我对Python非常在行,目前我正尝试使用以下方法获取并过滤GCP上的get iam策略查询的结果:
from pprint import pprint
from googleapiclient import discovery
from oauth2client.client import GoogleCredentials
credentials = GoogleCredentials.get_application_default()
service = discovery.build('cloudresourcemanager', 'v1', credentials=credentials)
# REQUIRED: The resource for which the policy is being requested.
# See the operation documentation for the appropriate value for this field.
resource = 'my-resource' # TODO: Update placeholder value.
get_iam_policy_request_body = {
# TODO: Add desired entries to the request body.
}
request = service.projects().getIamPolicy(resource=resource, body=get_iam_policy_request_body)
response = request.execute()
pprint(response)
它工作得很好,我得到了这样的结果:
"version": 1,
"etag": "VfRwfrGwlFjdc=",
"bindings": [
{
"role": "roles/cloudasset.serviceAgent",
"members": [
"serviceAccount:service-999999999999@gcp-sa-cloudasset.iam.gserviceaccount.com"
]
},
{
"role": "roles/cloudbuild.builds.builder",
"members": [
"serviceAccount:999999999999@cloudbuild.gserviceaccount.com"
]
},
{
"role": "roles/cloudbuild.serviceAgent",
"members": [
"serviceAccount:service-999999999999@gcp-sa-cloudbuild.iam.gserviceaccount.com"
]
},
{
"role": "roles/cloudfunctions.serviceAgent",
"members": [
"serviceAccount:service-999999999999@gcf-admin-robot.iam.gserviceaccount.com"
]
},
{
"role": "roles/cloudsql.client",
"members": [
"serviceAccount:myproject-backup@myproject.iam.gserviceaccount.com"
]
},
{
"role": "roles/compute.serviceAgent",
"members": [
"serviceAccount:service-999999999999@compute-system.iam.gserviceaccount.com"
]
},
{
"role": "roles/container.serviceAgent",
"members": [
"serviceAccount:service-999999999999@container-engine-robot.iam.gserviceaccount.com"
]
},
{
"role": "roles/containeranalysis.ServiceAgent",
"members": [
"serviceAccount:service-999999999999@container-analysis.iam.gserviceaccount.com"
]
},
{
"role": "roles/containerscanning.ServiceAgent",
"members": [
"serviceAccount:service-999999999999@gcp-sa-containerscanning.iam.gserviceaccount.com"
]
},
{
"role": "roles/containerthreatdetection.serviceAgent",
"members": [
"serviceAccount:service-999999999999@gcp-sa-ktd-control.iam.gserviceaccount.com"
]
},
{
"role": "roles/editor",
"members": [
"serviceAccount:999999999999-compute@developer.gserviceaccount.com",
"serviceAccount:999999999999@cloudservices.gserviceaccount.com",
"serviceAccount:myproject@appspot.gserviceaccount.com",
"serviceAccount:service-999999999999@containerregistry.iam.gserviceaccount.com"
]
},
{
"role": "roles/owner",
"members": [
"serviceAccount:terraform@myproject.iam.gserviceaccount.com",
"user:myuser@acme.com"
]
},
{
"role": "roles/servicenetworking.serviceAgent",
"members": [
"serviceAccount:service-999999999999@service-networking.iam.gserviceaccount.com"
]
},
{
"role": "roles/websecurityscanner.serviceAgent",
"members": [
"serviceAccount:service-999999999999@gcp-sa-websecurityscanner.iam.gserviceaccount.com"
]
}
]
}
但我不知道如何进行筛选,以便只获取“角色/所有者”组的成员。就我而言:
{
"role": "roles/owner",
"members": [
"serviceAccount:terraform@myproject.iam.gserviceaccount.com",
"user:myuser@acme.com"
]
}
并将它们放入变量中,以便以后打印或重用
有人知道怎么做吗
祝你今天愉快
response
是一个dict,其中包含一个名为'bindings'
的键,它是dict的列表。DICT可以通过[]
访问,列表可以通过python核心库中的filter
过滤把这些放在一起,你可以做到:
请在现有代码中添加以下行:
如果您搜索IAM策略,我建议您使用Asset Inventory Search IAM policies。您可以在命令行中使用它,如下所示:
在python代码中like this
相关问题 更多 >
编程相关推荐