借鉴了@DazWilin的优秀脚本,并进行了一些修改,它可以生成一个包含所有服务账户、包括描述和密钥的服务账户注册表或CSV文件。去除日志抓取可以加快速度。
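#! /bin/bash
# Inventory every service account, and the metadata of every key attached to
# it, across the GCP projects selected by a `gcloud projects list` filter.
# One CSV row is written per service-account key.
#
# Usage:  script.sh csv_output_file [project_filter]
#   csv_output_file  path of the CSV to (over)write
#   project_filter   optional `--filter` expression for `gcloud projects list`;
#                    defaults to the literal placeholder 'prefix' kept from the
#                    original script and is normally meant to be overridden.
#
# CSV columns: Project, ServiceAccountName, Account Name, Email, Description,
# key_id, key_created_at, key_expires_at.
# `keys list` returns key names and validity windows only, never private key
# material, so the file is an inventory (useful for spotting old or
# never-expiring user-managed keys), not a secret store.
# Requires an authenticated gcloud with IAM read access on each project.
#
# `-e` is deliberately not set: a single project or account that cannot be
# read must not abort the whole scan, so every gcloud call is guarded
# explicitly and the failure is reported on stderr instead.
set -uo pipefail

if [ $# -lt 1 ]; then
  echo "usage: $0 csv_output_file [project_filter]" >&2
  exit 2
fi

OUTFILE=$1
FILTER=${2:-prefix}

# Quote one value as a CSV field: wrap in double quotes and double any
# embedded quote, so that commas, quotes or newlines inside a display name or
# description cannot shift the columns of the row.
csv_field() {
  local v=$1
  printf '"%s"' "${v//\"/\"\"}"
}

# Informational only: show every project visible to the caller before FILTER
# narrows down the set that is actually scanned.
gcloud projects list --format="value(projectId)" --sort-by=projectId

PROJECTS=$(gcloud projects list --format="value(projectId)" --filter="${FILTER}") || {
  echo "error: could not list projects with filter '${FILTER}'" >&2
  exit 1
}

echo "Project,ServiceAccountName,Account Name,Email,Description,key_id,key_created_at,key_expires_at" > "$OUTFILE"

while IFS= read -r PROJECT; do
  [ -n "$PROJECT" ] || continue
  echo "Project: ${PROJECT}"
  # displayName and description are base64-encoded on the gcloud side so that
  # commas and spaces inside them survive the csv formatter; decoded below.
  ROBOTS=$(gcloud iam service-accounts list \
    --project="${PROJECT}" \
    --format="csv[no-heading](displayName.encode(\"base64\"),email,email.split(\"@\").slice(0),disabled,description.encode(\"base64\"))") || {
    echo " warning: cannot list service accounts in ${PROJECT}; skipping" >&2
    continue
  }
  # One service account per line; IFS=, splits the fields of that line only.
  while IFS=, read -r ENCODED_NAME EMAIL ACCOUNT_ID DISABLED ENCODED_DESCR; do
    [ -n "$EMAIL" ] || continue
    # printf instead of echo -e: the encoded value is data, not a format.
    NAME=$(printf '%s' "${ENCODED_NAME}" | base64 --decode)
    DESCR=$(printf '%s' "${ENCODED_DESCR}" | base64 --decode)
    echo " Service Account: ${NAME}"
    echo " Disabled: ${DISABLED}"
    echo " Email: ${EMAIL}"
    echo " Descr: ${DESCR}"
    # Key name (scoped to the key id), creation time and expiry time.
    RESPONSE=$(gcloud iam service-accounts keys list \
      --iam-account="${EMAIL}" \
      --project="${PROJECT}" \
      --format="csv[no-heading](name.scope(keys),validAfterTime,validBeforeTime)") || {
      echo " warning: cannot list keys for ${EMAIL}; skipping" >&2
      continue
    }
    # mapfile splits on newlines without globbing or changing the global IFS
    # (the original `IFS=$'\n' rows=(...)` assignment left IFS modified).
    mapfile -t rows <<< "$RESPONSE"
    for row in "${rows[@]}"; do
      [ -n "$row" ] || continue
      printf '%s,%s,%s,%s,%s,%s\n' \
        "$PROJECT" "$(csv_field "$NAME")" "$ACCOUNT_ID" "$EMAIL" \
        "$(csv_field "$DESCR")" "$row" >> "$OUTFILE"
    done
  done <<< "$ROBOTS"
done <<< "$PROJECTS"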
gcloud iam service-accounts describe
和 gcloud iam service-accounts keys list
将会给你一些细节信息。像“最后使用时间”这样的信息需要解析 Cloud Logging。日志保留期默认为30天,因此您需要延长保留期以便能够扫描超过30天的日志。 - John Hanley
使用 list 方法来获取每个项目的服务账户信息。但是响应中可能并不包含您正在寻找的某些字段。 - Farid Shumbar