I'm auditing all of our GCP services. Is there a way to find out which user created a service?

I have a very simple bash script that I run to build a list of the services I have in the cloud:

#!/bin/bash
##############################################################
#  This script will list all services in all projects in GCP #
##############################################################
for PROJECT in $(
gcloud projects list \
--format="value(projectId)")
do
echo "Project: ${PROJECT}"
echo "-----------  Services  -----------"
gcloud services list --project=${PROJECT}
echo "-----------  Kubernetes Clusters  -----------"
gcloud container clusters list --project=${PROJECT} | awk '{print $1}' | grep -v NAME
echo "-----------  Compute Engine instances  -----------"
gcloud compute instances list --project=${PROJECT} | awk '{print $1}' | grep -v NAME
echo "-----------  SQL Instance List -----------"
gcloud sql instances list --project=${PROJECT} | grep -v NAME | awk '{print $1}'
echo "-----------  BigTable Instance List ----------"
gcloud bigtable instances list --project=${PROJECT}
echo "-----------  PubSub Topic List  ----------"
gcloud pubsub topics list --project=${PROJECT} | sed 's/---//g' | sed '/^[[:space:]]*$/d' | awk '{print $2}'
echo "-----------  Functions List ----------"
gcloud functions list --project=${PROJECT} | grep -v NAME | awk '{print $1}'
echo "-----------  Dataflow jobs List  ----------"
gcloud dataflow jobs list --project=${PROJECT} | awk '{print $2}' | grep -v NAME
echo "-----------  Redis Instance List ----------"
# Redis is regional, so walk every region; --project keeps the loop on the
# project being inventoried instead of the gcloud default project.
for REGION in `gcloud compute regions list --project=${PROJECT} | grep -v NAME | awk '{print $1}'`
do
gcloud redis instances list --region=$REGION --project=${PROJECT} | grep -v NAME | awk '{print $1}'
done
#echo "-----------  Service Accounts  ------------"
#for ACCOUNT in $(
#gcloud iam service-accounts list \
#--project=${PROJECT} \
#--format="value(email)")
#do
#echo "---------- Service Account keys: ${ACCOUNT}  -----------"
#gcloud iam service-accounts keys list --iam-account=${ACCOUNT} --project=${PROJECT} | grep -v KEY_ID
#done
done   # end of the per-project loop

Is there any way for me to find out which user created these services? I currently have a bunch of rogue services whose owners I don't know. Is there a way I can add a function to my script to get the original user who created a service?

Thanks

I've written a similar answer before, too.

The approach is to grep the Cloud Audit Logs for the google.api.serviceusage.v1.ServiceUsage.EnableService method; the enabler is then protoPayload.authenticationInfo.principalEmail, and (less confidently) the enabled service appears in any of the slice elements under protoPayload.authorizationInfo (the example below uses one).

PROJECT=...
# Admin Activity audit log of the project, restricted to EnableService calls
FILTER="
logName=\"projects/${PROJECT}/logs/cloudaudit.googleapis.com%2Factivity\"
protoPayload.methodName=\"google.api.serviceusage.v1.ServiceUsage.EnableService\"
"
WHOM="protoPayload.authenticationInfo.principalEmail"
WHAT="protoPayload.authorizationInfo[0].resource"
gcloud logging read "${FILTER}" \
--project=${PROJECT} \
--format="value(${WHOM},${WHAT})"
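The answer above stops at printing principal and resource for one authorizationInfo element, and the question asks how to fold the creator into the inventory script. As an added example (my own code, not the answer's or the questioner's), the script below takes the JSON that `gcloud logging read ... --format=json` emits, walks every authorizationInfo element rather than only `[0]`, skips denied calls, keeps the earliest granted call per resource so a later re-enable does not mask the original user, and lets the inventory look a service up by the name `gcloud services list` prints. It goes beyond the page's EnableService case by also recognising the Compute Engine and GKE create calls; those two method names are written from memory and should be checked against your own logs, and the embedded audit entries are constructed sample data.

```python
import json
import sys
from datetime import datetime

# Constructed sample in the shape of Admin Activity audit-log entries as
# emitted by `gcloud logging read ... --format=json`; every value is made up.
SAMPLE_ENTRIES = json.loads(r'''[
 {"timestamp": "2023-03-02T10:00:00Z", "protoPayload": {
   "methodName": "google.api.serviceusage.v1.ServiceUsage.EnableService",
   "authenticationInfo": {"principalEmail": "alice@example.com"},
   "authorizationInfo": [
     {"permission": "serviceusage.services.enable", "granted": true,
      "resource": "projectnumbers/123456789/services/redis.googleapis.com"}]}},
 {"timestamp": "2023-03-01T09:00:00Z", "protoPayload": {
   "methodName": "google.api.serviceusage.v1.ServiceUsage.EnableService",
   "authenticationInfo": {"principalEmail": "bob@example.com"},
   "authorizationInfo": [
     {"permission": "serviceusage.services.enable", "granted": true,
      "resource": "projectnumbers/123456789/services/redis.googleapis.com"},
     {"permission": "serviceusage.services.enable", "granted": true,
      "resource": "projectnumbers/123456789/services/pubsub.googleapis.com"}]}},
 {"timestamp": "2023-03-03T11:00:00Z", "protoPayload": {
   "methodName": "v1.compute.instances.insert",
   "authenticationInfo": {"principalEmail": "deployer@my-project.iam.gserviceaccount.com"},
   "authorizationInfo": [
     {"permission": "compute.instances.create", "granted": true,
      "resource": "projects/my-project/zones/us-central1-a/instances/web-1"}]}},
 {"timestamp": "2023-03-04T12:00:00Z", "protoPayload": {
   "methodName": "v1.compute.instances.insert",
   "authenticationInfo": {},
   "authorizationInfo": [
     {"permission": "compute.instances.create", "granted": false,
      "resource": "projects/my-project/zones/us-central1-a/instances/web-2"}]}}
]''')

# methodName values that create or enable a resource. The first is the one
# from the answer; the Compute Engine and GKE names are written from memory
# and should be verified against your own Admin Activity logs.
CREATE_METHODS = {
    "google.api.serviceusage.v1.ServiceUsage.EnableService",
    "v1.compute.instances.insert",
    "google.container.v1.ClusterManager.CreateCluster",
}


def first_creators(entries, methods=CREATE_METHODS):
    """Map each resource to the EARLIEST granted create/enable call.

    Returns {resource: {"principal", "timestamp", "method"}}. Keeping the
    earliest call means a later re-enable by someone else does not hide the
    original user; walking every authorizationInfo element (not only [0])
    catches calls that touched several resources at once.
    """
    creators = {}
    for entry in entries:
        payload = entry.get("protoPayload", {})
        method = payload.get("methodName")
        if method not in methods:
            continue
        # principalEmail can be absent from an entry; label that explicitly
        # instead of silently attributing the resource to nobody.
        principal = (payload.get("authenticationInfo", {}).get("principalEmail")
                     or "<no principalEmail in entry>")
        ts = datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))
        for auth in payload.get("authorizationInfo", []):
            resource = auth.get("resource")
            if not auth.get("granted") or not resource:
                continue  # a denied call did not create anything
            prev = creators.get(resource)
            if prev is None or ts < prev["timestamp"]:
                creators[resource] = {"principal": principal,
                                      "timestamp": ts, "method": method}
    return creators


def who_enabled(creators, service):
    """Enabler of a service as named by `gcloud services list`
    (e.g. redis.googleapis.com); None if no audit entry was found."""
    suffix = "/services/" + service
    for resource, info in creators.items():
        if resource.endswith(suffix):
            return info["principal"]
    return None


if __name__ == "__main__":
    # Pass a JSON file written by gcloud, or run with no argument for the sample.
    entries = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ENTRIES
    for resource, info in sorted(first_creators(entries).items()):
        print(f'{info["timestamp"]:%Y-%m-%d}  {info["principal"]:<45} {resource}')
```

To run it on real data, widen the FILTER from the answer so it is no longer limited to EnableService, then `gcloud logging read "${FILTER}" --project=${PROJECT} --format=json > entries.json` and `python3 who_created.py entries.json`; `who_enabled()` is what the inventory script would call for each line of `gcloud services list`. Two caveats for the audit: the _Required log bucket keeps Admin Activity entries for 400 days, so anything created earlier has no entry to find, and resources created by a deployment pipeline show the pipeline's service account as the principal, not the person who triggered it.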
