From a0b57f3aab09c16b7b16a2e908c4067bfb194e8e Mon Sep 17 00:00:00 2001
From: Vasyl Kaigorodov
Date: Fri, 15 May 2015 15:28:28 +0200
Subject: [PATCH 1/4] GCE module: add posibility to specify Service Account permissions during instance creation
---
 cloud/google/gce.py | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/cloud/google/gce.py b/cloud/google/gce.py
index 314f1200161..20ceb257b3a 100644
--- a/cloud/google/gce.py
+++ b/cloud/google/gce.py
@@ -287,6 +287,8 @@ def create_instances(module, gce, instance_names):
 ip_forward = module.params.get('ip_forward')
 external_ip = module.params.get('external_ip')
 disk_auto_delete = module.params.get('disk_auto_delete')
+ service_account_permissions = module.params.get('service_account_permissions')
+ service_account_email = module.params.get('service_account_email')
 
 if external_ip == "none":
 external_ip = None
@@ -330,6 +332,14 @@ def create_instances(module, gce, instance_names):
 items.append({"key": k,"value": v})
 metadata = {'items': items}
 
+ ex_sa_perms = []
+ if service_account_permissions:
+ if service_account_email:
+ ex_sa_perms.append({'email': service_account_email})
+ else:
+ ex_sa_perms.append({'email': "default"})
+ ex_sa_perms[0]['scopes'] = service_account_permissions
+
 # These variables all have default values but check just in case
 if not lc_image or not lc_network or not lc_machine_type or not lc_zone:
 module.fail_json(msg='Missing required create instance variable',
@@ -349,7 +359,7 @@ def create_instances(module, gce, instance_names):
 inst = gce.create_node(name, lc_machine_type, lc_image,
 location=lc_zone, ex_network=network, ex_tags=tags,
 ex_metadata=metadata, ex_boot_disk=pd, ex_can_ip_forward=ip_forward,
- external_ip=external_ip, ex_disk_auto_delete=disk_auto_delete)
+ external_ip=external_ip, ex_disk_auto_delete=disk_auto_delete, ex_service_accounts=ex_sa_perms)
 changed = True
 except ResourceExistsError:
 inst = gce.ex_get_node(name, lc_zone)
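Review bot: `ex_sa_perms` starts as `[]` in the `@@ -330,6 +332,14` hunk and is passed unconditionally as `ex_service_accounts` in the create_node call of the `@@ -349,7 +359,7` hunk, so every creation that does not set the new option now hands the driver an empty list where it previously passed nothing; whether the driver treats `[]` exactly like an absent argument (project default account, default scopes) is not visible here and should be confirmed. Initialising with `ex_sa_perms = None` and building the single entry as `ex_sa_perms = [{'email': service_account_email or "default", 'scopes': service_account_permissions}]` keeps the pre-patch call for the unset case and replaces the append-then-index-zero construction. Separately, in the `@@ -287,6 +287,8` hunk the `service_account_email` value appears to be the credential the module authenticates with (it sits beside `pem_file` and `project_id` in the argument spec), and reusing it as the account attached to the new instance conflates the operator's API identity with the VM's runtime identity; a comment such as `# scopes are granted to the instance's attached account: the credential email when set, else the project default` would at least make that privilege grant explicit to readers. create_instances begins before and continues after these hunks.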
@@ -437,6 +447,7 @@ def main():
 tags = dict(type='list'),
 zone = dict(default='us-central1-a'),
 service_account_email = dict(),
+ service_account_permissions = dict(type='list'),
 pem_file = dict(),
 project_id = dict(),
 ip_forward = dict(type='bool', default=False),
From f714cc5f7ecb7d8f8bf994276292db6e72caa0a2 Mon Sep 17 00:00:00 2001
From: Vasyl Kaigorodov
Date: Fri, 15 May 2015 15:34:36 +0200
Subject: [PATCH 2/4] GCE module: document Service Account permissions parameter usage
---
 cloud/google/gce.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/cloud/google/gce.py b/cloud/google/gce.py
index 20ceb257b3a..261f6d32297 100644
--- a/cloud/google/gce.py
+++ b/cloud/google/gce.py
@@ -58,6 +58,13 @@ options:
 required: false
 default: null
 aliases: []
+ service_account_permissions: version_added: 1.5.1 description: - service account permissions (see U(https://cloud.google.com/sdk/gcloud/reference/compute/instances/create), --scopes section for detailed information) required: false default: null aliases: []
 pem_file:
 version_added: 1.5.1
 description:
From fa9727eb99fdd0c38ed7f3ba72cdf31c69e82a61 Mon Sep 17 00:00:00 2001
From: Vasyl Kaigorodov
Date: Fri, 15 May 2015 16:00:24 +0200
Subject: [PATCH 3/4] GCE module: added Service Account permissions sanity checks
---
 cloud/google/gce.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/cloud/google/gce.py b/cloud/google/gce.py
index 261f6d32297..b288d9dfb43 100644
--- a/cloud/google/gce.py
+++ b/cloud/google/gce.py
@@ -340,7 +340,13 @@ def create_instances(module, gce, instance_names):
 metadata = {'items': items}
 
 ex_sa_perms = []
+ bad_perms = []
 if service_account_permissions:
+ for perm in service_account_permissions:
+ if not perm in gce.SA_SCOPES_MAP.keys():
+ bad_perms.append(perm)
+ if len(bad_perms) > 0:
+ module.fail_json(msg='bad permissions: %s' % str(bad_perms))
 if service_account_email:
 ex_sa_perms.append({'email': service_account_email})
 else:
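Review bot: The new `service_account_permissions` description in the `@@ -58,6 +58,13` hunk of PATCH 2/4 points at the gcloud `--scopes` documentation but does not say which account the scopes are granted to, which is the security-relevant part of the option: from the create_instances change in PATCH 1/4 they attach to `service_account_email` when that is set and to the project default account otherwise. A second description bullet along the lines of `- scopes are granted to the service account attached to the new instance (service_account_email if set, otherwise the project default); values are short aliases, not full scope URLs` would let a playbook author judge the grant without reading the code. The alias-only restriction is an inference from the runtime check added in PATCH 3/4, so confirm it before documenting it.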
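Review bot: The validation loop in the `@@ -340,7 +340,13` hunk of PATCH 3/4 spells `if not perm in gce.SA_SCOPES_MAP.keys()` and `if len(bad_perms) > 0`, which are the non-idiomatic forms of `perm not in gce.SA_SCOPES_MAP` and `if bad_perms`; the whole check reduces to `bad_perms = [perm for perm in service_account_permissions if perm not in gce.SA_SCOPES_MAP]` followed by `if bad_perms: module.fail_json(msg='bad permissions: %s' % str(bad_perms))`, which also drops the separate `bad_perms = []` initialisation. Note that `gce.SA_SCOPES_MAP` is an attribute of the driver object, so on a libcloud that does not define it the check presumably raises AttributeError instead of reaching fail_json; if older drivers must be supported, a `hasattr` guard or a version note in the docstring is warranted. create_instances begins before and continues after this hunk.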
From baff1bf7f0b49e2b4bc9f2c0582a1d356df160d9 Mon Sep 17 00:00:00 2001
From: James Cammarata
Date: Tue, 23 Jun 2015 13:16:28 -0400
Subject: [PATCH 4/4] Update choices and version_added for new gce.py param service_account_permissions
---
 cloud/google/gce.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/cloud/google/gce.py b/cloud/google/gce.py
index 48536057637..251a3ee9e93 100644
--- a/cloud/google/gce.py
+++ b/cloud/google/gce.py
@@ -59,12 +59,13 @@ options:
 default: null
 aliases: []
 service_account_permissions:
- version_added: 1.5.1
+ version_added: 2.0
 description:
 - service account permissions (see U(https://cloud.google.com/sdk/gcloud/reference/compute/instances/create), --scopes section for detailed information)
 required: false
 default: null
 aliases: []
+ choices: ["bigquery", "cloud-platform", "compute-ro", "compute-rw", "computeaccounts-ro", "computeaccounts-rw", "datastore", "logging-write", "monitoring", "sql", "sql-admin", "storage-full", "storage-ro", "storage-rw", "taskqueue", "userinfo-email"]
 pem_file:
 version_added: 1.5.1
 description:
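Review bot: The `choices:` list added in the `@@ -59,12 +59,13` hunk hard-codes the same alias set that create_instances validates at runtime against `gce.SA_SCOPES_MAP` (PATCH 3/4), so there are now two sources of truth that can drift silently when the driver gains or renames an alias, and because the documentation block is a string the list cannot be derived from the map. A comment beside the list, `# keep in sync with the driver's SA_SCOPES_MAP keys checked in create_instances`, would make the coupling visible to the next maintainer. Since `cloud-platform` is among the offered values and is the broadest grant in the set, the description could also state that it confers access to all enabled APIs so that playbook authors pick the narrowest scope that fits.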