IAM Custom Roles

Делаю!
30.05.2019


Взято отсюда:
https://www.qwiklabs.com/focuses/1035?parent=catalog


List predefined roles

$ gcloud iam roles list


Viewing the available permissions for a resource

$ echo $DEVSHELL_PROJECT_ID
qwiklabs-gcp-f9fcfa2b4bf50fb7


$ gcloud iam list-testable-permissions //cloudresourcemanager.googleapis.com/projects/$DEVSHELL_PROJECT_ID


Getting the role metadata

$ gcloud iam roles describe roles/viewer
$ gcloud iam roles describe roles/editor


Viewing the grantable roles on resources

$ gcloud iam list-grantable-roles //cloudresourcemanager.googleapis.com/projects/$DEVSHELL_PROJECT_ID


Creating a custom role

$ vi role-definition.yaml
title: "Role Editor"
description: "Edit access for App Versions"
stage: "ALPHA"
includedPermissions:
- appengine.versions.create
- appengine.versions.delete

$ gcloud iam roles create editor --project $DEVSHELL_PROJECT_ID \
--file role-definition.yaml


Create a custom role using flags

$ gcloud iam roles create viewer --project $DEVSHELL_PROJECT_ID \
--title "Role Viewer" --description "Custom role description." \
--permissions compute.instances.get,compute.instances.list --stage ALPHA


Listing the custom roles

$ gcloud iam roles list --project $DEVSHELL_PROJECT_ID
---
description: Edit access for App Versions
etag: BwWKG-vfYaM=
name: projects/qwiklabs-gcp-f9fcfa2b4bf50fb7/roles/editor
title: Role Editor
---
description: Custom role description.
etag: BwWKG-1zxk0=
name: projects/qwiklabs-gcp-f9fcfa2b4bf50fb7/roles/viewer
title: Role Viewer


$ gcloud iam roles list --project $DEVSHELL_PROJECT_ID --show-deleted


Editing an existing custom role

To update a custom role using a YAML file

// $ gcloud iam roles describe [ROLE_ID] --project $DEVSHELL_PROJECT_ID
$ gcloud iam roles describe editor --project $DEVSHELL_PROJECT_ID
description: Edit access for App Versions
etag: BwWKG-vfYaM=
includedPermissions:
- appengine.versions.create
- appengine.versions.delete
name: projects/qwiklabs-gcp-f9fcfa2b4bf50fb7/roles/editor
stage: ALPHA
title: Role Editor


$ vi new-role-definition.yaml

Вставляем содержимое предыдущего output. Добавляем:

  • storage.buckets.get
  • storage.buckets.list

Получаем:

description: Edit access for App Versions
etag: BwWKG-vfYaM=
includedPermissions:
- appengine.versions.create
- appengine.versions.delete
- storage.buckets.get
- storage.buckets.list
name: projects/qwiklabs-gcp-f9fcfa2b4bf50fb7/roles/editor
stage: ALPHA
title: Role Editor
// $ gcloud iam roles update [ROLE_ID] --project $DEVSHELL_PROJECT_ID
--file new-role-definition.yaml

$ gcloud iam roles update editor --project $DEVSHELL_PROJECT_ID \
--file new-role-definition.yaml


To update a custom role using flags

$ gcloud iam roles update viewer --project $DEVSHELL_PROJECT_ID \
--add-permissions storage.buckets.get,storage.buckets.list


Disabling a custom role

$ gcloud iam roles update viewer --project $DEVSHELL_PROJECT_ID \
--stage DISABLED


Deleting a custom role

$ gcloud iam roles delete viewer --project $DEVSHELL_PROJECT_ID


Undeleting a custom role

$ gcloud iam roles undelete viewer --project $DEVSHELL_PROJECT_ID


service-accounts

A service account is a special Google account that belongs to your application or a virtual machine (VM) instead of an individual end user. Your application uses the service account to call the Google API of a service, so that the users aren’t directly involved.

For example, a Compute Engine VM may run as a service account, and that account can be given permissions to access the resources it needs. This way the service account is the identity of the service, and the service account’s permissions control which resources the service can access.

A service account is identified by its email address, which is unique to the account.


iam service-accounts list

$ gcloud iam service-accounts list
NAME                                    EMAIL                                                                                DISABLED
Compute Engine default service account  [email protected]                                   False
marley                                  [email protected]                         False
ql-api                                  qwiklabs-gcp-f9fcfa2b4bf50fb7@qwiklabs-gcp-f9fcfa2b4bf50fb7.iam.gserviceaccount.com  False
App Engine default service account      [email protected]                            False


Create a service account

$ export PROJECT_ID=$(gcloud config get-value project)
$ export SERVICE_ACCOUNT=marley

$ export SERVICE_ACCOUNT_EMAIL=${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com

$ gcloud iam service-accounts create ${SERVICE_ACCOUNT} \
--display-name "GCP Service Account"


$ gcloud projects add-iam-policy-binding ${PROJECT_ID} --member \
serviceAccount:${SERVICE_ACCOUNT_EMAIL} \
--role=roles/owner

// Generate a credentials file for upload to the cluster:

$ export KEY_FILE=${HOME}/secrets/${SERVICE_ACCOUNT_EMAIL}.json

$ gcloud iam service-accounts keys create ${KEY_FILE} \
--iam-account ${SERVICE_ACCOUNT_EMAIL}