dZddlZddlmZddlmZddlmZddl m Z ddl m Z ddlmZdd lmZd Zd Zd Zd deddgZdZdZddZdZ ddZ ddZdZy)zService account utils.N) exceptions)cloudbuild_util) projects_api)run_util)util)log) console_iozroles/cloudbuild.builds.builderz roles/editorzroles/run.invokerzroles/run.adminzroles/run.developerzroles/run.servicesInvokerzroles/run.sourceDeveloperzrun.routes.invokez6{project_number}-compute@developer.gserviceaccount.comctj}d|d|d}|jj|jj |j S)z5Gets the default build service account for a project.z projects/z /locations/z/defaultServiceAccount)name)rGetClientInstanceprojects_locationsGetDefaultServiceAccountMESSAGES_MODULE:CloudbuildProjectsLocationsGetDefaultServiceAccountRequestserviceAccountEmail) project_idregionclientr s @lib/googlecloudsdk/command_lib/functions/service_account_util.pyGetDefaultBuildServiceAccountr)sc  , , .& ZL F83I J$  " " ; ; WWX  cVtjd|}|r|jdSy)zEExtracts the service account email from the service account resource.z/serviceAccounts/([^/]+)$N)researchgroup)service_accountmatchs r_ExtractServiceAccountEmailr4s' ))0/ B% ;;q> rc b|tt||}tj|}|tj |k(r t jtj|}d|}|jDcgc]}||jvr |j }}t|vrHt"|vr?t%j&r*t%j(ddd|dtd |d |d yyyyy#tj$rtjd||tYywxYwcc}w) aKUtil to validate the default build service account permission. Prompt a warning to users if cloudbuild.builds.builder is missing. Args: project_id: id of project region: region to deploy the function build_service_account: user provided build service account. It will be None, if user doesn't provide it. Nproject_numberzYour account does not have permission to check or bind IAM policies to project [%s]. If the deployment fails, ensure [%s] has the role [%s] before retrying.serviceAccount:FTz$ The default build service account [] is missing the [z] role. This may cause issues when deploying a function. You could fix it by running the command: gcloud projects add-iam-policy-binding z \ --member=serviceAccount:z-compute@developer.gserviceaccount.com \ --role=roles/cloudbuild.builds.builder For more information, please refer to: https://cloud.google.com/functions/docs/troubleshooting#build-service-account. Would you like to continue?default cancel_on_no prompt_string)rr project_utilGetProjectNumber_GCE_SAformatr GetIamPolicy ParseProjectapitools_exceptionsHttpForbiddenErrorrwarning _BUILDER_ROLEbindingsmembersrole _EDITOR_ROLEr CanPromptPromptContinue)rrbuild_service_accountr" iam_policyaccount_stringbindingcontained_roless r2ValidateDefaultBuildServiceAccountAndPromptWarningr>=si"7%j&9 00<.gnnNnKK ,,  # #J /j ''<&=>N"***G W__ ,  * _,  /  "56K5LM""/1**8)9:- -  # 0 -3L  1 1   kk4       s(C7!D,7/D)(D)ctj|}|r|ntj|} t j tj |}t||r>> 8 **!!*-Jj*AB((  34 5   jj34C  / /KK A  sA/B""/CCcd}d|}|jD]C}||jvr|jtvry|jj drBd}Ed|dt d}|rd|dt d t d }tjxrtjdd|d z }|stj||S) z1Prompts user to bind the invoker role if missing.Fr#zroles/TzYour trigger service account [r$zI] role. This will cause authentication errors when running the function. z] likely lacks the [z] permission, which will cause authentication errors. Since this service account uses a custom role, please verify that the custom role includes this permission. If not, you'll need to either add this permission to the custom role, or grant the [z(] role to the service account directly. zU Do you want to add the invoker binding to the IAM policy of your Cloud Run function?r%) r3r4r5._PREDEFINE_ROLES_WITH_ROUTE_INVOKER_PERMISSION startswithrF_ROUTE_INVOKER_PERMISSIONr r7r8rr1)r:rcustom_role_detectedr;r<r( should_binds rrBrBs$_$56.$$gW__,||EE  \\ $ $X ."% '&78 !"--  ((9:012+,=*=>'  '$$&:+D+D! "",+ KK  r)global)N)F)__doc__rapitools.base.pyrr/!googlecloudsdk.api_lib.cloudbuildr+googlecloudsdk.api_lib.cloudresourcemanagerr$googlecloudsdk.command_lib.functionsr#googlecloudsdk.command_lib.projectsrr)googlecloudsdk.corergooglecloudsdk.core.consoler r2r6rFrKrMr+rrr>rIrBrrrZs| >=D9D#21  ' 2.0 B/3DV  +\)r