public Policy AddBucketIamMember(
string bucketName = "your-unique-bucket-name",
string role = "roles/storage.objectViewer",
string member = "serviceAccount:[email protected]")
{
var storage = StorageClient.Create();
var policy = storage.GetBucketIamPolicy(bucketName, new GetBucketIamPolicyOptions
{
RequestedPolicyVersion = 3
});
// Set the policy schema version. For more information, please refer to https://cloud.google.com/iam/docs/policies#versions.
policy.Version = 3;
Policy.BindingsData bindingToAdd = new Policy.BindingsData
{
Role = role,
Members = new List <string> {
member
}
};
policy.Bindings.Add(bindingToAdd);
var bucketIamPolicy = storage.SetBucketIamPolicy(bucketName, policy);
Console.WriteLine($"Added {member} with role {role} " + $"to {bucketName}");
return(bucketIamPolicy);
}
private void CreateBucketAndGrantStsPermissions(string bucketName)
{
var bucket = Storage.CreateBucket(ProjectId, new Bucket
{
Name = bucketName
});
string email = Sts.GetGoogleServiceAccount(new GetGoogleServiceAccountRequest()
{
ProjectId = ProjectId
}).AccountEmail;
string member = "serviceAccount:" + email;
string objectViewer = "roles/storage.objectViewer";
string bucketReader = "roles/storage.legacyBucketReader";
string bucketWriter = "roles/storage.legacyBucketWriter";
var policy = Storage.GetBucketIamPolicy(bucketName, new GetBucketIamPolicyOptions
{
RequestedPolicyVersion = 3
});
// Set the policy schema version. For more information, please refer to https://cloud.google.com/iam/docs/policies#versions.
policy.Version = 3;
Policy.BindingsData objectViewerBinding = new Policy.BindingsData
{
Role = objectViewer,
Members = new List <string> {
member
}
};
Policy.BindingsData bucketReaderBinding = new Policy.BindingsData
{
Role = bucketReader,
Members = new List <string> {
member
}
};
Policy.BindingsData bucketWriterBinding = new Policy.BindingsData
{
Role = bucketWriter,
Members = new List <string> {
member
}
};
policy.Bindings.Add(objectViewerBinding);
policy.Bindings.Add(bucketReaderBinding);
policy.Bindings.Add(bucketWriterBinding);
Storage.SetBucketIamPolicy(bucketName, policy);
}
public async Task SetBucketIamPolicy()
{
var projectId = _fixture.ProjectId;
var bucketName = Guid.NewGuid().ToString();
_fixture.RegisterBucketToDelete(bucketName);
// Snippet: SetBucketIamPolicy(string, *, *)
// Create a new bucket and an empty file within it
StorageClient client = StorageClient.Create();
Bucket bucket = client.CreateBucket(projectId, bucketName);
var obj = client.UploadObject(bucketName, "empty.txt", "text/plain", new MemoryStream());
// Demonstrate that without authentication, we can't download the object
HttpClient httpClient = new HttpClient();
HttpResponseMessage response1 = await httpClient.GetAsync(obj.MediaLink);
Console.WriteLine($"Response code before setting policy: {response1.StatusCode}");
// Fetch the current IAM policy, and modify it in memory to allow all users
// to view objects.
Policy policy = client.GetBucketIamPolicy(bucketName);
string role = "roles/storage.objectViewer";
Policy.BindingsData binding = policy.Bindings
.Where(b => b.Role == role)
.FirstOrDefault();
if (binding == null)
{
binding = new Policy.BindingsData {
Role = role, Members = new List <string>()
};
policy.Bindings.Add(binding);
}
binding.Members.Add("allUsers");
// Update the IAM policy on the bucket.
