How to list, find or search IAM policies across services (APIs), resource types and projects in Google Cloud Platform (GCP)?
In Google Cloud Platform (GCP), you can only get the IAM policy for a specific resource by calling getIamPolicy (get-iam-policy in gcloud).
Is there a way to list, search, or find IAM policies across resources, services, or projects?
This is needed to answer questions like:
- What roles does a service account have?
- Which resources are shared publicly?
- Do policies contain deleted users?
- Does a user still appear in any policies after they leave my company?
- Does a user have a given role?
You can use search-all-iam-policies to search all the IAM policies across services, resource types, projects within a project, folder, or organization.
To browse policies in a project with number 123 (note that only policies for the listed resource types are supported):
gcloud beta asset search-all-iam-policies --scope=projects/123
To find out who has the role Owner in an organization with number 456:
gcloud beta asset search-all-iam-policies --scope=organizations/456 --query="policy:roles/owner"
To find out which roles a service account has:
--query="policy:[email protected]"
To find out which resources are shared publicly:
--query="policy:(allUsers OR allAuthenticatedUsers)"
To find out whether policies contain deleted accounts:
--query="policy:deleted"
To find out whether [email protected] appears in any policy:
--query="policy:[email protected]"
To find out whether [email protected] has the role Owner:
--query="policy:(roles/owner [email protected])"
To only look at IAM policies for a given resource type (e.g., projects):
--query="policy:roles/owner resource://cloudresourcemanager.googleapis.com/projects"
To find out whether any gmail account has the role Owner:
--query="policy:(roles/owner *gmail*)"
You can change the scope to a folder or a project.
To use the command, you must:
- Enable Cloud Asset API, and
- Have the cloudasset.assets.searchAllIamPolicies permission upon the scope, which is included in these roles:
  - roles/cloudasset.viewer
  - roles/cloudasset.owner
  - roles/viewer
  - roles/editor
  - roles/owner
Documentation: https://cloud.google.com/asset-inventory/docs/searching-iam-policies
Supported resource types: https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types
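The queries above answer each question one at a time; the following added example (not part of the original answer) audits a saved `--format=json` run of the same command offline and answers all of them in one pass: public sharing, deleted principals, Gmail owners, and the roles held by each member. It assumes the output follows the IamPolicySearchResult shape (`resource`, `project`, `policy.bindings`); the embedded sample is constructed, not real output.

```python
import json
from collections import defaultdict

# Constructed sample shaped like `gcloud beta asset search-all-iam-policies
# --scope=projects/123 --format=json` output (assumed IamPolicySearchResult
# fields: resource, project, policy.bindings). Not real data.
SAMPLE_JSON = """
[
  {"resource": "//cloudresourcemanager.googleapis.com/projects/123",
   "project": "projects/123",
   "policy": {"bindings": [
     {"role": "roles/owner",
      "members": ["user:alice@example.com", "user:bob@gmail.com"]},
     {"role": "roles/viewer",
      "members": ["deleted:user:carol@example.com?uid=111"]}]}},
  {"resource": "//storage.googleapis.com/projects/_/buckets/public-bucket",
   "project": "projects/123",
   "policy": {"bindings": [
     {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
     {"role": "roles/storage.admin",
      "members": ["serviceAccount:sa@123.iam.gserviceaccount.com"]}]}}
]
"""

PUBLIC = {"allUsers", "allAuthenticatedUsers"}


def bindings(results):
    """Flatten search results into (resource, role, member) triples."""
    for r in results:
        for b in r.get("policy", {}).get("bindings", []):
            for m in b.get("members", []):
                yield r["resource"], b["role"], m


def audit(results):
    """Return (findings by category, sorted roles per member)."""
    findings = defaultdict(list)
    roles_by_member = defaultdict(set)
    for resource, role, member in bindings(results):
        roles_by_member[member].add(role)
        if member in PUBLIC:                      # shared publicly
            findings["public"].append((resource, role, member))
        if member.startswith("deleted:"):         # stale principal left behind
            findings["deleted"].append((resource, role, member))
        if role == "roles/owner" and member.lower().endswith("@gmail.com"):
            findings["gmail_owner"].append((resource, member))
    return dict(findings), {k: sorted(v) for k, v in roles_by_member.items()}


def load(text):
    """Parse the JSON array that gcloud prints with --format=json."""
    return json.loads(text)
```

Feed it the real output with `gcloud beta asset search-all-iam-policies --scope=... --format=json > policies.json` and call `audit(load(open("policies.json").read()))`.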