Trying to remove a role assigned to a GCP user

Question


Use Case: I am trying to delete all the roles assigned to a principal inside a GCP project.

As I understand you can't perform that operation directly.
I am referring here: https://cloud.google.com/iam/docs/samples/iam-modify-policy-remove-member

To perform this operation, I would need a list of currently assigned roles for a GCP principal. I couldn't find this operation anywhere in Python. Has anyone seen this or does anyone know how to perform this operation?

Answer 1

Score: 1


Per @guillaume blaquiere and @John Hanley:

You can get the IAM policy on a project, look for the account you want to remove and set the IAM policy without this account. If there isn't a client library for that, use the discovery API or the REST API directly.

An IAM Identity (principal) is not a Google Cloud resource type. You must use the APIs for each resource type (project, storage, compute, etc.) if you wish to manage the IAM bindings for an identity. IAM Bindings for a project are part of the Resource Manager API. Example Python code. However, IAM roles can be assigned at the PROJECT and at individual resources such as a KMS Key, Cloud Storage object, etc. If an identity has an IAM role binding at both the project and a resource (e.g. Cloud Storage object), removing the role binding at the project will not remove the role at the object resource level.

Note: A service account identity is an exception. It can be both an identity and a resource. Usage as an identity and as a resource is managed separately. When used as a resource, it supports IAM bindings, just like a project.
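The read-modify-write the answer describes, as an added example that is not part of the original post or of any Google sample: the pure helpers list the roles bound to a member in a project IAM policy and strip that member from every binding (including conditional ones), while `remove_member_from_project` wires them to the Resource Manager v1 `getIamPolicy`/`setIamPolicy` calls. The policy dict, the etag and the member names are constructed; the live function assumes `google-api-python-client` and Application Default Credentials, and, as the answer notes, only touches project-level bindings.

```python
"""Remove a principal from every binding of a project IAM policy.
Added example (not from the original post); uses the Resource Manager v1 policy schema."""
import copy

# Constructed sample in the shape returned by projects.getIamPolicy (v1, version 3).
SAMPLE_POLICY = {
    "version": 3,
    "etag": "BwXconstructedEtag=",  # constructed value
    "bindings": [
        {"role": "roles/viewer",
         "members": ["user:alice@example.com", "user:bob@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["user:bob@example.com"]},
        {"role": "roles/logging.viewer",
         "members": ["user:bob@example.com"],
         "condition": {"title": "until-2030",
                       "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    ],
}

def list_roles_for_member(policy, member):
    """Roles bound to `member` at this resource, conditional bindings included."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))

def remove_member_from_policy(policy, member):
    """Return a copy of `policy` with `member` removed from every binding.
    Bindings left without members are dropped. The etag is kept so that
    setIamPolicy rejects the write if the policy changed since it was read."""
    new_policy = copy.deepcopy(policy)
    kept = []
    for binding in new_policy.get("bindings", []):
        binding["members"] = [m for m in binding.get("members", []) if m != member]
        if binding["members"]:
            kept.append(binding)
    new_policy["bindings"] = kept
    return new_policy

def remove_member_from_project(project_id, member):
    """Live read-modify-write against Resource Manager v1 (assumes the discovery
    client and ADC are available; not exercised offline). Project-level only:
    bindings on buckets, KMS keys, etc. are separate policies."""
    from googleapiclient import discovery  # imported here so the helpers above run without it
    service = discovery.build("cloudresourcemanager", "v1")
    policy = service.projects().getIamPolicy(
        resource=project_id, body={"options": {"requestedPolicyVersion": 3}}).execute()
    new_policy = remove_member_from_policy(policy, member)
    return service.projects().setIamPolicy(
        resource=project_id, body={"policy": new_policy}).execute()
```

Requesting policy version 3 matters: with a lower version, conditional bindings are not returned, and writing the policy back would silently drop them.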

Posted by huangapple on 2023-04-11 03:00:41. Source: https://go.coder-hub.com/75979891.html