hdZddlmZddlmZddlmZddlmZddlmZddlm Z ddl m Z dd l m Zdd lmZddlm Z e j"e j$j&Gd d e j(Zy )zCCommand to set service account and scopes for an instance resource.)absolute_import)division)unicode_literals) base_classes) constants)base)flags)scope) exceptionscfeZdZdZdddZfdZedZdZdZ d Z d Z d Z d Z d ZxZS)SetServiceAccountzLSet a service account and access scopes for a Compute Engine VM instance. a `{command}` lets you configure a service account and access scopes for a Compute Engine VM instance. As a best practice, grant the ``cloud-platform'' access scope on your VM instance. Then, to restrict resource access, grant only the required IAM roles to the VM instance's service account. For more information, see [](https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#changeserviceaccountandscopes#best_practices). z To set a service account with the ``cloud-platform'' scope, run: $ {command} example-instance --scopes=cloud-platform --zone=us-central1-b --service-account=example-account ) DESCRIPTIONEXAMPLEScFt|j| |i|d|_y)N)super __class____init__ _instance)selfargskwargsrs 4lib/surface/compute/instances/set_service_account.pyrzSetServiceAccount.__init__4s" $..$($9&9DNcntjj|tj|dy)NT)r INSTANCE_ARG AddArgumentAddServiceAccountAndScopeArgs)parsers rArgszSetServiceAccount.Args8s& ""6* ''5rc|js^|jjd|jjdi|j f}|j |g}|d|_|jS)z@Return cached instance if there isn't one fetch referrenced one.Get)requestsr)rapitools_client instancesmessagesComputeInstancesGetRequestAsDict MakeRequests)r instance_refclientrequestinstances r _get_instancezSetServiceAccount._get_instance=sr >>''115;;;.#**,./g$$wi$8h{dn >>rch|j||}|y|j}|r|djSy)z2Return email of service account instance is using.Nr)r.serviceAccountsemail)rr*r+r-orignal_service_accountss r_original_emailz!SetServiceAccount._original_emailIs@!!,7H '77 %a ( . .. rcz|j||}|gS|j}g}|D]}||jz }|S)z Return scopes instance is using.)r.r0scopes)rr*r+r-r2resultaccountss r_original_scopesz"SetServiceAccount._original_scopesSsM!!,7H i'77 F, f- Mrcp|jry|jr |jS|j||S)z8Return email to set as service account for the instance.N)no_service_accountservice_accountr3rrr*r+s r_emailzSetServiceAccount._email^s6     ! !!    f 55rcr|jrgS|j |jS|j||S)z&Return scopes to set for the instance.) no_scopesr5r8r<s r_unprocessed_scopesz%SetServiceAccount._unprocessed_scopesfs5 ~~ i {{ [[  v 66rcg}|j|||D]4}tjj||g}|j |6|S)aFGet list of scopes to be assigned to the instance. Args: args: parsed command line arguments. instance_ref: reference to the instance to which scopes will be assigned. client: a compute_holder.client instance Returns: List of scope urls extracted from args, with scope aliases expanded. )r@rSCOPESgetextend)rrr*r+r6unprocessed_scoper s r_scopeszSetServiceAccount._scopesnsXF!55d6BFL""#47H6IJe mmEL Mrctj|j}|j}t j |tj j||jtjjtj|}|j|||}|j|||}|r|st!j"d|j$j'|j$j)|||j*|j,|j/}|j1|j2j4d|fgS)N) default_scope scope_listerz4Can not set scopes when there is no service acoount.)r1r5)!instancesSetServiceAccountRequestprojectzoner-r )rComputeApiHolder ReleaseTrackr+r "ValidateServiceAccountAndScopeArgsrResolveAsResource resources compute_scope ScopeEnumZONE compute_flagsGetDefaultScopeListerr=rFr $ScopesWithoutServiceAccountExceptionr&(ComputeInstancesSetServiceAccountRequest!InstancesSetServiceAccountRequestrKrLNamer)r$r%)rrcompute_holderr+r*r1r5r,s rRunzSetServiceAccount.RunsH!2243D3D3FGN  " "F ,,T2%%77 n&&#--22"88@8BL KKlF 3E \\$ f 5F e  ; ; @ BBooFF OO = = >  $$   ""$G G   ((!  r)__name__ __module__ __qualname____doc__ detailed_helpr staticmethodrr.r3r8r=r@rFr\ __classcell__)rs@rr r sU  -"66  67$!rr N)r` __future__rrrgooglecloudsdk.api_lib.computerrgooglecloudsdk.callioper"googlecloudsdk.command_lib.computer rUr rR,googlecloudsdk.command_lib.compute.instancesr ReleaseTracksrNGA SilentCommandr r#rrrlsfJ&'74(EEC>D%%(()B**B*Br