MarkEdmondson1234 / googleAuthR

Google API Client Library for R. Easy authentication and help to build Google API R libraries with OAuth2. Shiny compatible.
https://code.markedmondson.me/googleAuthR

Setup service accounts programmatically #178

Closed MarkEdmondson1234 closed 4 years ago

MarkEdmondson1234 commented 4 years ago

It would be helpful for a user OAuth2 token to be able to set up service emails. That way, for setups, a user can log in the "easy" way with high permissions, and those permissions can be used to create a service email with locked-down permissions.

https://cloud.google.com/iam/docs/creating-managing-service-accounts#iam-service-accounts-create-rest

To create a service account, at minimum the user must be granted the Service Account Admin role (roles/iam.serviceAccountAdmin) or the Editor primitive role (roles/editor).

POST https://iam.googleapis.com/v1/projects/[PROJECT-ID]/serviceAccounts
{
    "accountId": "[SA-NAME]",
    "serviceAccount": {
        "description": "[SA-DESCRIPTION]",
        "displayName": "[SA-DISPLAY-NAME]"
    }
}

https://cloud.google.com/iam/docs/granting-roles-to-service-accounts#granting_access_to_a_service_account_for_a_resource

The following POST request uses the projects.setIamPolicy() method to grant editor access to a service account my-sa-123 for the project my-project-123. The request body must contain the new policy that grants permissions to the service account. Each role can have multiple members.

POST https://cloudresourcemanager.googleapis.com/v1/projects/my-project-123:setIamPolicy

{
    "policy":
    {
        "version": 1,
        "etag": "BwUqMvZQGfo=",
        "bindings": [
        {
            "role": "roles/editor",
            "members": [
                "serviceAccount:my-sa-123@my-project-123.iam.gserviceaccount.com",
                "user:robin@example.com"
            ]
        },
        {
            "role": "roles/owner",
            "members": [
                "user:hollis@example.com"
            ]
        },
        {
            "role": "roles/viewer",
            "members": [
                "user:john@example.com"
            ]
        },
        {
            "role": "roles/iam.serviceAccountUser",
            "members": [
                "user:robin@example.com"
            ]
        }
        ]
    }
}
MarkEdmondson1234 commented 4 years ago

library(googleAuthR)
gar_set_client(scopes = "https://www.googleapis.com/auth/cloud-platform")
gar_auth()
gar_service_create("test12345678", "my-project")

gar_service_grant_roles("test12345678@my-project.iam.gserviceaccount.com",
                        role = "roles/editor",
                        projectId = "my-project")

gar_service_key("test12345678", "my-project", "my-auth.json")

gar_service_key_list("test12345678", "my-project")
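Added example (not the package's own code and not Google's documentation): the read-modify-write that the setIamPolicy request quoted above requires, which is why the documented body carries every existing binding, and which is what a role-granting helper such as gar_service_grant_roles has to do under the hood. The project id, service account email and role below are placeholders, and `add_member` is a hypothetical helper written here.

```r
library(googleAuthR)

# Placeholder values for this example; substitute your own.
project_id <- "my-project"
sa_email   <- "test12345678@my-project.iam.gserviceaccount.com"
# Prefer a narrow role over roles/editor when the service account only needs one thing.
role       <- "roles/bigquery.jobUser"

crm <- paste0("https://cloudresourcemanager.googleapis.com/v1/projects/", project_id)

# getIamPolicy returns the full current policy, including its etag.
get_policy <- gar_api_generator(paste0(crm, ":getIamPolicy"), "POST",
                                data_parse_function = function(x) x,
                                simplifyVector = FALSE)

# setIamPolicy REPLACES the whole policy: anything not in the body is removed.
set_policy <- gar_api_generator(paste0(crm, ":setIamPolicy"), "POST",
                                data_parse_function = function(x) x,
                                simplifyVector = FALSE)

# Hypothetical helper: add one member to one role binding, keeping every other
# binding and member untouched so no existing access is silently dropped.
add_member <- function(policy, role, member) {
  is_role <- vapply(policy$bindings, function(b) identical(b$role, role), logical(1))
  idx <- which(is_role)
  if (length(idx) == 0) {
    policy$bindings[[length(policy$bindings) + 1]] <- list(role = role, members = list(member))
  } else if (!(member %in% unlist(policy$bindings[[idx]]$members))) {
    policy$bindings[[idx]]$members <- c(policy$bindings[[idx]]$members, list(member))
  }
  policy
}

gar_auth()  # user token; needs permission to set IAM policy on the project
current <- get_policy()
updated <- add_member(current, role, paste0("serviceAccount:", sa_email))

# The etag read above is sent back unchanged: if someone modified the policy in
# between, the API rejects the write instead of letting this call overwrite it.
result <- set_policy(the_body = list(policy = updated))
str(result$bindings)
```

Re-running the block is idempotent because `add_member` skips a member that is already in the binding.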
MarkEdmondson1234 commented 4 years ago

All wrapped up in gar_service_provision():

gar_service_provision("my-service-account", 
                      c("roles/viewer", "roles/bigquery.jobUser"))
# 2020-04-23 12:20:09> Writing secret auth JSON key to my-service-account-auth-key.json
MarkEdmondson1234 commented 4 years ago

Don't use this yet in production, testing

MarkEdmondson1234 commented 4 years ago

It's ok now, in CRAN version 1.2.1