(A single, complete) Cloud Client Library for IAM

[rrrix]

I'm cross-posting this from googleapis/google-cloud-python #10643, because it's not clear where's actually supposed to go...

---

Hi Googlers,

I'm requesting the Identity and Access Management IAM API (e.g. https://iam.googleapis.com) be added as a supported Python Cloud Client Library.

I believe it is both reasonable and expected for the existing Identity and Access Management (python-iam) package fully support all IAM APIs. That was my first place to look for working with IAM Roles, Permissions, and Service Accounts. I thought my brain was having a short circuit and that I made a mistake when I saw what is really only the Service Account Credentials API (e.g. https://iamcredentials.googleapis.com).

As far as code generation goes, googleapis/googleapis has full and complete definitions for all IAM APIs:

• iam/admin/v1/iam.proto
  • Endpoint: iam.googleapis.com
  • All Standard Methods (List, Get, Create, Update, Delete) for All admin/v1 Resources (Service Accounts, Service Account Keys, Roles, Permissions)
  • All Custom Methods (TestIamPermissions, QueryGrantableRoles, QueryTestablePermissions, QueryAuditableServices, LintPolicy)
• iam/credentials/v1/iamcredentials.proto
  • This is currently the only API that is already in the python-iam package.
  • Endpoint: iamcredentials.googleapis.com
  • All Methods: GenerateAccessToken, GenerateIdToken, SignBlob, SignJwt
• iam/v1/iam_policy.proto
  • Endpoint: iam-meta-api.googleapis.com
  • All Standard Methods (SetIamPolicy, GetIamPolicy, TestIamPermissions)
  • Requires iam/v1/policy.proto
• iam/v1beta/workload_identity_pool.proto
  • Endpoint: iam.googleapis.com
  • All Standard Methods (List, Get, Create, Update, Delete) for v1beta Workload Identity Pools
• iam/v2beta/policy.proto and iam/v2beta/deny.proto
  • Endpoint: iam.googleapis.com
  • The new and very awesome v2beta IAM Policies API
  • CRUDL for IAM Policies
  • Includes the new Deny policies API

I was a little surprised to find IAM does not have complete support in the Python Cloud Client Libraries. Seems like an oversight? I mean... You can't really do Google Cloud without IAM... :)

Also, it might be worth looking at how the current "IAM" libraries are named / described, since it's very confusing unless you take a few hours to read through all of the code and documentation for each of the packages (as I did).

To be honest, it was a poor developer/user experience constantly being directed to use Client Libraries that don't exist.

Currently, Python Cloud Client Libraries lists two different versions of "Identity and Access Management" packages, one "IAM Logging Protos" package and one "IAM Policy Troubleshooter API" package listed in the README:

• Identity and Access Management (python-iam)
• Identity and Access Management (python-grpc-google-iam-v1)
• IAM Logging Protos (python-iam-logging)
• IAM Policy Troubleshooter API (python-policy-troubleshooter)

I'm not sure why the first two are both called "Identity and Access Management" when neither of them are full IAM APIs. The "IAM Logging Protos" is the only library appropriately named for its specific limited subset of IAM functionality.

The python-grpc-google-iam-v1 package is even more mysterious, as it a single subdirectory (iam/v1/) which appears to be generated or copied from the googleapis/google/iam interface definitions. 🤔

I hope we can get a nice idiomatic & Pythonic Google Cloud IAM SDK at some point. Thanks in advance!

[parthea]

Thanks for the feedback @rrrix! This is definitely something that needs to be fixed. I'll investigate if it's possible to make improvements in a non-breaking way. I've labeled this as a bug and added it to our internal backlog.

[simon-anz]

100% agree, and had the same experience. It seems like a strange omission to not have nice APIs for IAM, and have to use the old-style dynamic client (ugh). Things like listing roles, etc

Compare the service approach which returns typeless dict:

    creds, _ = google.auth.default()
    service = discovery.build('iam', 'v1', credentials=creds)
    request = service.roles().list(view='FULL')

Vs below (example) which returns nicely typed structure

    res = asset_v1.AssetServiceClient(credentials=creds).search_all_iam_policies(scope=scope, query=query)

[alsyia]

Any update on this? What's the preferred way to, for example, get the list of all service accounts?

[andrew-kline]

Any update on this? What's the preferred way to, for example, get the list of all service accounts?

AFAIK the only way is to use the API wrapper client and build the service through it (here is the example: https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts/list).

I have to double down on my support for this - particularly for this service, but also for others (DNS, for example). IAM is a foundational aspect of writing applications that interact with GCP and I feel like I spend 90% of my time trying to decipher and compare what's available to me between the client libraries and the APIs.

[alsyia]

Any update on this? What's the preferred way to, for example, get the list of all service accounts?

AFAIK the only way is to use the API wrapper client and build the service through it (here is the example: https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts/list).

I have to double down on my support for this - particularly for this service, but also for others (DNS, for example). IAM is a foundational aspect of writing applications that interact with GCP and I feel like I spend 90% of my time trying to decipher and compare what's available to me between the client libraries and the APIs.

Thanks for the answer! That's indeed what I ended up doing.

+1 for a proper IAM support...

[parthea]

I'm going to transfer this issue to the google-cloud-python repository. The code in this repository will be migrated there within the next few weeks.