I need to get all the properties of the service accounts in Google Cloud. Is it possible to list all properties, like a `Select *`?
Otherwise I need the following information:
I can get all projects and then all the service accounts in them, but I don't know how to get all the other values.
foreach ($project in gcloud projects list --format="value(projectId)")
{
    Write-Host "ProjectId: $project"
    foreach ($robot in gcloud iam service-accounts list --project $project --format="value(email)")
    {
        Write-Host " -> Robot $robot"
    }
}
As the commenter pointed out, this isn't trivial.
However, I'm always up for a bit of gcloud-bashing ;-)
Your code sample suggests you want an answer in PowerShell, which I don't have; I hope you don't mind pointers in bash (the following is incomplete):
PROJECTS=$(gcloud projects list --format="value(projectId)")
for PROJECT in ${PROJECTS}
do
  echo "Project: ${PROJECT}"
  # Extracts ACCOUNT_ID, EMAIL (==ACCOUNT_ID@...), DISABLED
  ROBOTS=$(\
    gcloud iam service-accounts list \
    --project=${PROJECT} \
    --format="csv[no-heading](displayName.encode(\"base64\"),email,email.split(\"@\").slice(0),disabled)")
  for ROBOT in ${ROBOTS}
  do
    # Parse results (IFS=, applies to this read only)
    IFS=, read ENCODED_NAME EMAIL ACCOUNT_ID DISABLED <<< "${ROBOT}"
    NAME=$(echo -e ${ENCODED_NAME} | base64 --decode)
    echo "  Service Account: ${NAME}"
    echo "  Disabled: ${DISABLED}"
    echo "  Email: ${EMAIL}"
    # Keys
    KEYS=$(\
      gcloud iam service-accounts keys list \
      --iam-account=${EMAIL} \
      --project=${PROJECT} \
      --format="value(name.scope(keys))")
    for KEY in ${KEYS}
    do
      echo "  Key: ${KEY}"
    done
    # Creation (Only searches back 30-days!)
    FILTER="logName=\"projects/${PROJECT}/logs/cloudaudit.googleapis.com%2Factivity\" "
    FILTER+="resource.type=\"service_account\" "
    FILTER+="protoPayload.methodName=\"google.iam.admin.v1.CreateServiceAccount\" "
    FILTER+="protoPayload.request.account_id=\"${ACCOUNT_ID}\" "
    # Only one --format may apply; value(timestamp) gives the creation time directly
    LOG=$(\
      gcloud logging read "${FILTER}" \
      --project=${PROJECT} \
      --freshness=30d \
      --format="value(timestamp)")
    echo "  Created: ${LOG}"
  done
done
Notes

CreateServiceAccount[Key]). A challenge with this is that you have to go back through the project's (entire) history to find them.
Apologies for the crude base64 encoding of displayName. It's there to avoid over-eager word-splitting of the (mostly) space-containing names. There may be a better way.

Taking @DazWilin's excellent script, with a few mods it produces a service account register, or CSV file, of all service accounts including their descriptions and keys. Removing the log scraping speeds it up.
#! /bin/bash
# Requires permission to list projects, list service accounts, view keys
if [ $# -lt 1 ]
then
  echo "usage: $0 csv_output_file"
  exit 1
fi
OUTFILE=$1
# Project filter; replace 'prefix' with your own (e.g. projectId:my-org*)
FILTER='prefix'
PROJECTS=$(gcloud projects list --format="value(projectId)" --sort-by=projectId --filter="${FILTER}")
echo "Project,ServiceAccountName,Account Name,Email,Description,key_id,key_created_at,key_expires_at" > "${OUTFILE}"
for PROJECT in ${PROJECTS}
do
  echo "Project: ${PROJECT}"
  # Extracts ACCOUNT_ID, EMAIL (==ACCOUNT_ID@...), DISABLED, DESCRIPTION
  ROBOTS=$(\
    gcloud iam service-accounts list \
    --project=${PROJECT} \
    --format="csv[no-heading](displayName.encode(\"base64\"),email,email.split(\"@\").slice(0),disabled,description.encode(\"base64\"))")
  for ROBOT in ${ROBOTS}
  do
    # Parse results (base64 keeps names/descriptions with spaces in one field)
    IFS=, read ENCODED_NAME EMAIL ACCOUNT_ID DISABLED ENCODED_DESCR <<< "${ROBOT}"
    NAME=$(echo -e ${ENCODED_NAME} | base64 --decode)
    DESCR=$(echo -e ${ENCODED_DESCR} | base64 --decode)
    echo "  Service Account: ${NAME}"
    echo "  Disabled: ${DISABLED}"
    echo "  Email: ${EMAIL}"
    echo "  Descr: ${DESCR}"
    # One CSV row per key: key_id,key_created_at,key_expires_at
    gcloud iam service-accounts keys list \
      --iam-account=${EMAIL} \
      --project=${PROJECT} \
      --format="csv[no-heading](name.scope(keys),validAfterTime,validBeforeTime)" |
    while IFS= read -r row
    do
      echo "${PROJECT},${NAME},${ACCOUNT_ID},${EMAIL},${DESCR},${row}" >> "${OUTFILE}"
    done
  done
done
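The base64 trick in both scripts keeps a display name with spaces in one field, but a name or description containing a comma or a double quote still corrupts the CSV the second script writes. The following is an added example, not code from either answer: it decodes rows of the shape the scripts request from `csv[no-heading]` and writes RFC 4180-style quoted CSV; `csv_quote`, `b64dec`, `registry_row`, `build_registry` and the "demo-project" sample accounts are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: turn rows shaped like the scripts' csv[no-heading] output
# (displayName.encode("base64"),email,disabled,description.encode("base64"))
# into quoted CSV. Helper names and sample data are constructed, not gcloud output.

# Quote one CSV field: wrap in double quotes and double any embedded quotes.
csv_quote() {
  local s=$1
  s=${s//\"/\"\"}
  printf '"%s"' "$s"
}

# Decode a base64 field; an empty field (e.g. no description) stays empty.
b64dec() {
  if [ -n "$1" ]; then printf '%s' "$1" | base64 -d; fi
}

# Emit one quoted registry row for a project and one gcloud csv row.
registry_row() {
  local project=$1 row=$2 enc_name email disabled enc_descr
  IFS=, read -r enc_name email disabled enc_descr <<< "$row"
  local name descr account_id
  name=$(b64dec "$enc_name")
  descr=$(b64dec "$enc_descr")
  account_id=${email%%@*}            # same value as the email.split("@") field
  printf '%s,%s,%s,%s,%s,%s\n' \
    "$(csv_quote "$project")" "$(csv_quote "$account_id")" "$(csv_quote "$email")" \
    "$(csv_quote "$name")" "$(csv_quote "$disabled")" "$(csv_quote "$descr")"
}

# Constructed sample rows for a hypothetical project "demo-project": the first
# account has a comma in its display name and quotes in its description.
ENC_NAME1=$(printf 'Backup, nightly' | base64)
ENC_DESCR1=$(printf 'Has "quotes" in it' | base64)
ENC_NAME2=$(printf 'plain' | base64)
SAMPLE_ROWS="${ENC_NAME1},backup@demo-project.iam.gserviceaccount.com,False,${ENC_DESCR1}
${ENC_NAME2},ci@demo-project.iam.gserviceaccount.com,True,"

# Header plus one row per sample service account.
build_registry() {
  echo 'Project,AccountId,Email,DisplayName,Disabled,Description'
  while IFS= read -r row; do
    if [ -n "$row" ]; then registry_row demo-project "$row"; fi
  done <<< "$SAMPLE_ROWS"
}

build_registry
```

In the real script the `while` loop would read the output of `gcloud iam service-accounts list` instead of `SAMPLE_ROWS`.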