cloud engineer
by Ulysses
You can monitor the success or failure of a service account in GCP.
gcloud policy-intelligence query-activity \ --activity-type=ACTIVITY_TYPE \ --project=PROJECT_ID \ --limit=LIMIT |
gcloud policy-intelligence query-activity \ --activity-type=ACTIVITY_TYPE \ --project=PROJECT_ID \ --limit=LIMIT
The two options you can use for ACTIVITY_TYPE are:
by Ulysses
How to list all the keys of a GCP service account.
gcloud iam service-accounts keys list \ --iam-account=your-service-account@your-project-id.iam.gserviceaccount.com \ --project project-id |
gcloud iam service-accounts keys list \ --iam-account=your-service-account@your-project-id.iam.gserviceaccount.com \ --project project-id
Result. Keys are redacted.
KEY_ID CREATED_AT EXPIRES_AT DISABLED xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 2022-01-10T19:21:18Z 2022-01-26T19:21:18Z xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 2022-01-19T00:06:49Z 2022-02-04T00:06:49Z |
KEY_ID CREATED_AT EXPIRES_AT DISABLED xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 2022-01-10T19:21:18Z 2022-01-26T19:21:18Z xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 2022-01-19T00:06:49Z 2022-02-04T00:06:49Z
by Ulysses
How to activate a GCP service account for other users in Linux.
First generate a key for the service account. Save as key.json.
Login to the server as that user and copy the key there. Activate the service account.
$ gcloud auth activate-service-account [ACCOUNT] --key-file=key.json |
$ gcloud auth activate-service-account [ACCOUNT] --key-file=key.json
Once authenticated, you should be able to check if service account is active.
$ gcloud config list |
$ gcloud config list
A better option without needing a key.
gcloud config set core/account service-account@project-id.iam.gserviceaccount.com |
gcloud config set core/account service-account@project-id.iam.gserviceaccount.com
by Ulysses
How to display roles assigned to a GCP service account.
gcloud projects get-iam-policy your-project-id \ --flatten="bindings[].members" \ --format='table(bindings.role)' \ --filter="bindings.members:your-service-account@your-project.iam.gserviceaccount.com" |
gcloud projects get-iam-policy your-project-id \ --flatten="bindings[].members" \ --format='table(bindings.role)' \ --filter="bindings.members:your-service-account@your-project.iam.gserviceaccount.com"
Result
ROLE organizations/xxxxxxxxxxxxx/roles/role-name roles/compute.instanceAdmin.v1 roles/compute.networkViewer roles/logging.logWriter roles/monitoring.metricWriter |
ROLE organizations/xxxxxxxxxxxxx/roles/role-name roles/compute.instanceAdmin.v1 roles/compute.networkViewer roles/logging.logWriter roles/monitoring.metricWriter
by Ulysses
How to display a list service accounts in a GCP project.
gcloud iam service-accounts list --project your-project |
gcloud iam service-accounts list --project your-project
by Ulysses
Here’s how to list GCP firewall rules while filtering a service account. Output is exported as a CSV file.
gcloud compute firewall-rules list \ --project host-project \ --filter=service-account-name \ --format="csv( name, network, direction, priority, sourceRanges.list():label=SRC_RANGES, destinationRanges.list():label=DEST_RANGES, allowed[].map().firewall_rule().list():label=ALLOW, denied[].map().firewall_rule().list():label=DENY, sourceTags.list():label=SRC_TAGS, sourceServiceAccounts.list():label=SRC_SVC_ACCT, targetTags.list():label=TARGET_TAGS, targetServiceAccounts.list():label=TARGET_SVC_ACCT, disabled)" \ > export.csv |
gcloud compute firewall-rules list \ --project host-project \ --filter=service-account-name \ --format="csv( name, network, direction, priority, sourceRanges.list():label=SRC_RANGES, destinationRanges.list():label=DEST_RANGES, allowed[].map().firewall_rule().list():label=ALLOW, denied[].map().firewall_rule().list():label=DENY, sourceTags.list():label=SRC_TAGS, sourceServiceAccounts.list():label=SRC_SVC_ACCT, targetTags.list():label=TARGET_TAGS, targetServiceAccounts.list():label=TARGET_SVC_ACCT, disabled)" \ > export.csv
by Ulysses
GCP recently added Instance Schedule to its console.
To configure, perform the following.
– Create an instance schedule.
– Add instance(s) to a schedule.
– If no errors, the service account has the correct permissions.
The service account used by Instance Schedule is owned by GCP and is not visible in the GCP console.
If service account has no permissions, the you must perform the following.
– Create a custom role with compute.instances.start and compute.instances.stop permissions.
– Add custom role to the service account.
Finally, validate instances are starting and stopping based on schedule.
by Ulysses
Here’s the command to authenticate as a service account.
gcloud auth activate-service-account --key-file=key.json |
gcloud auth activate-service-account --key-file=key.json
To log out.
gcloud auth revoke |
gcloud auth revoke