fix(iam): fix tests in cloud-client/snippets (#13097)

* fix(iam): proof of concept to check if it passes Kokoro CI

* fix(iam): WIP comment unused import

* fix(iam): add exponential backoff to quickstart_test.py::test_member

* fix(iam): fixes for linting

* fix(iam): fix create_servce_account.py to be run from CLI

* fix(iam): format create_deny_policy.py

* fix(iam): format iam_check_permissions.py

* fix(iam): add exponential backoff to service account creation, and enable failing test

* fix(iam): fix Kokoro CI failing for quickstart_test.py

* fix(iam): fix linting in quickstart_test

* fix(iam): add exponentia backoff to test_service_account

* fix(iam): fix linting in test_service_account.py

* fix(iam): format disable_service_account.py

* fix(iam): format modify_policy_add_member.py

* fix(iam): format query_testable_permissions.py

* fix(iam): update requirements.txt to latest dependencies

* fix(iam): fix return value in service_account_email fixture

* fix(iam): unify style across the folder and resolve linter suggestions

* fix(iam): add more time to sleep to fix failing test

* fix(iam): add exponential backoff to test_service_account_key

* fix(iam): fix linting for test_service_account_key

* fix(iam): fix fixture for test_service_account_key.py

* fix(iam): add messages to quickstart_test

* fix(iam): add backoff to 'test_disable_role' to fix "Please retry the whole read-modify-write with exponential backoff."

Author: eapl-gemugami

iam/cloud-client/snippets/conftest.py

@@ -31,7 +31,7 @@
 from snippets.get_role import get_role
 
 PROJECT = google.auth.default()[1]
-GOOGLE_APPLICATION_CREDENTIALS = os.environ["IAM_CREDENTIALS"]
+GOOGLE_APPLICATION_CREDENTIALS = os.getenv("IAM_CREDENTIALS", "")
 
 
 @pytest.fixture
@@ -87,6 +87,7 @@ def iam_role() -> str:
     role_id = f"{role_prefix}_{uuid.uuid4().hex[:10]}"
     permissions = ["iam.roles.get", "iam.roles.list"]
     title = "test_role_title"
+
     # Delete any iam roles with `role_prefix` prefix. Otherwise, it might throw quota issue.
     delete_iam_roles_by_prefix(PROJECT, role_prefix)
     created = False
@@ -103,12 +104,12 @@ def iam_role() -> str:
 
 
 def delete_iam_roles_by_prefix(iam_role: str, delete_name_prefix: str) -> None:
-    """
-    Helper function to clean-up roles starting with a prefix
+    """Helper function to clean-up roles starting with a prefix.
+
     Args:
         iam_role: project id
-        delete_name_prefix: start of the role id to be deleted. F.e. "test-role" in role id "test-role-123"
-
+        delete_name_prefix: start of the role id to be deleted.
+        F.e. "test-role" in role id "test-role-123"
     """
     client = IAMClient()
     parent = f"projects/{PROJECT}"

iam/cloud-client/snippets/create_deny_policy.py

@@ -14,27 +14,29 @@
 
 # This file contains code samples that demonstrate how to create IAM deny policies.
 
-# [START iam_create_deny_policy]
+import os
 
 
+# [START iam_create_deny_policy]
 def create_deny_policy(project_id: str, policy_id: str) -> None:
+    """Create a deny policy.
+
+    You can add deny policies to organizations, folders, and projects.
+    Each of these resources can have up to 5 deny policies.
+
+    Deny policies contain deny rules, which specify the following:
+    1. The permissions to deny and/or exempt.
+    2. The principals that are denied, or exempted from denial.
+    3. An optional condition on when to enforce the deny rules.
+
+    Params:
+    project_id: ID or number of the Google Cloud project you want to use.
+    policy_id: Specify the ID of the deny policy you want to create.
+    """
+
     from google.cloud import iam_v2
     from google.cloud.iam_v2 import types
 
-    """
-      Create a deny policy.
-      You can add deny policies to organizations, folders, and projects.
-      Each of these resources can have up to 5 deny policies.
-
-      Deny policies contain deny rules, which specify the following:
-      1. The permissions to deny and/or exempt.
-      2. The principals that are denied, or exempted from denial.
-      3. An optional condition on when to enforce the deny rules.
-
-      Params:
-      project_id: ID or number of the Google Cloud project you want to use.
-      policy_id: Specify the ID of the deny policy you want to create.
-    """
     policies_client = iam_v2.PoliciesClient()
 
     # Each deny policy is attached to an organization, folder, or project.
@@ -108,11 +110,11 @@ def create_deny_policy(project_id: str, policy_id: str) -> None:
     import uuid
 
     # Your Google Cloud project ID.
-    project_id = "your-google-cloud-project-id"
+    PROJECT_ID = os.getenv("GOOGLE_CLOUD_PROJECT", "your-google-cloud-project-id")
+
     # Any unique ID (0 to 63 chars) starting with a lowercase letter.
     policy_id = f"deny-{uuid.uuid4()}"
 
