1

I want to grant a new user bigquery.user access from java api. But somehow not able to do from the documentation provided. There is not much with respect to API calls. Can someone point me at the right direction.

I am using the below code as of now : 

package com.infy.entitlement;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.googleapis.util.Utils;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.services.cloudresourcemanager.model.GetIamPolicyRequest;
import com.google.api.services.iam.v1.Iam;
import com.google.api.services.iam.v1.IamScopes;
import com.google.api.services.iam.v1.model.Binding;
import com.google.api.services.iam.v1.model.Policy;
import com.google.api.services.iam.v1.model.SetIamPolicyRequest;




        final HttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport();
            final JsonFactory jsonFactory = Utils.getDefaultJsonFactory();
            final GoogleCredential credential = GoogleCredential
                    .getApplicationDefault(httpTransport, jsonFactory)
                    .createScoped(IamScopes.all());

            final Iam iam = new Iam.Builder(
                    httpTransport, jsonFactory, credential)
                    .setApplicationName("SS")
                    .build();

            String[] myViewers = new String[] {"user:testviewer1@gmail.com",
            "user:testviewer2@gmail.com"};

            String targetRole = "projects/***/roles/bigquery.users";

            Policy policy = iam.projects().serviceAccounts().getIamPolicy("projects/***/serviceAccounts/****").execute();

            Binding targetBinding = null;

            List<Binding> bindings = new ArrayList<Binding>();

            if(policy.getBindings() != null){
                bindings = policy.getBindings();
            }


            if(bindings != null){
                for (Binding binding : bindings) {
                    if (binding.getRole().equals(targetRole)) {
                        targetBinding = binding;
                        break;
                    }
                }
            }

            if (targetBinding == null) {
                targetBinding = new Binding();
                targetBinding.setMembers(Arrays.asList(myViewers));
                targetBinding.setRole(targetRole);
                bindings.add(targetBinding);

            }

            policy.setBindings(bindings);

            iam.projects().serviceAccounts().setIamPolicy("projects/****/serviceAccounts/******", SetIamPolicyRequest.class.newInstance().setPolicy(policy)).execute();

            System.out.println(targetBinding.getRole());
        }
    }

After executing i am getting the below error: Exception in thread "main" com.google.api.client.googleapis.json.GoogleJsonResponseException: 400 Bad Request { "code" : 400, "errors" : [ { "domain" : "global", "message" : "Role (projects/dazzling-byway-184414/roles/bigquery.users) does not exist in the resource's hierarchy.", "reason" : "badRequest" } ], "message" : "Role (projects/dazzling-byway-184414/roles/bigquery.users) does not exist in the resource's hierarchy.", "status" : "INVALID_ARGUMENT" }

Is there any particular format of passing the request?

Xiaoxia Lin
  • 736
  • 6
  • 16
Siddharth Chaurasia
  • 293
  • 4
  • 25
  • I hace even tried String targetRole = "roles/bigquery.user"; In this case i get a different error : Exception in thread "main" com.google.api.client.googleapis.json.GoogleJsonResponseException: 400 Bad Request { "code" : 400, "errors" : [ { "domain" : "global", "message" : "Role roles/bigquery.user is not supported for this resource.", "reason" : "badRequest" } ], "message" : "Role roles/bigquery.user is not supported for this resource.", "status" : "INVALID_ARGUMENT" } – Siddharth Chaurasia Jun 12 '18 at 17:22
  • From the [sample code](https://cloud.google.com/iam/docs/granting-changing-revoking-access#granting_access_to_team_members), **String targetRole = "viewers"** doesn't include "projects/***/roles/". Can you try with just ["bigquery.user"](https://cloud.google.com/bigquery/docs/access-control#roles) ? – Xiaoxia Lin Jun 14 '18 at 13:50

1 Answers1

2

I agree with the comment left by Xiaoxia that you should try using “bigquery.user” as the target role.

To answer your other question on finding more documentation on the Java API for IAM access, I would look at this link for getting the IAM policy, and this link for setting the IAM policy. Near the top in the example Java code, you will find instructions in setting up your environment for using the Java API for IAM access. The example Java code also serves as a reference for what you want to do.

Kevin Chien
  • 99
  • 5
  • I tried the sample code from the documentation link you provided, and found for your purpose of assigning BigQuery user role to existing users, you will need to use “roles/bigquery.user” as the target role, not “bigquery.user” that I previously suggested. Please see [this link for the reference to the role names](https://cloud.google.com/bigquery/docs/access-control#roles). – Kevin Chien Jun 18 '18 at 13:02