@@ -632,6 +632,38 @@ left join iam_scope_org
632632 app_token_global.public_id;
633633 `
634634
635+ // grantsForGlobalTokenProjectResourcesRecursiveQuery gets a global app token's grants for resources
636+ // applicable to the project scope.
637+ grantsForGlobalTokenProjectResourcesRecursiveQuery = `
638+ select app_token_permission_global.private_id as permission_id,
639+ app_token_permission_global.description,
640+ app_token_permission_global.create_time,
641+ app_token_permission_global.grant_this_scope,
642+ app_token_permission_global.grant_scope,
643+ app_token_global.public_id as app_token_id,
644+ array_agg(distinct app_token_permission_grant.canonical_grant) as canonical_grants,
645+ array_agg(distinct iam_scope_project.scope_id) as active_grant_scopes
646+ from app_token_global
647+ join app_token_permission_global
648+ on app_token_global.public_id = app_token_permission_global.app_token_id
649+ and app_token_global.public_id = any(@app_token_ids)
650+ join app_token_permission_grant
651+ on app_token_permission_global.private_id = app_token_permission_grant.permission_id
652+ join iam_grant
653+ on app_token_permission_grant.canonical_grant = iam_grant.canonical_grant
654+ and iam_grant.resource = any(@resources)
655+ left join app_token_permission_global_individual_project_grant_scope proj_grants
656+ on app_token_permission_global.private_id = proj_grants.permission_id
657+ left join iam_scope_project
658+ on proj_grants.scope_id = iam_scope_project.scope_id
659+ group by app_token_permission_global.private_id,
660+ app_token_permission_global.description,
661+ app_token_permission_global.create_time,
662+ app_token_permission_global.grant_this_scope,
663+ app_token_permission_global.grant_scope,
664+ app_token_global.public_id;
665+ `
666+
635667 estimateCountRoles = `
636668 select reltuples::bigint as estimate from pg_class where oid in ('iam_role'::regclass)
637669 `
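Review bot: In `grantsForGlobalTokenProjectResourcesRecursiveQuery`, `array_agg(distinct iam_scope_project.scope_id)` aggregates over two left joins, so a permission with no individual project grant scope returns `active_grant_scopes` as `{NULL}` rather than an empty array. These rows describe what a token is granted, so the caller must read that NULL element as "no scope" and never as a match; the scanning code is not visible in this hunk, so this may already be handled. If it is not, `array_agg(distinct iam_scope_project.scope_id) filter (where iam_scope_project.scope_id is not null) as active_grant_scopes` yields NULL instead of a one-element array, and either way the doc comment should say which form callers receive. The comment could also state that rows are not filtered on `grant_scope` or `grant_this_scope`, which appears to leave it to the caller to decide which permissions actually reach a project. The enclosing declaration block starts and ends outside the hunk.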