Add script for setting up GCP project permissions π
In tektoncd/pipeline#1500 @vdemeester wanted to be able to access our boskos projects to try to debug it but I had been lazy and not given everyone access b/c there are so many of them. I didn't want to do it (lazy) but then I realized that a script would make it easy! So I wrote this script; it doesn't have any tests or automation yet but eventually we could execute it as part of a Tekton pipeline and use it to make sure permissions are always what we expect.
1 parent
a87e98c
commit e3f5a4f
Showing
2 changed files
with
79 additions
and
1 deletion.
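--- /dev/null
+++ b/addpermissions.py
@@ -0,0 +1,75 @@
+#!/usr/bin/env python3
+
+"""
+addpermissions.py gives users access to the Tekton GCP projects
+In order to interact with GCP resources
+(https://github.com/tektoncd/plumbing/blob/master/gcp.md)
+folks sometimes need to be able to do actions like push images and view
+a project in the web console.
+This script will add the permissions allowed to folks on the governing board
+(https://github.com/tektoncd/community/blob/master/governance.md#permissions-and-access)
+to all GCP projects.
+This script requires the `gcloud` command line tool and the python
+`PyYaml` library.
+"""
+import argparse
+import shlex
+import shutil
+import subprocess
+import sys
+import urllib.request
+import yaml
+from typing import List
+
+
+ROLES = (
+    "roles/container.admin",
+    "roles/iam.serviceAccountUser",
+    "roles/storage.admin",
+    "roles/viewer",
+)
+KNOWN_PROJECTS = (
+    "tekton-releases",
+    "tekton-nightly",
+)
+BOSKOS_CONFIG_URL = "https://raw.githubusercontent.com/tektoncd/plumbing/master/boskos/boskos-config.yaml"
+
+
+def gcloud_required() -> None:
+    if shutil.which("gcloud") is None:
+        sys.stderr.write("gcloud binary is required; https://cloud.google.com/sdk/install")
+        sys.exit(1)
+
+
+def add_to_all_projects(user: str, projects: List[str]) -> None:
+    for project in projects:
+        for role in ROLES:
+            subprocess.check_call(shlex.split(
+                "gcloud projects add-iam-policy-binding {} --member user:{} --role {}".format(project, user, role)
+            ))
+
+
+def parse_boskos_projects() -> List[str]:
+    config = urllib.request.urlopen(BOSKOS_CONFIG_URL).read()
+    c = yaml.load(config)
+    nested_config = c["data"]["config"]
+    cc = yaml.load(nested_config)
+    return cc["resources"][0]["names"]
+
+
+if __name__ == '__main__':
+    arg_parser = argparse.ArgumentParser(
+        description="Give a user access to all plumbing resources")
+    arg_parser.add_argument("--user", type=str, required=True,
+                            help="The name of the user's account, usually their email address")
+    args = arg_parser.parse_args()
+
+    gcloud_required()
+
+    boskos_projects = parse_boskos_projects()
+    add_to_all_projects(args.user, list(KNOWN_PROJECTS) + boskos_projects)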
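Review bot: `parse_boskos_projects` passes content fetched over the network from a mutable `master` branch into `yaml.load` without a `Loader`, which on PyYAML releases before 5.1 will construct arbitrary Python objects from tags such as `!!python/object/apply`, and the names it yields are then handed straight to `gcloud projects add-iam-policy-binding` with admin-level roles. Both calls should become `c = yaml.safe_load(config)` and `cc = yaml.safe_load(nested_config)`, and pinning `BOSKOS_CONFIG_URL` to a commit SHA instead of `master` would also fix which set of projects a given run can touch. In `add_to_all_projects`, `shlex.split` over a format string means a `--user` value containing whitespace turns into additional gcloud arguments (an injected `--role`, for example), so the argv is better built directly: `subprocess.check_call(["gcloud", "projects", "add-iam-policy-binding", project, "--member", "user:" + user, "--role", role])`. The `cc["resources"][0]["names"]` lookup presumably relies on the GCP project pool being the first resource entry in the boskos config; a comment stating that assumption, or an explicit lookup by the entry's `type`, would keep a reordered config from silently granting roles on the wrong pool.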