/googlecloudsdk/command_lib/dataproc/gke_workload_identity.pyUpdateGsaIamPolicyz&GkeWorkloadIdentity.UpdateGsaIamPolicysw8>>?H ((C IOO!C P I'  $$Xw%EG sA N)__name__ __module__ __qualname____doc__ staticmethodrrr r s& G Grr c eZdZdZedZy)&DefaultDataprocDataPlaneServiceAccountzHFind the default Google Service Account used by the Dataproc data plane.c,tj|S)N)rGetDefaultServiceAccount)r s rGetz*DefaultDataprocDataPlaneServiceAccount.Get.s  3 3J ??rN)rrrrrr!rrrrr+sP@@rrN) r __future__rrrgooglecloudsdk.api_lib.dataprocrrr rrrrr$s16&';7GG$@@r