     # Test the policy lifecycle.
-    create_deny_policy(project_id, policy_id)
-
+    create_deny_policy(PROJECT_ID, policy_id)
 # [END iam_create_deny_policy]

iam/cloud-client/snippets/create_key.py

@@ -14,6 +14,8 @@
 
 # This file contains code samples that demonstrate how to get create IAM key for service account.
 
+import os
+
 # [START iam_create_key]
 from google.cloud import iam_admin_v1
 from google.cloud.iam_admin_v1 import types
@@ -41,8 +43,6 @@ def create_key(project_id: str, account: str) -> types.ServiceAccountKey:
     # key_id = json_key_data["private_key_id"]
 
     return key
-
-
 # [END iam_create_key]
 
 
@@ -51,10 +51,12 @@ def create_key(project_id: str, account: str) -> types.ServiceAccountKey:
     # iam.serviceAccountKeys.create permission (roles/iam.serviceAccountKeyAdmin)
 
     # Your Google Cloud project ID.
-    project_id = "your-google-cloud-project-id"
+    PROJECT_ID = os.getenv("GOOGLE_CLOUD_PROJECT", "your-google-cloud-project-id")
+
     # Existing service account name within the project specified above.
     account_name = "test-account-name"
+
     # Note: If you have different email format, you can just paste it directly
-    email = f"{account_name}@{project_id}.iam.gserviceaccount.com"
+    email = f"{account_name}@{PROJECT_ID}.iam.gserviceaccount.com"
 
-    create_key(project_id, email)
+    create_key(PROJECT_ID, email)

iam/cloud-client/snippets/create_role.py

@@ -12,6 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+import os
+
 # [START iam_create_role]
 from typing import List, Optional
 
@@ -22,8 +24,8 @@
 def create_role(
     project_id: str, role_id: str, permissions: List[str], title: Optional[str] = None
 ) -> Role:
-    """
-    Creates iam role with given parameters.
+    """Creates iam role with given parameters.
+
     Args:
         project_id: GCP project id
         role_id: id of GCP iam role
@@ -51,16 +53,14 @@ def create_role(
         print(
             f"Role with id [{role_id}] already exists and in deleted state, take some actions"
         )
-
-
 # [END iam_create_role]
 
 
 if __name__ == "__main__":
-    import google.auth
+    # Your Google Cloud project ID.
+    PROJECT_ID = os.getenv("GOOGLE_CLOUD_PROJECT", "your-google-cloud-project-id")
 
-    PROJECT = google.auth.default()[1]
     role_id = "custom1_python"
     permissions = ["iam.roles.get", "iam.roles.list"]
     title = "custom1_python_title"
-    create_role(PROJECT, role_id, permissions, title)
+    create_role(PROJECT_ID, role_id, permissions, title)

iam/cloud-client/snippets/create_service_account.py

@@ -12,7 +12,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# This file contains code samples that demonstrate how to get create service account.
+# This file contains code samples that demonstrate
+# how to create a service account.
+
+import os
 
 # [START iam_create_service_account]
 from typing import Optional
@@ -24,12 +27,14 @@
 def create_service_account(
     project_id: str, account_id: str, display_name: Optional[str] = None
 ) -> types.ServiceAccount:
-    """
-    Creates a service account.
+    """Creates a service account.
 
     project_id: ID or number of the Google Cloud project you want to use.
     account_id: ID which will be unique identifier of the service account
-    display_name (optional): human-readable name, which will be assigned to the service account
+    display_name (optional): human-readable name, which will be assigned
+        to the service account
+
+    return: ServiceAccount
     """
 
     iam_admin_client = iam_admin_v1.IAMClient()
@@ -46,8 +51,6 @@ def create_service_account(
 
     print(f"Created a service account: {account.email}")
     return account
-
-
 # [END iam_create_service_account]
 
 
@@ -56,9 +59,10 @@ def create_service_account(
     # iam.serviceAccounts.create permission (roles/iam.serviceAccountCreator)
 
     # Your Google Cloud project ID.
-    project_id = "your-google-cloud-project-id"
+    PROJECT_ID = os.getenv("GOOGLE_CLOUD_PROJECT", "your-google-cloud-project-id")
 
     # Existing service account name within the project specified above.
-    account_id = account_name = "test-service-account"
+    ACCOUNT_ID = os.getenv("ACCOUNT_ID", "test-service-account")
+    DISPLAY_NAME = ACCOUNT_ID
 
-    create_service_account(project_id, account_id, account_name)
+    create_service_account(PROJECT_ID, ACCOUNT_ID, DISPLAY_NAME)

iam/cloud-client/snippets/delete_deny_policy.py

@@ -14,18 +14,20 @@
 
 # This file contains code samples that demonstrate how to delete IAM deny policies.
 
+import os
+
 
 # [START iam_delete_deny_policy]
 def delete_deny_policy(project_id: str, policy_id: str) -> None:
-    from google.cloud import iam_v2
-    from google.cloud.iam_v2 import types
-
-    """
-    Delete the policy if you no longer want to enforce the rules in a deny policy.
+    """Delete the policy if you no longer want to enforce the rules in a deny policy.
 
