
Get list of assets/resources for a given project in GCP without any organization-level permissions

An option I have been exploring is below.

On reading the document https://cloud.google.com/security-command-center/docs/how-to-api-list-assets#listing_all_assets, it is found that we can get a list of all assets using the Security Command Center API.

Following is the code provided in the documentation.

static ImmutableList<ListAssetsResult> listAssets(OrganizationName organizationName) {
  try (SecurityCenterClient client = SecurityCenterClient.create()) {
    // Start setting up a request to search for all assets in an organization.
    // OrganizationName organizationName = OrganizationName.of(/*organizationId=*/"123234324");
    ListAssetsRequest.Builder request =
        ListAssetsRequest.newBuilder().setParent(organizationName.toString());

    // Call the API.
    ListAssetsPagedResponse response = client.listAssets(request.build());

    // This creates one list for all assets.  If your organization has a large number of assets
    // this can cause out of memory issues.  You can process them incrementally by returning
    // the Iterable returned response.iterateAll() directly.
    ImmutableList<ListAssetsResult> results = ImmutableList.copyOf(response.iterateAll());
    System.out.println("All assets:");
    System.out.println(results);
    return results;
  } catch (IOException e) {
    throw new RuntimeException("Couldn't create client.", e);
  }
}

Running the commands in Security Command Center returns the error "PERMISSION_DENIED: Permission 'securitycenter.assets.list' denied on resource 'organizations/{organization-id}' (or resource may not exist)" in the response.

According to the following document, https://cloud.google.com/security-command-center/docs/access-control, the permission 'securitycenter.assets.list' needs to be set at ORGANIZATION LEVEL, which is problematic.

I'm looking for an option to bypass the above issue where I do not need organizational level permission, or any other API which would help me get this done.

To use the Security Command Center your project needs to be part of an organization. You also need permission at the Organization level. Your objective cannot be achieved at the Project Level.
