如何在谷歌云平台 (GCP) 中跨服务 (API)、资源类型和项目列出、查找或搜索 iam 策略? [英] How to list, find, or search iam policies across services (APIs), resource types, and projects in google cloud platform (GCP)?

问题描述

在 Google Cloud Platform (GCP) 中，您只能通过调用 getIamPolicy(gcloud 中的 get-iam-policy)来获取特定资源的 IAM 政策.

In Google Cloud Platform (GCP), you can only get the IAM policy for a specific resource by calling getIamPolicy (get-iam-policy in gcloud).

是否可以列出、搜索、列出、搜索或查找跨资源、服务或项目的 IAM 策略?

Is there a way to list, search, list, search, or find IAM policies across resources, services, or projects?

这需要回答以下问题:

• 服务帐号有哪些角色?
• 哪些资源是公开共享的?
• 政策是否包含已删除的用户?
• 用户离开我公司后是否仍会出现在任何政策中?
• 用户是否具有给定的角色?

推荐答案

您可以使用 search-all-iam-policies 在项目、文件夹或组织内跨服务、资源类型、项目搜索所有 IAM 策略.

You can use search-all-iam-policies to search all the IAM policies across services, resource types, projects within a project, folder, or organization.

要浏览编号为 123 的项目中的政策(请注意，只有 支持列出的资源类型):

To browse policies in a project with number 123 (note that only policies for the listed resource types are supported):

gcloud asset search-all-iam-policies --scope=projects/123

谁在我的组织中拥有所有者角色?

Who has the role Owner in my org?

gcloud asset search-all-iam-policies --scope=organizations/456 --query="policy:roles/owner"

谁可以更改我组织中的项目 IAM 政策?

Who can change project IAM policies in my org?

--query='policy.role.permissions:resourcemanager.projects.setIamPolicy'

帐户有哪些角色?

--query="policy:123-compute@developer.gserviceaccount.com"

哪些资源是公开共享的?

Which resources are shared publicly?

--query="policy:(allUsers OR allAuthenticatedUsers)"

政策中是否有已删除的帐户?

Are there deleted accounts in policies?

--query="policy:deleted"

amy@bar.com 是否出现在任何政策中?

Does amy@bar.com appear in any policy?

--query="policy:amy@bar.com"

amy@bar.com 是否具有所有者角色?

Does amy@bar.com have the Owner role?

--query="policy:(roles/owner amy@bar.com)"

如何查找给定资源类型(例如项目)的所有 IAM 策略?

How to find all the IAM policies for a given resource type (e.g., projects)?

--query="policy:roles/owner resource://cloudresourcemanager.googleapis.com/projects"

是否有任何 Gmail 帐户具有所有者角色?

Is there any gmail account having the role Owner?

`--query="policy:(roles/owner *gmail*)"

您可以将范围更改为文件夹或项目.

You can change the scope to a folder or a project.

要使用该命令，您必须:

To use the command, you must:

• 启用 云资产 API，以及

对包含在这些角色中的范围拥有 cloudasset.assets.searchAllIamPolicies 权限:

Have cloudasset.assets.searchAllIamPolicies permission upon the scope, which is included in these roles:

• roles/cloudasset.viewer
• roles/cloudasset.owner
• 角色/查看者
• 角色/编辑
• 角色/所有者

文档:

• 更多 gcloud 示例:https://cloud.google.com/asset-inventory/docs/searching-iam-policies-samples
• 指南:https://cloud.google.com/asset-inventory/docs/searching-iam-policies
• API 参考:https://cloud.google.com/asset-inventory/docs/reference/rest/v1p1beta1/iamPolicies/searchAll
• 可搜索的资源类型:https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types

这篇关于如何在谷歌云平台 (GCP) 中跨服务 (API)、资源类型和项目列出、查找或搜索 iam 策略?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！