Google Cloud Resource Manager API - grant owner ro

Published 2019-08-13 09:10

Question:

I am using Google Cloud Resource Manager API with Service Account authorization in Google Apps Script. In the program I am interested in updating the roles of a Developer Console Project.

Specifically, I am trying to change Developer Console project's owner to editor and another user as owner. This, I believe in terms of HTTP Request payload would look like:

// before (taken from response of getIamPolicy REST call)
{
    "bindings": [{
        "role": "roles/owner",
        "members": ["user:abc@my-google-domain.com"]
    }],
    "version": "0",
    "etag": "acbqwcada="
}

// after (modified policy) used in setIamPolicy REST call
{
    "bindings": [{
        "role": "roles/owner",
        "members": ["user:def@my-google-domain.com"]
    },
    {
        "role": "roles/editor",
        "members": ["user:abc@my-google-domain.com"]
    }],
    "version": "0",
    "etag": "acbqwcada="
}

A few things I observed:

  • When changing the current owner (user email) to editor and adding a new owner (user email), the API call returns a SOLO_MUST_INVITE_OWNERS error. Here, I am impersonating the service account as the initial owner of the project, with all necessary domain-wide access.

  • However, when I do the same call in the Google API explorer with the same payload, it's working fine!

  • The Google Cloud Identity and Access Management documentation seems confusing. At one point it says "Cloud Resource Manager IAM methods only support granting the owner role to user and serviceAccount", while at another point it says "A user cannot be granted owner access using setIamPolicy(). The user must be granted the owner role using the Cloud Platform Console and he must explicitly accept the invitation." -- I am wondering whether there is any other way to set policies other than setIamPolicy()?

Answer 1:

The Cloud Resource Manager API does not support adding an owner via setIamPolicy, see the documentation on setIamPolicy:

To be added as an owner, a user must be invited via Cloud Platform console and must accept the invitation.

After you've invited def@my-google-domain.com and they've accepted (they'll appear as an owner of the project in the Cloud Platform console, and also as a member of the owner binding returned by getIamPolicy), you can make the setIamPolicy call to make abc@my-google-domain.com an editor.
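The read-modify-write sequence the answer describes, as an added example in plain JavaScript (it also runs in Apps Script) that is not code from the original post: the function names, the sample policy and the last-owner precaution are my own assumptions, not part of the API.

```javascript
// Added example, not from the original post. Helper names are my own.
const OWNER = 'roles/owner';

// Constructed sample: the policy after def@ has accepted the owner invitation,
// i.e. what getIamPolicy returns once the Console step from the answer is done.
const POLICY_AFTER_INVITE = {
  bindings: [{ role: OWNER, members: ['user:abc@my-google-domain.com',
                                      'user:def@my-google-domain.com'] }],
  version: '0',
  etag: 'acbqwcada=',
};

// Returns a modified copy of `policy` with `member` moved from `fromRole` to
// `toRole`. The etag is carried over unchanged so setIamPolicy can reject the
// write if someone else changed the policy in between. Granting roles/owner is
// refused up front: the API answers SOLO_MUST_INVITE_OWNERS for that, owners
// must be invited through the Console.
function moveMember(policy, member, fromRole, toRole) {
  if (toRole === OWNER) {
    throw new Error('owners cannot be granted via setIamPolicy; invite ' + member);
  }
  const bindings = policy.bindings.map(b => ({ role: b.role, members: b.members.slice() }));
  const src = bindings.find(b => b.role === fromRole);
  if (!src || !src.members.includes(member)) {
    throw new Error(member + ' does not hold ' + fromRole);
  }
  // Precaution (my own check, not a rule stated in the thread): never submit a
  // policy that leaves the project without any owner.
  if (fromRole === OWNER && src.members.length === 1) {
    throw new Error('refusing to remove the last owner; invite the new owner first');
  }
  src.members = src.members.filter(m => m !== member);
  let dst = bindings.find(b => b.role === toRole);
  if (!dst) { dst = { role: toRole, members: [] }; bindings.push(dst); }
  if (!dst.members.includes(member)) dst.members.push(member);
  return { bindings: bindings.filter(b => b.members.length > 0),
           version: policy.version, etag: policy.etag };
}

// Builds the request for UrlFetchApp.fetch(url, options) in Apps Script;
// `token` is the OAuth access token of the impersonating service account.
function buildSetIamPolicyRequest(projectId, policy, token) {
  return {
    url: 'https://cloudresourcemanager.googleapis.com/v1/projects/' + projectId + ':setIamPolicy',
    options: { method: 'post', contentType: 'application/json',
               headers: { Authorization: 'Bearer ' + token },
               payload: JSON.stringify({ policy: policy }), muteHttpExceptions: true },
  };
}
```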