// Copyright 2024 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// sample-metadata:
// title: Enable fine grained access control
// usage: node enable-fine-grained-access.js <INSTANCE_ID> <DATABASE_ID> <PROJECT_ID> <IAM_MEMBER> <DATABASE_ROLE> <CONDITION_TITLE>
'use strict';
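function main(
  instanceId = 'my-instance',
  databaseId = 'my-database',
  projectId = 'my-project-id',
  iamMember = 'user:[email protected]',
  databaseRole = 'parent',
  title = 'condition title'
) {
  // [START spanner_enable_fine_grained_access]
  /**
   * TODO(developer): Uncomment these variables before running the sample.
   */
  // const instanceId = 'my-instance';
  // const databaseId = 'my-database';
  // const projectId = 'my-project-id';
  // const iamMember = 'user:[email protected]';
  // const databaseRole = 'parent';
  // const title = 'condition title';

  // Imports the Google Cloud Spanner client library
  const {Spanner} = require('@google-cloud/spanner');

  // Instantiates a client
  const spanner = new Spanner({
    projectId: projectId,
  });

  // The database role name is interpolated into a CEL condition below, so only
  // a plain identifier is accepted: a value carrying quotes or parentheses
  // would change the meaning of the generated expression, not just its target.
  // NOTE(review): this is the identifier form Spanner role names are expected
  // to take (letter first, then letters/digits/underscore, at most 64 chars);
  // confirm against the Spanner naming rules before loosening it.
  const DATABASE_ROLE_PATTERN = /^[A-Za-z][A-Za-z0-9_]{0,63}$/;

  /**
   * Grants `iamMember` roles/spanner.fineGrainedAccessUser on the database,
   * restricted by an IAM condition to the single database role `databaseRole`,
   * then prints the resulting policy.
   *
   * Reads the policy at version 3 (the version that carries conditional
   * bindings), appends one binding and writes the policy back. Rejects on a
   * malformed role name and on any Spanner/IAM error; because the call below
   * is not awaited, rejections are reported by the process-level
   * 'unhandledRejection' handler registered further down the file.
   */
  async function enableFineGrainedAccess() {
    if (typeof databaseRole !== 'string' || !DATABASE_ROLE_PATTERN.test(databaseRole)) {
      throw new Error(
        `Invalid database role name: ${JSON.stringify(databaseRole)}`
      );
    }

    // Accept a full IAM principal (`user:`, `serviceAccount:`, `group:`, ...)
    // as-is and only prefix a bare address with `user:`. Unconditionally
    // prepending `user:` turned the documented `user:...` default into
    // `user:user:...`, which is not a valid member.
    const member = iamMember.includes(':') ? iamMember : `user:${iamMember}`;

    // Gets a reference to a Cloud Spanner Database Admin Client object
    const databaseAdminClient = spanner.getDatabaseAdminClient();
    const databaseName = databaseAdminClient.databasePath(
      projectId,
      instanceId,
      databaseId
    );

    // Requested policy version: valid values are 0, 1 and 3; requests with
    // another value are rejected. Version 3 is needed to see existing
    // conditional bindings before the policy is rewritten. The options are a
    // plain object here — the original assigned this literal onto the
    // library's `protos.google.iam.v1.GetPolicyOptions`, clobbering that
    // class for the rest of the process.
    const [policy] = await databaseAdminClient.getIamPolicy({
      resource: databaseName,
      options: {requestedPolicyVersion: 3},
    });

    // A binding with a condition is only allowed in a version-3 policy.
    if (policy.version < 3) {
      policy.version = 3;
    }
    if (!Array.isArray(policy.bindings)) {
      policy.bindings = [];
    }

    policy.bindings.push({
      role: 'roles/spanner.fineGrainedAccessUser',
      members: [member],
      condition: {
        title: title,
        expression: `resource.name.endsWith("/databaseRoles/${databaseRole}")`,
      },
    });

    // Writes back the same policy object that was read, so whatever etag it
    // carries travels with it (presumably letting IAM reject the write if the
    // policy changed since the read — verify against the IAM docs).
    await databaseAdminClient.setIamPolicy({
      resource: databaseName,
      policy: policy,
    });

    // Re-reads at version 3 so the new conditional binding shows in the output.
    const [updatedPolicy] = await databaseAdminClient.getIamPolicy({
      resource: databaseName,
      options: {requestedPolicyVersion: 3},
    });
    console.log(updatedPolicy);
  }

  // Deliberately not awaited: main() is synchronous, and a rejected promise is
  // surfaced by the process 'unhandledRejection' handler registered below.
  enableFineGrainedAccess();
  // [END spanner_enable_fine_grained_access]
}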
// The sample starts its async work without awaiting it, so any failure ends
// up here: print the message and exit non-zero instead of crashing mid-run.
process.on('unhandledRejection', rejection => {
  console.error(rejection.message);
  process.exitCode = 1;
});
main(...process.argv.slice(2));