dZddlmZddlmZddlmZddlmZddlmZddlm Z ddl m Z d Z d Z d Zd Zdd ZdZdZdZy)zCommon flags for iam commands.)absolute_import)division)unicode_literals) arg_parsers)base) cred_config) common_argscPtjdddj|S)NroleROLE_IDzID of the role to {0}. Curated roles example: roles/viewer. Custom roles example: CustomRole. For custom roles, you must also specify the `--organization` or `--project` flag.metavarhelprArgumentformatverbs +lib/googlecloudsdk/command_lib/iam/flags.py GetRoleFlagrs)   $VD\ ++cPtjdddj|S)Nr r z]ID of the custom role to {0}. You must also specify the `--organization` or `--project` flag.r rrs rGetCustomRoleFlagr's'   fTl  rcNtjddj|S)Nz--organizationz)Organization of the role you want to {0}.rrrs r GetOrgFlagr0s&  6 = =d C EErcPdj|}tj|S)Nz$Project of the role you want to {0}.)help_text_to_prepend)rr ProjectArgument)r help_texts rGetProjectFlagr!6s#4;;DA)  $ $) DDrc|j|}t|j|t|j|y)N)required)add_mutually_exclusive_groupr AddToParserr!)parserrr# parent_groups rAddParentFlagsr(;s;44h4G, T|,""<0raThe full resource name or URI to {verb}. See ["Resource Names"](https://cloud.google.com/apis/design/resource_names) for details. To get a URI from most `list` commands in `gcloud`, pass the `--uri` flag. For example: ``` $ gcloud compute instances list --project prj --uri \ https://compute.googleapis.com/compute/v1/projects/prj/zones/us-east1-c/instances/i1 \ https://compute.googleapis.com/compute/v1/projects/prj/zones/us-east1-d/instances/i2 ``` cXtjdtj|S)Nresourcerr)rr_RESOURCE_NAME_HELPrrs rGetResourceNameFlagr,Qs" z(;(B(B(B(M NNrc |jddd|jddd|jd }|jd d d|jd tjd ddd d|jdtjdd|jdd |jdd |jd }|jdtjddddd |jd!d" |t j jk(r,|jd#tjdd$d%dd&y'y')(z_Adds parser arguments that are common to both workload identity federation and workforce pools.z --output-filez>Location to store the generated credential configuration file.T)rr#z--universe-domainzUniverse domain.)rhiddenz&Service account impersonation options.rz--service-accountz,Email of the service account to impersonate.z(--service-account-token-lifetime-secondss60043200) default_unit lower_bound upper_bound parsed_unitaHLifetime duration of the service account access token in seconds. Defaults to one hour if not specified. If a lifetime greater than one hour is required, the service account must be added as an allowed value in an Organization Policy that enforces the `constraints/iam.allowServiceAccountCredentialLifetimeExtension` constraint.)typerz--credential-source-headersz key=valuez7Headers to use when querying the credential-source-url.)r6rrz--credential-source-typez/Format of the credential source (JSON or text).z--credential-source-field-namez;Subject token field name (key) in a JSON credential source.z3Arguments for an executable type credential source.z--executable-timeout-millisms5s120szHTimeout duration, in milliseconds, to wait for the executable to finish.z--executable-output-filez:Absolute path to the file storing the executable response.z'--executable-interactive-timeout-millis30s1800szxTimeout duration, in milliseconds, to wait for the executable to finish when the command is running in interactive mode.N) add_argument add_grouprDurationArgDictr ConfigTypeWORKFORCE_POOLS)r& config_type%service_account_impersonation_optionsexecutable_argss rAddCommonByoidCreateConfigFlagsrEUs K   24+1*:*: 3+;+5''44 95(550       6  #     D F   <> & HJ$$ @%B/#       1  GIK**:::  1  ! !  P!Q;rN)T)__doc__ __future__rrrgooglecloudsdk.callioperr.googlecloudsdk.command_lib.iam.byoid_utilitiesr$googlecloudsdk.command_lib.util.argsr rrrr!r(r+r,rErrrLsO %&'/(F<+E E 1  OEQr