cloud engineer
How to create service account in GCP via Terraform.
provider "google" { project = "your_project_id" } resource "google_service_account" "service_account" { account_id = "your-service-account-name" display_name = "test service account built by terraform" } |
provider "google" { project = "your_project_id" } resource "google_service_account" "service_account" { account_id = "your-service-account-name" display_name = "test service account built by terraform" }
You can monitor the success or failure of a service account in GCP.
gcloud policy-intelligence query-activity \ --activity-type=ACTIVITY_TYPE \ --project=PROJECT_ID \ --limit=LIMIT |
gcloud policy-intelligence query-activity \ --activity-type=ACTIVITY_TYPE \ --project=PROJECT_ID \ --limit=LIMIT
The two options you can use for ACTIVITY_TYPE are:
How to list all the keys of a GCP service account.
gcloud iam service-accounts keys list \ --iam-account=your-service-account@your-project-id.iam.gserviceaccount.com \ --project project-id |
gcloud iam service-accounts keys list \ --iam-account=your-service-account@your-project-id.iam.gserviceaccount.com \ --project project-id
Result. Keys are redacted.
KEY_ID CREATED_AT EXPIRES_AT DISABLED xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 2022-01-10T19:21:18Z 2022-01-26T19:21:18Z xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 2022-01-19T00:06:49Z 2022-02-04T00:06:49Z |
KEY_ID CREATED_AT EXPIRES_AT DISABLED xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 2022-01-10T19:21:18Z 2022-01-26T19:21:18Z xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 2022-01-19T00:06:49Z 2022-02-04T00:06:49Z
How to activate a GCP service account for other users in Linux.
First generate a key for the service account. Save as key.json.
Login to the server as that user and copy the key there. Activate the service account.
$ gcloud auth activate-service-account [ACCOUNT] --key-file=key.json |
$ gcloud auth activate-service-account [ACCOUNT] --key-file=key.json
Once authenticated, you should be able to check if service account is active.
$ gcloud config list |
$ gcloud config list
A better option without needing a key.
gcloud config set core/account service-account@project-id.iam.gserviceaccount.com |
gcloud config set core/account service-account@project-id.iam.gserviceaccount.com
How to display roles assigned to a GCP service account.
gcloud projects get-iam-policy your-project-id \ --flatten="bindings[].members" \ --format='table(bindings.role)' \ --filter="bindings.members:your-service-account@your-project.iam.gserviceaccount.com" |
gcloud projects get-iam-policy your-project-id \ --flatten="bindings[].members" \ --format='table(bindings.role)' \ --filter="bindings.members:your-service-account@your-project.iam.gserviceaccount.com"
Result
ROLE organizations/xxxxxxxxxxxxx/roles/role-name roles/compute.instanceAdmin.v1 roles/compute.networkViewer roles/logging.logWriter roles/monitoring.metricWriter |
ROLE organizations/xxxxxxxxxxxxx/roles/role-name roles/compute.instanceAdmin.v1 roles/compute.networkViewer roles/logging.logWriter roles/monitoring.metricWriter
How to display a list service accounts in a GCP project.
gcloud iam service-accounts list --project your-project |
gcloud iam service-accounts list --project your-project
Here’s how to list GCP firewall rules while filtering a service account. Output is exported as a CSV file.
gcloud compute firewall-rules list \ --project host-project \ --filter=service-account-name \ --format="csv( name, network, direction, priority, sourceRanges.list():label=SRC_RANGES, destinationRanges.list():label=DEST_RANGES, allowed[].map().firewall_rule().list():label=ALLOW, denied[].map().firewall_rule().list():label=DENY, sourceTags.list():label=SRC_TAGS, sourceServiceAccounts.list():label=SRC_SVC_ACCT, targetTags.list():label=TARGET_TAGS, targetServiceAccounts.list():label=TARGET_SVC_ACCT, disabled)" \ > export.csv |
gcloud compute firewall-rules list \ --project host-project \ --filter=service-account-name \ --format="csv( name, network, direction, priority, sourceRanges.list():label=SRC_RANGES, destinationRanges.list():label=DEST_RANGES, allowed[].map().firewall_rule().list():label=ALLOW, denied[].map().firewall_rule().list():label=DENY, sourceTags.list():label=SRC_TAGS, sourceServiceAccounts.list():label=SRC_SVC_ACCT, targetTags.list():label=TARGET_TAGS, targetServiceAccounts.list():label=TARGET_SVC_ACCT, disabled)" \ > export.csv
GCP recently added Instance Schedule to its console.
To configure, perform the following.
– Create an instance schedule.
– Add instance(s) to a schedule.
– If no errors, the service account has the correct permissions.
The service account used by Instance Schedule is owned by GCP and is not visible in the GCP console.
If service account has no permissions, the you must perform the following.
– Create a custom role with compute.instances.start and compute.instances.stop permissions.
– Add custom role to the service account.
Finally, validate instances are starting and stopping based on schedule.