def get_bindings()

in tools/state_iam.py [0:0]


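def get_bindings(resources, prefix=None, folders=None):
  """Parse resources and yield one normalised Binding per member.

  Args:
    resources: iterable of dicts with a 'type' key and an 'instances' list
      whose items carry an 'attributes' dict (presumably the resources of a
      Terraform state file -- confirm against the caller).
    prefix: optional string stripped, together with the one character that
      follows it, from the start of resource ids and member ids.
    folders: optional mapping used to translate folder resource ids; ids
      that are not in the mapping are kept unchanged.

  Yields:
    Binding(authoritative, resource_type, resource_id, role, member_type,
    member_id, conditions).

  Security notes for consumers of the output:
    * 'user:' members are skipped, so the result is not a complete IAM
      inventory and cannot be used on its own to review human access.
    * Members without a ':' (for example 'allUsers' and
      'allAuthenticatedUsers') are yielded with the whole value in
      member_type and an empty member_id; reports should surface them
      explicitly because they denote public access.
    * Service agent and Cloud Services accounts are collapsed to symbolic
      names that drop the project number, so a grant to another project's
      service account looks identical to a same-project one.
    * Every 'domain:' member is labelled 'GCP organization domain', whatever
      domain it names.
  """
  for r in resources:
    m = RESOURCE_TYPE_RE.match(r['type'])
    if not m:
      continue
    resource_type = m.group(1)
    # '*_binding' resources carry a 'members' list, anything else a single
    # 'member' (see the members lookup below).
    authoritative = m.group(2) == 'binding'
    # Tolerate a missing or null 'instances' key instead of raising TypeError.
    for i in r.get('instances') or []:
      attrs = i['attributes']
      # Only condition titles are kept; the condition expression itself is
      # not part of the output.
      conditions = ' '.join(c['title'] for c in attrs.get('condition', []))
      if resource_type == 'organization':
        resource_id = _org_id(attrs['org_id'])
      else:
        resource_id = attrs[resource_type]
        if prefix and resource_id.startswith(prefix):
          # + 1 also drops the character after the prefix (presumably a
          # separator such as '-'; confirm against the naming convention).
          resource_id = resource_id[len(prefix) + 1:]
      role = attrs['role']
      if role.startswith('organizations/'):
        org_id = role.split('/')[1]
        # NOTE(review): str.replace rewrites every occurrence of org_id in
        # the role string, not only the 'organizations/<id>' segment.
        role = role.replace(org_id, _org_id(org_id))
      members = attrs['members'] if authoritative else [attrs['member']]
      if resource_type == 'folder' and folders:
        resource_id = folders.get(resource_id, resource_id)
      for member in members:
        member_type, _, member_id = member.partition(':')
        if member_type == 'user':
          # Human principals are intentionally left out of the output.
          continue
        try:
          member_id, member_domain = member_id.split('@', 1)
        except ValueError:
          # No '@' in the member: keep it rather than aborting the run.
          if member_type == 'domain':
            member_id = 'GCP organization domain'
          member_domain = ''
        # Handle Cloud Services Service Account
        if member_domain == 'cloudservices.gserviceaccount.com':
          member_id = "PROJECT_CLOUD_SERVICES"
        # Handle Cloud Service Identity Service Account. Raw strings keep
        # '\d' a regex class instead of an invalid string escape.
        if re.match(r"^service-\d{8}", member_id):
          member_id = "SERVICE_IDENTITY_" + member_domain.split(".", 1)[0]
        # Handle BQ Cloud Service Identity Service Account
        # NOTE(review): only the 'bq-' branch relabels the resource type;
        # 'service-' identities keep the plain type. Confirm this asymmetry
        # is intended.
        if re.match(r"^bq-\d{8}", member_id):
          member_id = "IDENTITY_" + member_domain.split(".", 1)[0]
          resource_type_output = "Service Identity - " + resource_type
        else:
          resource_type_output = resource_type
        if prefix and member_id.startswith(prefix):
          member_id = member_id[len(prefix) + 1:]
        yield Binding(authoritative, resource_type_output, resource_id, role,
                      member_type, member_id, conditions)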