Skip to content

Commit

Permalink
feat: add IAM samples (#34)
Browse files Browse the repository at this point in the history
  • Loading branch information
sethvargo authored Jan 30, 2020
1 parent 1d97e26 commit 4a15284
Show file tree
Hide file tree
Showing 3 changed files with 147 additions and 1 deletion.
63 changes: 63 additions & 0 deletions secret-manager/iamGrantAccess.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

'use strict';

async function main(
name = 'projects/my-project/secrets/my-secret',
member = 'user:you@example.com'
) {
// [START secretmanager_iam_grant_access]
/**
* TODO(developer): Uncomment these variables before running the sample.
*/
// const name = 'projects/my-project/secrets/my-secret';
// const member = 'user:you@example.com';
//
// NOTE: Each member must be prefixed with its type. See the IAM documentation
// for more information: https://cloud.google.com/iam/docs/overview.

// Imports the Secret Manager library
const {SecretManagerServiceClient} = require('@google-cloud/secret-manager');

// Instantiates a client
const client = new SecretManagerServiceClient();

async function grantAccess() {
// Get the current IAM policy.
const [policy] = await client.getIamPolicy({
resource: name,
});

// Add the user with accessor permissions to the bindings list.
policy.bindings.push({
role: 'roles/secretmanager.secretAccessor',
members: [member],
});

// Save the updated IAM policy.
await client.setIamPolicy({
resource: name,
policy: policy,
});

console.log(`Updated IAM policy for ${name}`);
}

grantAccess();
// [END secretmanager_iam_grant_access]
}

const args = process.argv.slice(2);
main(...args).catch(console.error);
70 changes: 70 additions & 0 deletions secret-manager/iamRevokeAccess.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

'use strict';

async function main(
name = 'projects/my-project/secrets/my-secret',
member = 'user:you@example.com'
) {
// [START secretmanager_iam_revoke_access]
/**
* TODO(developer): Uncomment these variables before running the sample.
*/
// const name = 'projects/my-project/secrets/my-secret';
// const member = 'user:you@example.com';
//
// NOTE: Each member must be prefixed with its type. See the IAM documentation
// for more information: https://cloud.google.com/iam/docs/overview.

// Imports the Secret Manager library
const {SecretManagerServiceClient} = require('@google-cloud/secret-manager');

// Instantiates a client
const client = new SecretManagerServiceClient();

async function grantAccess() {
// Get the current IAM policy.
const [policy] = await client.getIamPolicy({
resource: name,
});

// Build a new list of policy bindings with the user excluded.
for (const i in policy.bindings) {
const binding = policy.bindings[i];
if (binding.role !== 'roles/secretmanager.secretAccessor') {
continue;
}

const idx = binding.members.indexOf(member);
if (idx !== -1) {
binding.members.splice(idx, 1);
}
}

// Save the updated IAM policy.
await client.setIamPolicy({
resource: name,
policy: policy,
});

console.log(`Updated IAM policy for ${name}`);
}

grantAccess();
// [END secretmanager_iam_revoke_access]
}

const args = process.argv.slice(2);
main(...args).catch(console.error);
15 changes: 14 additions & 1 deletion secret-manager/test/secretmanager.test.js
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,8 @@ const client = new SecretManagerServiceClient();

const projectId = process.env.GCLOUD_PROJECT;
const secretId = uuidv4();
const payload = `my super secret data`;
const payload = 'my super secret data';
const iamUser = 'user:sethvargo@google.com';

let secret;
let version;
Expand Down Expand Up @@ -136,6 +137,18 @@ describe(`Secret Manager samples`, () => {
});

it(`gets secret versions`, async () => {
const output = execSync(`node iamGrantAccess.js ${secret.name} ${iamUser}`);
assert.match(output, new RegExp(`Updated IAM policy`));
});

it(`revokes access permissions`, async () => {
const output = execSync(
`node iamRevokeAccess.js ${secret.name} ${iamUser}`
);
assert.match(output, new RegExp(`Updated IAM policy`));
});

it(`grants access permissions`, async () => {
const output = execSync(`node getSecretVersion.js ${version.name}`);
assert.match(output, new RegExp(`Found secret ${version.name}`));
});
Expand Down

0 comments on commit 4a15284

Please sign in to comment.