Demonstrates how to set IAM policies on a source
Code sample
Go
To authenticate to Security Command Center, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
import
(
"context"
"fmt"
"io"
iam
"cloud.google.com/go/iam/apiv1/iampb"
securitycenter
"cloud.google.com/go/securitycenter/apiv1"
)
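// setSourceIamPolicy grants user roles/securitycenter.findingsEditor permission
// for a source. sourceName is the full resource name of the source to be
// updated. user is an email address that IAM can grant permissions to.
//
// SetIamPolicy replaces the whole policy on the resource, so the bindings
// already present on the source are carried over and the new binding is
// appended to them; the etag from the fetched policy is reused so that a
// concurrent modification makes the update fail rather than being silently
// overwritten. The bindings of the stored policy are written to w. A non-nil
// error is returned when the arguments are empty, the client cannot be
// created, or either IAM call fails.
func setSourceIamPolicy(w io.Writer, sourceName string, user string) error {
	// sourceName := "organizations/111122222444/sources/1234"
	// user := "someuser@some_domain.com"
	if sourceName == "" || user == "" {
		return fmt.Errorf("setSourceIamPolicy: sourceName and user must be non-empty")
	}

	// Instantiate a context and a security service client to make API calls.
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %w", err)
	}
	// Closing the client safely cleans up background resources.
	defer client.Close()

	// Retrieve the existing policy so we can update only a specific
	// field.
	// NOTE(review): a policy that carries conditional bindings is only
	// returned in full when IAM policy version 3 is requested
	// (GetPolicyOptions.RequestedPolicyVersion) — confirm whether the
	// sources in use have conditions before relying on this read.
	existing, err := client.GetIamPolicy(ctx, &iam.GetIamPolicyRequest{
		Resource: sourceName,
	})
	if err != nil {
		return fmt.Errorf("GetIamPolicy(%s): %w", sourceName, err)
	}

	// Start from a copy of the existing bindings: sending only the new
	// binding would remove every other principal's access to the source.
	bindings := make([]*iam.Binding, 0, len(existing.Bindings)+1)
	bindings = append(bindings, existing.Bindings...)
	bindings = append(bindings, &iam.Binding{
		Role: "roles/securitycenter.findingsEditor",
		// New IAM Binding for the user.
		Members: []string{fmt.Sprintf("user:%s", user)},
	})

	req := &iam.SetIamPolicyRequest{
		Resource: sourceName,
		Policy: &iam.Policy{
			// Enables partial update of existing policy: the request is
			// rejected if the policy changed since it was read above.
			Etag:     existing.Etag,
			Bindings: bindings,
		},
	}
	policy, err := client.SetIamPolicy(ctx, req)
	if err != nil {
		return fmt.Errorf("SetIamPolicy(%s, %v): %w", sourceName, req.Policy, err)
	}

	fmt.Fprint(w, "Bindings:\n")
	for _, binding := range policy.Bindings {
		for _, member := range binding.Members {
			fmt.Fprintf(w, "Principal: %s Role: %s\n", member, binding.Role)
		}
	}
	return nil
}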
Java
To authenticate to Security Command Center, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
/**
 * Grants {@code userEmail} the roles/securitycenter.findingsEditor role on a source.
 *
 * <p>The current policy is read first and the new binding is added to it, so the bindings
 * already on the source are preserved and the policy's etag makes the write fail if the
 * policy was modified concurrently.
 *
 * @param sourceName the source to update, e.g. {@code SourceName.of("123234324", "423432321")}
 * @param userEmail a Google account e-mail address that IAM can grant permissions to
 * @return the policy as stored by the service after the update
 * @throws RuntimeException if the client cannot be created
 */
static Policy setIamPolicySource(SourceName sourceName, String userEmail) {
  try (SecurityCenterClient client = SecurityCenterClient.create()) {
    // userEmail = "someuser@domain.com"
    // The user must be a valid google account.
    String resource = sourceName.toString();
    Policy currentPolicy = client.getIamPolicy(resource);

    // Binding that gives the user the findingsEditor role.
    Binding editorBinding =
        Binding.newBuilder()
            .setRole("roles/securitycenter.findingsEditor")
            .addMembers("user:" + userEmail)
            .build();

    // Keep every existing binding and append the new one.
    Policy updatedPolicy = currentPolicy.toBuilder().addBindings(editorBinding).build();

    // Set the policy on the source and return what the service stored.
    SetIamPolicyRequest request =
        SetIamPolicyRequest.newBuilder().setPolicy(updatedPolicy).setResource(resource).build();
    Policy response = client.setIamPolicy(request);

    System.out.println("Policy: " + response);
    return response;
  } catch (IOException e) {
    throw new RuntimeException("Couldn't create client.", e);
  }
}
Node.js
To authenticate to Security Command Center, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
// Imports the Google Cloud client library.
const securityCenter = require('@google-cloud/security-center');

// Creates a new client (credentials come from Application Default Credentials).
const client = new securityCenter.SecurityCenterClient();
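/**
 * Grants `user` the roles/securitycenter.findingsEditor role on a source.
 *
 * setIamPolicy replaces the whole policy on the resource, so the bindings
 * already on the source are carried over and the new binding appended; the
 * etag of the policy that was read is reused so a concurrent modification
 * makes the write fail instead of being silently overwritten.
 * Resolves when the updated policy has been logged; rejects on any API error.
 */
async function setSourceIamPolicy() {
  // sourceName is the full resource name of the source to be
  // updated.
  // user is an email address that IAM can grant permissions to.
  /*
   * TODO(developer): Uncomment the following lines
   */
  // const sourceName = "organizations/111122222444/sources/1234";
  // const user = "someuser@domain.com";

  const [existingPolicy] = await client.getIamPolicy({
    resource: sourceName,
  });

  // Sending only the new binding would strip every other principal's
  // access, so start from the bindings that already exist.
  const existingBindings = existingPolicy.bindings || [];

  const [updatedPolicy] = await client.setIamPolicy({
    resource: sourceName,
    policy: {
      // Enables partial update of existing policy: the call fails if the
      // policy changed since it was read above.
      etag: existingPolicy.etag,
      bindings: [
        ...existingBindings,
        {
          role: 'roles/securitycenter.findingsEditor',
          // New IAM Binding for the user.
          members: [`user:${user}`],
        },
      ],
    },
  });
  console.log('Updated policy: %j', updatedPolicy);
}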
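// Run the sample. Report a rejected promise explicitly rather than relying
// on the runtime's unhandled-rejection behaviour, and signal failure to the
// caller through the exit code.
setSourceIamPolicy().catch(err => {
  console.error(err);
  process.exitCode = 1;
});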
Python
To authenticate to Security Command Center, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
from
google.cloud
import
securitycenter_v1
from
google.iam.v1
import
policy_pb2
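client = securitycenter_v1.SecurityCenterClient()

# 'source_name' is the resource path for a source that has been
# created previously (you can use list_sources to find a specific one).
# Its format is:
# source_name = "organizations/{organization_id}/sources/{source_id}"
# e.g.:
# source_name = "organizations/111122222444/sources/1234"

# Get the old policy so we can do an incremental update.
old_policy = client.get_iam_policy(request={"resource": source_name})
print(f"Old Policy: {old_policy}")

# Setup a new IAM binding.
binding = policy_pb2.Binding()
binding.role = "roles/securitycenter.findingsEditor"
# user_email is an e-mail address known to Cloud IAM (e.g. a gmail address).
# user_email = "user@somedomain.com"
binding.members.append(f"user:{user_email}")

# set_iam_policy replaces the whole policy, so carry over the bindings that
# already exist on the source and add the new one; sending only `binding`
# would remove every other principal's access. The e-tag does not protect
# against that: it only makes the call fail if the policy was modified
# between the read above and this write.
updated = client.set_iam_policy(
    request={
        "resource": source_name,
        "policy": {
            "etag": old_policy.etag,
            "bindings": [*old_policy.bindings, binding],
        },
    }
)
print(f"Updated Policy: {updated}")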