     project_id: ID or number of the Google Cloud project you want to use.
     policy_id: The ID of the deny policy you want to retrieve.
     """
+
+    from google.cloud import iam_v2
+    from google.cloud.iam_v2 import types
+
     policies_client = iam_v2.PoliciesClient()
 
     # Each deny policy is attached to an organization, folder, or project.
@@ -54,10 +56,10 @@ def delete_deny_policy(project_id: str, policy_id: str) -> None:
     import uuid
 
     # Your Google Cloud project ID.
-    project_id = "your-google-cloud-project-id"
+    PROJECT_ID = os.getenv("GOOGLE_CLOUD_PROJECT", "your-google-cloud-project-id")
+
     # Any unique ID (0 to 63 chars) starting with a lowercase letter.
     policy_id = f"deny-{uuid.uuid4()}"
 
-    delete_deny_policy(project_id, policy_id)
-
+    delete_deny_policy(PROJECT_ID, policy_id)
 # [END iam_delete_deny_policy]

iam/cloud-client/snippets/delete_key.py

@@ -14,14 +14,15 @@
 
 # This file contains code samples that demonstrate how to get delete IAM key for service account.
 
+import os
+
 # [START iam_delete_key]
 from google.cloud import iam_admin_v1
 from google.cloud.iam_admin_v1 import types
 
 
 def delete_key(project_id: str, account: str, key_id: str) -> None:
-    """
-    Deletes a key for a service account.
+    """Deletes a key for a service account.
 
     project_id: ID or number of the Google Cloud project you want to use.
     account: ID or email which is unique identifier of the service account.
@@ -34,8 +35,6 @@ def delete_key(project_id: str, account: str, key_id: str) -> None:
 
     iam_admin_client.delete_service_account_key(request=request)
     print(f"Deleted key: {key_id}")
-
-
 # [END iam_delete_key]
 
 
@@ -44,12 +43,13 @@ def delete_key(project_id: str, account: str, key_id: str) -> None:
     # iam.serviceAccountKeys.delete permission (roles/iam.serviceAccountKeyAdmin)
 
     # Your Google Cloud project ID.
-    project_id = "your-google-cloud-project-id"
+    PROJECT_ID = os.getenv("GOOGLE_CLOUD_PROJECT", "your-google-cloud-project-id")
+
     # Existing service account name within the project specified above.
     account_name = "test-account-name"
     # Existing ID of the key
     key_id = "your-key-id"
     # Note: If you have different email format, you can just paste it directly
-    email = f"{account_name}@{project_id}.iam.gserviceaccount.com"
+    email = f"{account_name}@{PROJECT_ID}.iam.gserviceaccount.com"
 
-    delete_key(project_id, email, key_id)
+    delete_key(PROJECT_ID, email, key_id)

iam/cloud-client/snippets/delete_role.py

@@ -12,6 +12,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+import os
+
+
 # [START iam_delete_role]
 # [START iam_undelete_role]
 from google.api_core.exceptions import FailedPrecondition, NotFound
@@ -21,15 +24,13 @@
     Role,
     UndeleteRoleRequest,
 )
-
 # [END iam_undelete_role]
 # [END iam_delete_role]
 
 
 # [START iam_delete_role]
 def delete_role(project_id: str, role_id: str) -> Role:
-    """
-    Deletes iam role in GCP project. Can be undeleted later
+    """Deletes iam role in GCP project. Can be undeleted later.
     Args:
         project_id: GCP project id
         role_id: id of GCP iam role
@@ -47,20 +48,16 @@ def delete_role(project_id: str, role_id: str) -> Role:
         print(f"Role with id [{role_id}] not found, take some actions")
     except FailedPrecondition as err:
         print(f"Role with id [{role_id}] already deleted, take some actions)", err)
-
-
 # [END iam_delete_role]
 
 
 # [START iam_undelete_role]
 def undelete_role(project_id: str, role_id: str) -> Role:
-    """
-    Undeleted deleted iam role in GCP project
+    """Undeleted deleted iam role in GCP project.
+
     Args:
         project_id: GCP project id
         role_id: id of GCP iam role
-
-    Returns: google.cloud.iam_admin_v1.Role object
     """
     client = IAMClient()
     name = f"projects/{project_id}/roles/{role_id}"
@@ -73,15 +70,13 @@ def undelete_role(project_id: str, role_id: str) -> Role:
         print(f"Role with id [{role_id}] not found, take some actions")
     except FailedPrecondition as err:
         print(f"Role with id [{role_id}] is not deleted, take some actions)", err)
-
-
 # [END iam_undelete_role]
 
 
 if __name__ == "__main__":
-    import google.auth
+    # Your Google Cloud project ID.
+    PROJECT_ID = os.getenv("GOOGLE_CLOUD_PROJECT", "your-google-cloud-project-id")
 
-    PROJECT = google.auth.default()[1]
     role_id = "custom1_python"
-    delete_role(PROJECT, role_id)
-    undelete_role(PROJECT, role_id)
+    delete_role(PROJECT_ID, role_id)
+    undelete_role(PROJECT_ID, role_id)