minor Mod 21 updates

wescpy · wescpy · commit c5bb5b6b2624 · 2022-10-05T17:12:50.000-07:00
diff --git a/mod21a-idenplat/README.md b/mod21a-idenplat/README.md
@@ -1,3 +1,5 @@
 # Module 21 - Migrate from App Engine `users` to Cloud Identity Platform
 
 This repo folder is the corresponding Python 2 code to the _forthcoming_ Module 21 codelab. The tutorial STARTs with the Python 2 code in the [Module 20 repo folder](/mod20-gaeusers) and leads developers through a migration to Cloud Identity Platform, culminating in the code in this (`mod21a-idenplat`) folder. Also included is a migration from App Engine `ndb` to Google Cloud NDB, mirroring the content covered in [Module 2](http://g.co/codelabs/pae-migrate-cloudndb). There is also a Python 3 version of the app in the [Module 21b](/mod21b-idenplat) folder.
+
+NOTE: While we generally recommend using [Google Cloud client libraries](https://cloud.google.com/apis/docs/cloud-client-libraries) for GCP API access, we have an exception here because the [final Python 2 version](https://googleapis.dev/python/cloudresourcemanager/0.30.2) of the [Cloud Resource Manager client library](https://github.com/googleapis/python-resource-manager) (before the 2.x support was deprecated) did not have an implemented [get IAM policy](https://cloud.google.com/python/docs/reference/cloudresourcemanager/latest/google.cloud.resourcemanager_v3.services.projects.ProjectsClient#google_cloud_resourcemanager_v3_services_projects_ProjectsClient_get_iam_policy) feature, hence the need to use the [lower-level Google APIs client library](https://developers.google.com/api-client-library) to access this functionality from the API. See the [Python 3 `main.py`](/mod21b-idenplat/main.py) which uses latest Resource Manager client library.
diff --git a/mod21a-idenplat/main.py b/mod21a-idenplat/main.py
@@ -25,9 +25,9 @@
 
 def _get_gae_admins():
     'return set of App Engine admins'
-    # setup constants for calling Cloud IAM Resource Manager API
+    # setup constants for calling Cloud Resource Manager API
     CREDS, PROJ_ID = default(  # Application Default Credentials and project ID
-            ['https://www.googleapis.com/auth/cloud-platform'])
+            ['https://www.googleapis.com/auth/cloudplatformprojects.readonly'])
     rm_client = discovery.build('cloudresourcemanager', 'v1', credentials=CREDS)
     _TARGETS = frozenset((     # App Engine admin roles
             'roles/viewer',
@@ -36,7 +36,7 @@ def _get_gae_admins():
             'roles/appengine.appAdmin',
     ))
 
-    # collate all users who are members of at least one GAE admin role (_TARGETS)
+    # collate users who are members of at least one GAE admin role (_TARGETS)
     admins = set()                      # set of all App Engine admins
     allow_policy = rm_client.projects().getIamPolicy(resource=PROJ_ID).execute()
     for b in allow_policy['bindings']:  # bindings in IAM allow policy
diff --git a/mod21b-idenplat/main.py b/mod21b-idenplat/main.py
@@ -24,7 +24,7 @@
 
 def _get_gae_admins():
     'return set of App Engine admins'
-    # setup constants for calling Cloud IAM Resource Manager API
+    # setup constants for calling Cloud Resource Manager API
     _, PROJ_ID = default(  # Application Default Credentials and project ID
             ['https://www.googleapis.com/auth/cloudplatformprojects.readonly'])
     rm_client = resourcemanager.ProjectsClient()
@@ -35,7 +35,7 @@ def _get_gae_admins():
             'roles/appengine.appAdmin',
     ))
 
-    # collate all users who are members of at least one GAE admin role (_TARGETS)
+    # collate users who are members of at least one GAE admin role (_TARGETS)
     admins = set()                      # set of all App Engine admins
     allow_policy = rm_client.get_iam_policy(resource='projects/%s' % PROJ_ID)
     for b in allow_policy.bindings:     # bindings in IAM allow policy
