英文:
GCP SDK API for Policy Analyzer for Python
问题
我可以看到通过以下方式在gcloud CLI中查看Service Account的使用情况:
gcloud policy-intelligence query-activity --activity-type=serviceAccountKeyLastAuthentication --project=<project_name>
我想在Python脚本中复制这个操作。
我正在尝试这样做,但不确定如何进行身份验证,尽管已启用API,但我遇到了401错误。我正在遵循此文档:https://cloud.google.com/policy-intelligence/docs/activity-analyzer-service-account-authentication#iam-get-service-account-key-id-rest
import requests
r = requests.get(f"https://policyanalyzer.googleapis.com/v1/projects/{self.project_id}/locations/global/activityTypes/serviceAccountKeyLastAuthentication/activities:query?filter=activities.full_resource_name%3D%22%2F%2Fiam.googleapis.com%2Fprojects%2F{self.project_id}%2FserviceAccounts%2F{self.sa_email}%2Fkeys%2F{self.key_id}%22")
我需要对请求调用进行身份验证吗?在脚本的其余部分中,我使用了Python客户端库,使用discovery.build 进行身份验证,如下所示:
credentials, project = google.auth.default()
self.crm = discovery.build("cloudresourcemanager", "v3", credentials=credentials)
似乎没有一个名为"policy analyzer"的Python库,因此我不确定下一步该怎么做。
最终目标是查看组织中每个服务帐户密钥的最后一次密钥认证时间。
谢谢!
英文:
I can see the Service Account usage out of gcloud CLI by doing as such:
gcloud policy-intelligence query-activity --activity-type=serviceAccountKeyLastAuthentication --project=<project_name>
I would like to replicate this in a python script..
I am attempting to this do this but I am not sure how to authenticate, and I am getting a 401 error, despite having enabled the API. I am following this documentation. https://cloud.google.com/policy-intelligence/docs/activity-analyzer-service-account-authentication#iam-get-service-account-key-id-rest
import requests
r = requests.get(f"https://policyanalyzer.googleapis.com/v1/projects/{self.project_id}/locations/global/activityTypes/serviceAccountKeyLastAuthentication/activities:query?filter=activities.full_resource_name%3D%22%2F%2Fiam.googleapis.com%2Fprojects%2F{self.project_id}%2FserviceAccounts%2F{self.sa_email}%2Fkeys%2F{self.key_id}%22"
Is there some way I need to authenticate my request call? The rest of the script I am using the python client libraries using discovery.build and authenticating as such:
credentials, project = google.auth.default()
self.crm = discovery.build("cloudresourcemanager", "v3", credentials=credentials)
There does not seem to be a "policy analyzer" python library, so I am not sure on next steps.
The end goal is to see the last key authentication time of every service account key in the organization.
Thanks!
答案1
得分: 1
你可以查看此链接以获取示例Python代码。
请注意,此功能仍处于预览阶段,目前尚无用于该功能的Python客户端。使用gcloud命令行界面和REST是以编程方式访问此功能的方法。
英文:
You may check this link for the sample Python code
Do note that the feature is still in preview and does not have a Python client for the same yet. The gcloud cli and REST is the way of accessing this feature programmatically.
答案2
得分: 0
请看这个页面底部显示的Python示例:
https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts.keys/list
示例演示了如何获取用于传递给客户端的应用程序默认凭据。你也可以通过HTTP请求来实现相同的操作,但上面的示例应该会有所帮助。
此外,如果你查看原始的curl请求,如果将筛选器解码为Unicode,它应该是:
activities.full_resource_name="//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_EMAIL/keys/KEY_ID"
假设你是从示例curl请求中获取的。
1: https://cloud.google.com/policy-intelligence/docs/activity-analyzer-service-account-authentication#view-recent-specific-key
英文:
Take a look at the python example shown towards the bottom of the page here:
https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts.keys/list
It shows how to get application default credentials used to pass in the client. You could accomplish the same with http requests, but that example above should help.
Also, looking at the original curl request, if you decode the filter to unicode it should be:
> activities.full_resource_name="//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_EMAIL/keys/KEY_ID"
Assuming you got it from the sample curl request.
1: https://cloud.google.com/policy-intelligence/docs/activity-analyzer-service-account-authentication#view-recent-specific-key
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论