|
|
import logging |
|
|
import os |
|
|
import sys |
|
|
|
|
|
|
|
|
# Make the parent directory importable so `google_src` / `utils` resolve when
# this script is run directly rather than as part of the package.
_parent_dir = os.path.join(os.path.dirname(__file__), '..')
sys.path.append(os.path.abspath(_parent_dir))
|
|
|
|
|
from google.cloud import storage |
|
|
from google.iam.v1 import policy_pb2 |
|
|
from google_src.gcloud_wrapper import get_default_wrapper |
|
|
|
|
|
|
|
|
try:
    from utils import logger
except ImportError:
    # The project-local logger helper is optional; when `utils` cannot be
    # imported (e.g. script run standalone), fall back to a stdlib logger
    # named after this module so the calls below still work.
    logger = logging.getLogger(__name__)
|
|
|
|
|
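def setup_bucket_permissions(bucket_name: str, members: list, role: str = "roles/storage.objectViewer", storage_client=None, location: str = "us-central1") -> bool:
    """
    Creates a GCS bucket (if it doesn't exist) and grants the specified role to the given members.

    Args:
        bucket_name (str): The name of the GCS bucket.
        members (list): A list of members to grant access to (e.g., ["user:jebin.einstein@elvoro.com", "serviceAccount:elvoro@elvoro-final-videos.iam.gserviceaccount.com"]).
        role (str): The IAM role to grant (default: roles/storage.objectViewer).
        storage_client (google.cloud.storage.Client, optional): Existing storage client to reuse;
            when omitted, one is obtained via get_default_wrapper().get_storage_client("final_data").
        location (str): Location used only if the bucket has to be created (default: us-central1).

    Returns:
        bool: True when the IAM policy was updated (or there was nothing to grant),
        False when any step failed. Failures are logged rather than raised, so
        callers that care about the outcome must check the return value.
    """
    if not members:
        # An empty grant would otherwise append an empty binding and still
        # rewrite the bucket policy for no reason.
        logger.debug(f"No members supplied for bucket '{bucket_name}'; nothing to grant.")
        return True

    try:
        if not storage_client:
            wrapper = get_default_wrapper()
            storage_client = wrapper.get_storage_client("final_data")

        # lookup_bucket() returns None only when the bucket genuinely does not
        # exist. Auth/permission errors propagate to the outer handler instead of
        # being mistaken for "not found" and triggering a create attempt.
        bucket = storage_client.lookup_bucket(bucket_name)
        if bucket is not None:
            logger.debug(f"β Bucket '{bucket_name}' already exists.")
        else:
            try:
                logger.debug(f"π¦ Bucket '{bucket_name}' not found. Attempting to create...")
                bucket = storage_client.create_bucket(bucket_name, location=location)
                logger.debug(f"β Bucket '{bucket_name}' created successfully.")
            except Exception as e:
                logger.error(f"β Failed to create bucket '{bucket_name}': {e}")
                return False

        logger.debug(f"π Updating IAM policy for bucket '{bucket_name}'...")
        # Version 3 is requested so that bindings carrying IAM conditions are
        # returned intact instead of the call failing.
        policy = bucket.get_iam_policy(requested_policy_version=3)

        # Merge only into an unconditional binding for this role: adding members
        # to a conditional binding would grant them under that condition, not
        # the plain access the caller asked for.
        binding = next(
            (b for b in policy.bindings if b.get("role") == role and not b.get("condition")),
            None,
        )

        if binding is not None:
            logger.debug(f"Found existing binding for role '{role}'. Adding new members...")
            # Works whether the library hands back members as a set or a list.
            binding["members"] = list(set(binding["members"]).union(members))
        else:
            logger.debug(f"No existing binding for role '{role}'. Creating new binding...")
            # Copy (and dedupe, order preserved) so the caller's list is not
            # aliased into the policy object.
            policy.bindings.append({"role": role, "members": list(dict.fromkeys(members))})

        bucket.set_iam_policy(policy)

        logger.debug(f"β IAM policy updated successfully for bucket '{bucket_name}'.")
        logger.debug(f" Granted '{role}' to:")
        for member in members:
            logger.debug(f" - {member}")
        return True

    except Exception as e:
        # Deliberate best-effort: the caller gets False rather than an exception.
        logger.error(f"β An error occurred during permission setup: {e}")
        return False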
|
|
|
|
|
if __name__ == "__main__":
    # Fixed inputs for a direct run; setup_bucket_permissions handles both the
    # create-if-missing step and the IAM grant.
    BUCKET_NAME = "globe_air"
    TARGET_MEMBERS = [
        "user:jebin.einstein@elvoro.com",
        "serviceAccount:elvoro@elvoro-final-videos.iam.gserviceaccount.com",
    ]
    TARGET_ROLE = "roles/storage.objectViewer"

    logger.debug("π Starting GCS Bucket Permission Setup...")
    setup_bucket_permissions(
        bucket_name=BUCKET_NAME,
        members=TARGET_MEMBERS,
        role=TARGET_ROLE,
    )
|
|
|