如何在谷歌云平台 (GCP) 中跨服务 (API)、资源类型和项目列出、查找或搜索 iam 策略? [英] How to list, find, or search iam policies across services (APIs), resource types, and projects in google cloud platform (GCP)?
问题描述
在 Google Cloud Platform (GCP) 中,您只能通过调用 getIamPolicy(gcloud 中的 get-iam-policy)来获取特定资源的 IAM 政策.
In Google Cloud Platform (GCP), you can only get the IAM policy for a specific resource by calling getIamPolicy (get-iam-policy in gcloud).
是否可以列出、搜索、列出、搜索或查找跨资源、服务或项目的 IAM 策略?
Is there a way to list, search, list, search, or find IAM policies across resources, services, or projects?
这需要回答以下问题:
- 服务帐号有哪些角色?
- 哪些资源是公开共享的?
- 政策是否包含已删除的用户?
- 用户离开我公司后是否仍会出现在任何政策中?
- 用户是否具有给定的角色?
推荐答案
您可以使用 search-all-iam-policies 在项目、文件夹或组织内跨服务、资源类型、项目搜索所有 IAM 策略.
You can use search-all-iam-policies to search all the IAM policies across services, resource types, projects within a project, folder, or organization.
要浏览编号为 123 的项目中的政策(请注意,只有 支持列出的资源类型):
To browse policies in a project with number 123 (note that only policies for the listed resource types are supported):
gcloud asset search-all-iam-policies --scope=projects/123
谁在我的组织中拥有所有者角色?
Who has the role Owner in my org?
gcloud asset search-all-iam-policies --scope=organizations/456 --query="policy:roles/owner"
谁可以更改我组织中的项目 IAM 政策?
Who can change project IAM policies in my org?
--query='policy.role.permissions:resourcemanager.projects.setIamPolicy'
帐户有哪些角色?
--query="policy:123-compute@developer.gserviceaccount.com"
哪些资源是公开共享的?
Which resources are shared publicly?
--query="policy:(allUsers OR allAuthenticatedUsers)"
政策中是否有已删除的帐户?
Are there deleted accounts in policies?
--query="policy:deleted"
amy@bar.com 是否出现在任何政策中?
Does amy@bar.com appear in any policy?
--query="policy:amy@bar.com"
amy@bar.com 是否具有所有者角色?
Does amy@bar.com have the Owner role?
--query="policy:(roles/owner amy@bar.com)"
如何查找给定资源类型(例如项目)的所有 IAM 策略?
How to find all the IAM policies for a given resource type (e.g., projects)?
--query="policy:roles/owner resource://cloudresourcemanager.googleapis.com/projects"
是否有任何 Gmail 帐户具有所有者角色?
Is there any gmail account having the role Owner?
`--query="policy:(roles/owner *gmail*)"
您可以将范围更改为文件夹或项目.
You can change the scope to a folder or a project.
要使用该命令,您必须:
To use the command, you must:
启用 云资产 API,以及
对包含在这些角色中的范围拥有 cloudasset.assets.searchAllIamPolicies
权限:
Have cloudasset.assets.searchAllIamPolicies
permission upon the scope, which is included in these roles:
- roles/cloudasset.viewer
- roles/cloudasset.owner
- 角色/查看者
- 角色/编辑
- 角色/所有者
文档:
- 更多 gcloud 示例:https://cloud.google.com/asset-inventory/docs/searching-iam-policies-samples
- 指南:https://cloud.google.com/asset-inventory/docs/searching-iam-policies
- API 参考:https://cloud.google.com/asset-inventory/docs/reference/rest/v1p1beta1/iamPolicies/searchAll
- 可搜索的资源类型:https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types
这篇关于如何在谷歌云平台 (GCP) 中跨服务 (API)、资源类型和项目列出、查找或搜索 iam 策略?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!