Google Cloud IAM gRPC Client Library

0.14.3 · active · verified Sat Mar 28

The `grpc-google-iam-v1` library provides the low-level gRPC client and Protocol Buffer definitions for interacting with the Google Cloud Identity and Access Management (IAM) API. It handles the underlying gRPC communication and data serialization/deserialization. As per Google's official recommendation, this library is generally not intended for direct use by application developers. Instead, the higher-level, idiomatic Python clients like `google-cloud-iam` (which might delegate to `google-cloud-resource-manager` or `google-cloud-iam-admin` for specific IAM operations) should be used. The current version is 0.14.3, and it's part of the regularly updated google-cloud-python ecosystem.

Warnings

gotcha This library (`grpc-google-iam-v1`) is a low-level gRPC client and is generally not recommended for direct application use. For idiomatic Python interaction with Google Cloud IAM, prefer using the `google-cloud-iam` client library, or more specific clients like `google-cloud-resource-manager` for project-level policies, or `google-cloud-iam-admin` for service account/custom role management. [5, 6]
Fix: Install `google-cloud-iam` (`pip install google-cloud-iam`) and use its provided client classes (e.g., `from google.cloud import resourcemanager_v3`).
breaking IAM Policy versions and `etag` field are crucial for safe updates. If you modify an IAM policy (especially with conditional bindings) without specifying the correct `etag` from the latest `get_iam_policy` call, your changes might overwrite concurrent updates or lead to unintended loss of conditional bindings. Version 3 policies *require* the `etag` for updates. [24]
Fix: Always retrieve the current policy (including its `etag`) before making modifications. Include the `etag` in your `SetIamPolicyRequest` to ensure optimistic concurrency control. For conditional bindings, always specify `version=3` in the Policy object.
gotcha Dependency conflicts, especially with `grpc-google-iam-v1`, have historically been a source of issues within the `google-cloud-python` ecosystem when different high-level client libraries pinned incompatible versions. While this is less common with newer releases, it can still occur if mixing older versions or non-standard packages. [20]
Fix: Use a virtual environment for each project. Explicitly pin major versions of your Google Cloud client libraries (e.g., `google-cloud-compute==X.*`, `google-cloud-storage==Y.*`) in `requirements.txt` to mitigate unexpected dependency resolution issues.
gotcha Authentication is a common point of failure. Ensure your environment variables (`GOOGLE_APPLICATION_CREDENTIALS`) or `gcloud` configuration (`gcloud auth application-default login`) are correctly set up, and that the authenticated principal has the necessary IAM permissions (e.g., `roles/resourcemanager.projectIamAdmin` for managing project policies).
Fix: Verify authentication setup: `gcloud auth application-default print-access-token` should return a token. Check IAM permissions for the principal making the API calls against the specific resource.

Install

pip install grpc-google-iam-v1 Install grpc-google-iam-v1

Imports

IamPolicyStub
```
from google.iam.v1 import iam_policy_pb2_grpc
```
This is the low-level gRPC stub. Most applications should use a higher-level client like `google.cloud.resourcemanager_v3.ProjectsClient` for idiomatic IAM policy management.
Policy
```
from google.iam.v1 import policy_pb2
```
Protobuf message definition for IAM policies. Used by both low-level gRPC and higher-level clients.
GetIamPolicyRequest
```
from google.iam.v1 import iam_policy_pb2
```
Protobuf message definition for getting IAM policies. Used by both low-level gRPC and higher-level clients.

Quickstart

This quickstart demonstrates how to programmatically get, modify, and set an IAM policy on a Google Cloud project using the higher-level `google-cloud-resource-manager` library. This is the recommended approach for interacting with IAM policies in Python, as `grpc-google-iam-v1` is a low-level client. The example shows how to retrieve the current policy, add a 'Viewer' role binding for a specified member, and then clean up by removing that member. Ensure you have authenticated to Google Cloud and set the `GOOGLE_CLOUD_PROJECT` environment variable.

import os
from google.cloud import resourcemanager_v3
from google.iam.v1 import iam_policy_pb2, policy_pb2

# NOTE: This quickstart demonstrates how to manage IAM policies using the
# recommended `google-cloud-resource-manager` library, which is built on top of
# the underlying IAM Policy API (v1) that `grpc-google-iam-v1` implements.
# Direct usage of `grpc-google-iam-v1` is generally discouraged.

# Set your Google Cloud project ID. Ensure you have authenticated
# (e.g., `gcloud auth application-default login` or GOOGLE_APPLICATION_CREDENTIALS)
project_id = os.environ.get('GOOGLE_CLOUD_PROJECT', 'your-gcp-project-id')
if project_id == 'your-gcp-project-id':
    raise ValueError("Please set the 'GOOGLE_CLOUD_PROJECT' environment variable or replace 'your-gcp-project-id'.")

project_resource = f'projects/{project_id}'

try:
    # Initialize the Resource Manager client
    client = resourcemanager_v3.ProjectsClient()

    # 1. Get the current IAM policy for the project
    get_request = iam_policy_pb2.GetIamPolicyRequest(resource=project_resource)
    current_policy = client.get_iam_policy(request=get_request)
    print(f"Current policy for {project_resource}:")
    print(current_policy)

    # 2. Modify the policy (e.g., add a new member with a role)
    # IMPORTANT: Always read the existing policy, modify it, then write it back
    # to avoid overwriting changes made by others. Use etag for concurrency control.
    new_policy = policy_pb2.Policy(version=current_policy.version, etag=current_policy.etag)
    new_policy.bindings.extend(current_policy.bindings)

    # Example: Add a new member (e.g., a user or service account) with the Viewer role
    # Replace 'user:example@example.com' with a valid member ID
    new_member = "user:example@example.com"
    new_role = "roles/viewer"

    found_binding = False
    for binding in new_policy.bindings:
        if binding.role == new_role:
            if new_member not in binding.members:
                binding.members.append(new_member)
                print(f"Added {new_member} to role {new_role}.")
            else:
                print(f"{new_member} already in role {new_role}.")
            found_binding = True
            break

    if not found_binding:
        new_binding = policy_pb2.Binding(role=new_role, members=[new_member])
        new_policy.bindings.append(new_binding)
        print(f"Created new binding for role {new_role} and added {new_member}.")

    # 3. Set the modified IAM policy
    set_request = iam_policy_pb2.SetIamPolicyRequest(
        resource=project_resource,
        policy=new_policy,
        update_mask=iam_policy_pb2.FieldMask(paths=["bindings", "etag"])
    )
    updated_policy = client.set_iam_policy(request=set_request)
    print(f"\nUpdated policy for {project_resource}:")
    print(updated_policy)

    # 4. Clean up: Remove the added member (optional)
    cleanup_policy = policy_pb2.Policy(version=updated_policy.version, etag=updated_policy.etag)
    cleanup_policy.bindings.extend(updated_policy.bindings)

    for binding in cleanup_policy.bindings:
        if binding.role == new_role and new_member in binding.members:
            binding.members.remove(new_member)
            print(f"\nRemoved {new_member} from role {new_role}.")
            break

    cleanup_request = iam_policy_pb2.SetIamPolicyRequest(
        resource=project_resource,
        policy=cleanup_policy,
        update_mask=iam_policy_pb2.FieldMask(paths=["bindings", "etag"])
    )
    client.set_iam_policy(request=cleanup_request)
    print("Cleanup complete.")

except Exception as e:
    print(f"An error occurred: {e}")
    print("Ensure 'GOOGLE_CLOUD_PROJECT' is set and you have 'roles/resourcemanager.projectIamAdmin' or equivalent permissions.")

view raw JSON →