client.SetBucketIamPolicy(bucketName, policy);
// Download the object again: this time the response should be OK
HttpResponseMessage response2 = await httpClient.GetAsync(obj.MediaLink);
Console.WriteLine($"Response code after setting policy: {response2.StatusCode}");
// End snippet
Assert.Equal(HttpStatusCode.Unauthorized, response1.StatusCode);
Assert.Equal(HttpStatusCode.OK, response2.StatusCode);
}
// [END view_bucket_iam_members]
// [START add_bucket_iam_member]
private void AddBucketIamMember(string bucketName,
string role, string member)
{
var storage = StorageClient.Create();
var policy = storage.GetBucketIamPolicy(bucketName);
Policy.BindingsData bindingToAdd = new Policy.BindingsData();
bindingToAdd.Role = role;
string[] members = { member };
bindingToAdd.Members = members;
policy.Bindings.Add(bindingToAdd);
storage.SetBucketIamPolicy(bucketName, policy);
Console.WriteLine($"Added {member} with role {role} "
+ $"to {bucketName}");
}
/// <summary>
/// Adds a conditional Iam policy to a bucket.
/// </summary>
/// <param name="bucketName">The name of the bucket.</param>
/// <param name="role">The role that members may assume.</param>
/// <param name="member">The identifier of the member who may assume the provided role.</param>
/// <param name="title">Title for the expression.</param>
/// <param name="description">Description of the expression.</param>
/// <param name="expression">Describes the conditions that need to be met for the policy to be applied.
/// It's represented as a string using Common Expression Language syntax.</param>
public Policy AddBucketConditionalIamBinding(
string bucketName = "your-unique-bucket-name",
string role = "roles/storage.objectViewer",
string member = "serviceAccount:[email protected]",
string title = "title",
string description = "description",
string expression = "resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")")
{
var storage = StorageClient.Create();
var policy = storage.GetBucketIamPolicy(bucketName, new GetBucketIamPolicyOptions
{
RequestedPolicyVersion = 3
});
// Set the policy schema version. For more information, please refer to https://cloud.google.com/iam/docs/policies#versions.
policy.Version = 3;
Policy.BindingsData bindingToAdd = new Policy.BindingsData
{
Role = role,
Members = new List <string> {
member
},
Condition = new Expr
{
Title = title,
Description = description,
Expression = expression
}
};
policy.Bindings.Add(bindingToAdd);
var bucketIamPolicy = storage.SetBucketIamPolicy(bucketName, policy);
Console.WriteLine($"Added {member} with role {role} " + $"to {bucketName}");
return(bucketIamPolicy);
}
private string CreateRequesterPaysBucket()
{
string name = IdGenerator.FromDateTime(prefix: "dotnet-requesterpays-");
CreateBucket();
AddServiceAccountBinding();
CreateObject();
return(name);
// Adds the service account associated with the application default credentials as a writer for the bucket.
// Note: this assumes the default credentials *are* a service account. If we've got a compute credential,
// this will cause a problem - but in reality, our tests always run with a service account.
void AddServiceAccountBinding()
{
var credential = (ServiceAccountCredential)GoogleCredential.GetApplicationDefault().UnderlyingCredential;
string serviceAccountEmail = credential.Id;
var policy = RequesterPaysClient.GetBucketIamPolicy(name,
new GetBucketIamPolicyOptions {
UserProject = RequesterPaysProjectId
});
// Note: we assume there are no conditions in the policy, as we've only just created the bucket.
var writerRole = "roles/storage.objectAdmin";
Policy.BindingsData writerBinding = null;
foreach (var binding in policy.Bindings)
{
if (binding.Role == writerRole)
{
writerBinding = binding;
break;
}
}
if (writerBinding == null)
{
writerBinding = new Policy.BindingsData {
Role = writerRole, Members = new List <string>()
};
policy.Bindings.Add(writerBinding);
}
writerBinding.Members.Add($"serviceAccount:{serviceAccountEmail}");
RequesterPaysClient.SetBucketIamPolicy(name, policy,
new SetBucketIamPolicyOptions {
UserProject = RequesterPaysProjectId
});
}
void CreateBucket()
{
RequesterPaysClient.CreateBucket(RequesterPaysProjectId,
new Bucket {
Name = name, Billing = new Bucket.BillingData {
RequesterPays = true
}
});
SleepAfterBucketCreateDelete();
}
void CreateObject()
{
RequesterPaysClient.UploadObject(name, SmallObject, "text/plain", new MemoryStream(SmallContent),
new UploadObjectOptions {
UserProject = RequesterPaysProjectId
});
}
}
