Documentation
Index
- func KeyShortID(name string) string
- type Driver
- func (d *Driver) AddBinding(ctx context.Context, project, role, member string) (api.IamPolicy, error)
- func (d *Driver) AddUser(ctx context.Context, principal string) (schema.IAMResult, error)
- func (d *Driver) CreateKey(ctx context.Context, project, accountID string) (api.ServiceAccountKey, error)
- func (d *Driver) DelUser(ctx context.Context, principal string) (schema.IAMResult, error)
- func (d *Driver) DeleteKey(ctx context.Context, project, accountID, keyID string) error
- func (d *Driver) DisableServiceAccount(ctx context.Context, principal string) error
- func (d *Driver) EnableServiceAccount(ctx context.Context, principal string) error
- func (d *Driver) GetProjectIamPolicy(ctx context.Context, project string) (api.IamPolicy, error)
- func (d *Driver) ListKeys(ctx context.Context, project, accountID string) ([]api.ServiceAccountKey, error)
- func (d *Driver) ListUsers(ctx context.Context) ([]schema.User, error)
- func (d *Driver) RemoveBinding(ctx context.Context, project, role, member string) (api.IamPolicy, error)
- func (d *Driver) SetProjectIamPolicy(ctx context.Context, project string, policy api.IamPolicy) (api.IamPolicy, error)
Constants
This section is empty.
Variables
This section is empty.
Functions
func KeyShortID (added in v0.3.1)
KeyShortID extracts the trailing segment from a key resource name like "projects/.../keys/<id>". Returns the input unchanged if it has no slash.
Types
type Driver (added in v0.0.9)
func (*Driver) AddBinding (added in v0.3.1)
func (d *Driver) AddBinding(ctx context.Context, project, role, member string) (api.IamPolicy, error)
AddBinding performs a read-modify-write on the project policy to add member to role. If the role already exists in the policy, member is appended; otherwise a new binding is created.
func (*Driver) AddUser (added in v0.3.1)
AddUser is a thin schema.IAMResult-shaped wrapper around EnableServiceAccount used by the iam-user-check `add` action.
func (*Driver) CreateKey (added in v0.3.1)
func (d *Driver) CreateKey(ctx context.Context, project, accountID string) (api.ServiceAccountKey, error)
CreateKey mints a new user-managed key for a service account. The returned ServiceAccountKey carries PrivateKeyData (base64 of the JSON credential file), which is only ever returned once.
func (*Driver) DelUser (added in v0.3.1)
DelUser is a thin schema.IAMResult-shaped wrapper around DisableServiceAccount used by the iam-user-check `del` action.
func (*Driver) DeleteKey (added in v0.3.1)
DeleteKey revokes a service-account key by ID. keyID may be the trailing segment or the full "projects/.../keys/{id}" form.
func (*Driver) DisableServiceAccount (added in v0.3.1)
DisableServiceAccount disables a GCP service account, revoking the access granted by `EnableServiceAccount`.
func (*Driver) EnableServiceAccount (added in v0.3.1)
EnableServiceAccount enables (i.e. unlocks) a GCP service account. `principal` is the service account email or its short name; the project is taken from the credential. This is the closest CSPM-detectable `useradd`-style lever GCP exposes via API — there is no Cloud Identity "create user" without a paid Google Workspace tenant.
func (*Driver) GetProjectIamPolicy (added in v0.3.1)
GetProjectIamPolicy returns the project-level IAM policy via cloudresourcemanager projects:getIamPolicy.
func (*Driver) ListKeys (added in v0.3.1)
func (d *Driver) ListKeys(ctx context.Context, project, accountID string) ([]api.ServiceAccountKey, error)
ListKeys enumerates the keys for a service account. accountID may be an email or "projects/{p}/serviceAccounts/{email}" form.
func (*Driver) RemoveBinding (added in v0.3.1)
func (d *Driver) RemoveBinding(ctx context.Context, project, role, member string) (api.IamPolicy, error)
RemoveBinding performs a read-modify-write on the project policy to remove member from role. Empty bindings are pruned.
func (*Driver) SetProjectIamPolicy (added in v0.3.1)
func (d *Driver) SetProjectIamPolicy(ctx context.Context, project string, policy api.IamPolicy) (api.IamPolicy, error)
SetProjectIamPolicy writes a new project policy via cloudresourcemanager projects:setIamPolicy. The supplied policy must carry the etag from the prior Get to satisfy optimistic concurrency.
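The read-modify-write that AddBinding and RemoveBinding describe, together with the etag requirement on SetProjectIamPolicy, shown as an added example that is not this package's code. Policy, Store, ErrStale and Update are hypothetical names (the page does not show the fields of api.IamPolicy), and the in-memory store and its etag scheme are constructed so the example runs offline.

```go
package main

import (
	"errors"
	"fmt"
)

// Policy is a hypothetical stand-in for api.IamPolicy (role -> members, plus etag).
type Policy struct {
	Etag     string
	Bindings map[string][]string
}

// Store is a constructed in-memory project policy that checks etags on write.
type Store struct{ cur Policy }
var ErrStale = errors.New("etag mismatch: policy changed since it was read")

// Get returns a deep copy, as a fresh getIamPolicy response would be.
func (s *Store) Get() Policy {
	p := Policy{Etag: s.cur.Etag, Bindings: map[string][]string{}}
	for role, members := range s.cur.Bindings {
		p.Bindings[role] = append([]string(nil), members...)
	}
	return p
}

// Set refuses a policy carrying a stale etag, then stores it under a new etag.
func (s *Store) Set(p Policy) error {
	if p.Etag != s.cur.Etag {
		return ErrStale
	}
	s.cur = Policy{Etag: p.Etag + "+", Bindings: p.Bindings} // constructed etag scheme
	return nil
}

// Update is the read-modify-write loop: while the etag is stale, re-read and reapply.
func Update(s *Store, tries int, mutate func(*Policy)) (err error) {
	for err = ErrStale; tries > 0 && errors.Is(err, ErrStale); tries-- {
		p := s.Get()
		mutate(&p)
		err = s.Set(p)
	}
	return err
}

func main() {
	s := &Store{}
	grant := func(p *Policy) { p.Bindings["roles/viewer"] = []string{"user:a@example.com"} }
	fmt.Println(Update(s, 3, grant), s.Get().Bindings)
}
```

A write built from a stale read is refused rather than silently restoring a binding that another writer removed in the meantime, which is why the mutation is reapplied to a fresh copy on each retry.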