
Uly.me

cloud engineer

  • Home
  • About
  • Archives

service account

GCP Create Service Account via Terraform

June 27, 2022

How to create a service account in GCP with Terraform. This creates only the identity; grant it roles in a separate IAM binding resource so the account starts with no permissions.

# The project that will own the service account.
provider "google" {
  project = "your-project-id"
}

# account_id becomes the local part of the account's email:
# your-service-account-name@your-project-id.iam.gserviceaccount.com
# (6-30 characters, lowercase letters, digits and hyphens).
resource "google_service_account" "service_account" {
  account_id   = "your-service-account-name"
  display_name = "test service account built by terraform"
}


Filed Under: Cloud Tagged With: create, gcp, service account, terraform

GCP Monitor Service Account

February 24, 2022

You can find out when a service account, or one of its keys, last authenticated in GCP. That tells you whether the account is actually in use, which is the question to answer before removing a key or an account.

gcloud policy-intelligence query-activity \
--activity-type=ACTIVITY_TYPE \
--project=PROJECT_ID \
--limit=LIMIT


The two values you can use for ACTIVITY_TYPE are:

  • serviceAccountKeyLastAuthentication
  • serviceAccountLastAuthentication

The output reports the last authentication time per account or per key. A key or account with no authentication in the observation window is a candidate for disabling first, and deleting once nothing breaks.

Filed Under: Cloud Tagged With: gcp, keys, monitor, service account

GCP List Keys of Service Account

January 26, 2022

How to list all the keys of a GCP service account. The list includes both Google-managed keys (rotated by Google, cannot be deleted) and user-managed keys (the downloadable, long-lived ones). Add --managed-by=user to see only the user-managed keys.

gcloud iam service-accounts keys list \
--iam-account=your-service-account@your-project-id.iam.gserviceaccount.com \
--project=your-project-id


Result. Keys are redacted.

KEY_ID                                    CREATED_AT            EXPIRES_AT            DISABLED
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  2022-01-10T19:21:18Z  2022-01-26T19:21:18Z
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  2022-01-19T00:06:49Z  2022-02-04T00:06:49Z
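The two commands above (last authentication from query-activity, key inventory from keys list) are most useful when combined: a user-managed key that never expires, is older than your rotation period, or has not authenticated recently should be disabled and then deleted. The script below is an added example and not part of the original posts. The key fields follow the IAM ServiceAccountKey resource returned by `gcloud iam service-accounts keys list --format=json`; the LAST_AUTH map is constructed to stand in for the per-key last-authentication times from query-activity, and joining the two on key id is this example's assumption.

```python
"""Key-hygiene check over keys-list JSON plus last-authentication times.

Added example, not from the original posts. Field names follow the IAM
ServiceAccountKey resource (name, keyType, validAfterTime, validBeforeTime,
disabled). LAST_AUTH is constructed to stand in for the lastAuthenticatedTime
that `gcloud policy-intelligence query-activity` reports; joining on key id
is this example's assumption.
"""
import json
from datetime import datetime, timedelta

# Constructed sample: what `keys list --format=json` returns for one account.
KEYS_JSON = """
[
  {"name": "projects/p/serviceAccounts/sa@p.iam.gserviceaccount.com/keys/aaaa1111",
   "keyType": "SYSTEM_MANAGED",
   "validAfterTime": "2022-01-10T19:21:18Z", "validBeforeTime": "2022-01-26T19:21:18Z"},
  {"name": "projects/p/serviceAccounts/sa@p.iam.gserviceaccount.com/keys/bbbb2222",
   "keyType": "USER_MANAGED",
   "validAfterTime": "2021-06-01T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/p/serviceAccounts/sa@p.iam.gserviceaccount.com/keys/cccc3333",
   "keyType": "USER_MANAGED", "disabled": true,
   "validAfterTime": "2022-01-19T00:06:49Z", "validBeforeTime": "2022-02-04T00:06:49Z"}
]
"""

# Constructed: key id -> last authentication time (None = never observed).
LAST_AUTH = {
    "aaaa1111": "2022-01-25T08:00:00Z",
    "bbbb2222": None,
    "cccc3333": "2022-01-20T00:00:00Z",
}

# Keys created without an expiry carry this sentinel as validBeforeTime.
NO_EXPIRY = "9999-12-31T23:59:59Z"


def parse_ts(ts):
    """RFC 3339 with trailing Z -> aware datetime (fromisoformat wants +00:00)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def key_id(name):
    """Last path element of projects/.../keys/KEY_ID."""
    return name.rsplit("/", 1)[-1]


def audit_keys(keys_json, last_auth, now, max_age_days=90, max_idle_days=90):
    """Return {key_id: [flags]} for every user-managed key.

    SYSTEM_MANAGED keys are skipped: Google rotates them and you cannot
    delete them. USER_MANAGED keys are the downloadable, long-lived
    credentials worth rotating or removing.
    """
    now = parse_ts(now) if isinstance(now, str) else now
    report = {}
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue
        kid = key_id(key["name"])
        flags = []
        if key.get("disabled"):
            flags.append("disabled")
        if key["validBeforeTime"] == NO_EXPIRY:
            flags.append("never-expires")
        elif parse_ts(key["validBeforeTime"]) < now:
            flags.append("expired")
        if now - parse_ts(key["validAfterTime"]) > timedelta(days=max_age_days):
            flags.append("older-than-%dd" % max_age_days)
        seen = last_auth.get(kid)
        if seen is None:
            flags.append("never-used")
        elif now - parse_ts(seen) > timedelta(days=max_idle_days):
            flags.append("idle-%dd" % max_idle_days)
        report[kid] = flags
    return report


if __name__ == "__main__":
    # Fixed "now" so the sample output is reproducible.
    for kid, flags in audit_keys(KEYS_JSON, LAST_AUTH, "2022-02-10T00:00:00Z").items():
        print(kid, ", ".join(flags) or "ok")
```

To run it against a real account, replace KEYS_JSON with the output of the keys list command plus --format=json, and fill LAST_AUTH from query-activity. A key that is both "never-expires" and "never-used" is the typical finding: created for a one-off task and forgotten.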


Filed Under: Cloud Tagged With: gcp, keys, list, service account

GCP Activate Service Account

December 10, 2021

How to activate a GCP service account for another Linux user.

First generate a key for the service account and save it as key.json. The key is a long-lived credential: keep it readable only by that user (chmod 600), never commit it, and delete it from the server and from IAM once it is no longer needed.

Log in to the server as that user, copy the key there and activate the service account.

$ gcloud auth activate-service-account [ACCOUNT] --key-file=key.json


Once authenticated, check that the service account is now the active account.

$ gcloud config list


A better option that needs no downloaded key. When the machine already has credentials for the service account, which is the case on a Compute Engine VM with that service account attached, just make it the active account; gcloud auth list shows which accounts are available. Setting the account alone does not authenticate anything, so this only works where such credentials exist.

gcloud config set core/account service-account@project-id.iam.gserviceaccount.com


Filed Under: Cloud Tagged With: activate, gcp, json, key, service account

GCP Display Roles on Service Account

October 6, 2021

How to display the roles assigned to a GCP service account in a project's IAM policy. This shows project-level bindings only; roles inherited from a folder or organization, or granted on an individual resource such as a bucket, do not appear here.

gcloud projects get-iam-policy your-project-id \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:your-service-account@your-project-id.iam.gserviceaccount.com"


Result

ROLE
organizations/xxxxxxxxxxxxx/roles/role-name
roles/compute.instanceAdmin.v1
roles/compute.networkViewer
roles/logging.logWriter
roles/monitoring.metricWriter
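The gcloud command prints the roles but leaves the judgement to you. The script below, an added example and not part of the original post, does the same selection over `gcloud projects get-iam-policy PROJECT --format=json` and then flags what a reviewer would look for: basic roles (owner/editor/viewer), roles that allow impersonating other service accounts, and conditional bindings. The policy shape (bindings[].role, bindings[].members, optional bindings[].condition) is the standard IAM policy JSON; the sample policy, the org id placeholder and the lists of roles to flag are this example's own.

```python
"""Review one member's roles from `gcloud projects get-iam-policy --format=json`.

Added example, not from the original post. The policy shape is the standard
IAM policy JSON; the sample data and the role lists to flag are this
example's own choices.
"""
import json

# Constructed sample policy. ORG_ID and the account names are placeholders.
POLICY_JSON = """
{
  "version": 3,
  "etag": "BwXYZ",
  "bindings": [
    {"role": "organizations/ORG_ID/roles/role-name",
     "members": ["serviceAccount:your-service-account@your-project-id.iam.gserviceaccount.com"]},
    {"role": "roles/compute.instanceAdmin.v1",
     "members": ["serviceAccount:your-service-account@your-project-id.iam.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/compute.networkViewer",
     "members": ["serviceAccount:your-service-account@your-project-id.iam.gserviceaccount.com"]},
    {"role": "roles/logging.logWriter",
     "members": ["serviceAccount:your-service-account@your-project-id.iam.gserviceaccount.com"]},
    {"role": "roles/monitoring.metricWriter",
     "members": ["serviceAccount:your-service-account@your-project-id.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:legacy@your-project-id.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["user:bob@example.com"],
     "condition": {"title": "temp-access",
                   "expression": "request.time < timestamp('2022-03-01T00:00:00Z')"}}
  ]
}
"""

# Basic roles are far broader than any single workload needs.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Roles that let the holder act as, or mint credentials for, service accounts.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountKeyAdmin",
    "roles/iam.serviceAccountAdmin",
}
MEMBER_PREFIXES = ("user:", "serviceAccount:", "group:", "domain:",
                   "allUsers", "allAuthenticatedUsers")


def bindings_for_member(policy, member):
    """Same selection as --flatten="bindings[].members" plus a member filter.

    Policy members always carry a type prefix (serviceAccount:, user:, ...).
    gcloud's ':' filter happens to match a bare email; exact matching here
    does not, so insist on the prefix.
    """
    if not member.startswith(MEMBER_PREFIXES):
        raise ValueError("member needs a type prefix, e.g. serviceAccount:" + member)
    return [b for b in policy.get("bindings", []) if member in b.get("members", [])]


def review_member(policy_json, member):
    """Return {"roles": sorted roles, "findings": review notes} for one member."""
    bindings = bindings_for_member(json.loads(policy_json), member)
    findings = []
    for b in bindings:
        role = b["role"]
        if role in BASIC_ROLES:
            findings.append("%s: basic role, replace with a predefined or custom role" % role)
        if role in IMPERSONATION_ROLES:
            findings.append("%s: allows acting as other service accounts" % role)
        if "condition" in b:
            findings.append("%s: conditional (%s)" % (role, b["condition"].get("title", "untitled")))
    return {"roles": sorted(b["role"] for b in bindings), "findings": findings}


def public_bindings(policy_json):
    """Roles granted to everyone on the internet or to any Google account."""
    return sorted(b["role"] for b in json.loads(policy_json).get("bindings", [])
                  if {"allUsers", "allAuthenticatedUsers"} & set(b.get("members", [])))


if __name__ == "__main__":
    sa = "serviceAccount:your-service-account@your-project-id.iam.gserviceaccount.com"
    result = review_member(POLICY_JSON, sa)
    print("\n".join(result["roles"]))
    print("\n".join(result["findings"]) or "no findings")
```

Run it over the real policy by saving get-iam-policy output with --format=json and passing the serviceAccount:-prefixed email; repeat at folder and organization level, since those bindings are inherited but never show up in the project policy.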


Filed Under: Cloud Tagged With: display, gcp, project, roles, service account

GCP List Service Accounts in Project

October 6, 2021

How to list the service accounts in a GCP project.

gcloud iam service-accounts list --project your-project


Filed Under: Cloud Tagged With: gcp, list, service account

GCP List Firewall Rules

September 10, 2021

Here's how to list the GCP firewall rules that reference a service account, exported as a CSV file. The filter matches rules whose targetServiceAccounts contain the account; swap in sourceServiceAccounts to find rules that match traffic coming from its instances. Rules with no target at all apply to every instance in the network, including this account's, and will not appear in this output.

gcloud compute firewall-rules list \
--project host-project \
--filter="targetServiceAccounts:service-account@host-project.iam.gserviceaccount.com" \
--format="csv(
name,
network,
direction,
priority,
sourceRanges.list():label=SRC_RANGES,
destinationRanges.list():label=DEST_RANGES,
allowed[].map().firewall_rule().list():label=ALLOW,
denied[].map().firewall_rule().list():label=DENY,
sourceTags.list():label=SRC_TAGS,
sourceServiceAccounts.list():label=SRC_SVC_ACCT,
targetTags.list():label=TARGET_TAGS,
targetServiceAccounts.list():label=TARGET_SVC_ACCT,
disabled)" \
> export.csv
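Once the rules are exported, the review question is which of them expose instances to the internet. The script below is an added example, not code from the original post: it reads `gcloud compute firewall-rules list --format=json` output, reproduces the service-account filter explicitly (target or source), and flags ingress allow rules whose source is 0.0.0.0/0 or ::/0, noting when they also open all protocols, apply to every instance, or are merely disabled rather than deleted. The field names are those of the Compute Engine firewall resource, the same fields the CSV format string selects; the sample rules and the risk criteria are constructed for this example.

```python
"""Filter and review firewall rules from `gcloud compute firewall-rules list --format=json`.

Added example, not from the original post. Field names (direction, priority,
sourceRanges, allowed[].IPProtocol/ports, targetServiceAccounts, disabled)
are those of the Compute Engine firewall resource; the sample rules and the
risk criteria are this example's own.
"""
import json

# Constructed sample; network names shortened, account names are placeholders.
RULES_JSON = """
[
  {"name": "allow-ssh-from-anywhere", "network": "default", "direction": "INGRESS",
   "priority": 1000, "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "disabled": false},
  {"name": "allow-internal-web", "network": "default", "direction": "INGRESS",
   "priority": 1000, "sourceRanges": ["10.0.0.0/8"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}],
   "targetServiceAccounts": ["web-sa@host-project.iam.gserviceaccount.com"],
   "disabled": false},
  {"name": "allow-all-disabled", "network": "default", "direction": "INGRESS",
   "priority": 65534, "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "all"}], "disabled": true},
  {"name": "deny-egress-web", "network": "default", "direction": "EGRESS",
   "priority": 900, "destinationRanges": ["0.0.0.0/0"],
   "denied": [{"IPProtocol": "all"}],
   "targetServiceAccounts": ["web-sa@host-project.iam.gserviceaccount.com"],
   "disabled": false}
]
"""

# Source ranges that mean "the whole internet".
ANYWHERE = {"0.0.0.0/0", "::/0"}


def rules_for_service_account(rules_json, sa_email):
    """Names of rules that target, or are sourced from, the service account.

    Explicit form of the post's --filter: the account can appear in
    targetServiceAccounts (rule applies to its instances) or in
    sourceServiceAccounts (rule matches traffic from its instances).
    """
    return [r["name"] for r in json.loads(rules_json)
            if sa_email in r.get("targetServiceAccounts", [])
            or sa_email in r.get("sourceServiceAccounts", [])]


def risky_ingress(rules_json):
    """Ingress allow rules reachable from the internet, each with its reasons."""
    findings = []
    for r in json.loads(rules_json):
        if r.get("direction") != "INGRESS" or "allowed" not in r:
            continue
        if not (ANYWHERE & set(r.get("sourceRanges", []))):
            continue  # only internet-exposed rules are flagged here
        reasons = ["source open to the internet"]
        if any(a.get("IPProtocol") == "all" for a in r["allowed"]):
            reasons.append("all protocols and ports")
        if not r.get("targetTags") and not r.get("targetServiceAccounts"):
            reasons.append("applies to every instance in the network")
        if r.get("disabled"):
            reasons.append("disabled, takes effect the moment it is re-enabled")
        findings.append({"name": r["name"], "priority": r.get("priority", 1000),
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    sa = "web-sa@host-project.iam.gserviceaccount.com"
    print("rules referencing", sa, rules_for_service_account(RULES_JSON, sa))
    for f in risky_ingress(RULES_JSON):
        print("%s (priority %d): %s" % (f["name"], f["priority"], "; ".join(f["reasons"])))
```

Feed it the real export by adding --format=json to the list command and dropping the --filter, so that the untargeted rules the CSV export misses are included in the review.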


Filed Under: Cloud Tagged With: filter, firewall, gcp, list, rules, service account

GCP Instance Scheduler

May 28, 2021

GCP recently added instance schedules to its console.

To configure one, perform the following.

– Create an instance schedule.
– Add instance(s) to the schedule.
– If there are no errors, the service account has the correct permissions.

The service account used by instance schedules is a Google-managed service agent (service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com); it is owned by GCP and hidden in the console's IAM page by default.

If the service account has no permissions, then you must perform the following.

– Create a custom role with only the compute.instances.start and compute.instances.stop permissions.
– Grant the custom role to the service account.

Finally, validate that instances are starting and stopping according to the schedule.

Filed Under: Cloud Tagged With: configuration, gcp, instance schedule, service account


Copyright © 2023